chore(deps): update dependency conventional-changelog-conventionalcommits to v9.1.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
conventional-changelog-conventionalcommits (source)	devDependencies	minor	9.0.0 → 9.1.0

---

Release Notes

conventional-changelog/conventional-changelog (conventional-changelog-conventionalcommits)

v9.1.0

Compare Source

Features

• scope option can be an array of strings (#​1391) (81da809)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test
- digest	dd01deeeb832	85650fcb7f6b
- tag	1.21.4	test
- stream	latest
- provenance	221f80c
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	133 MB	133 MB (-3 B)
- packages	170	177 (+7)
Base Image	alpine:3.22.0 also known as: • 3 • 3.22 • latest	alpine:3 also known as: • 3.22 • latest
- vulnerabilities

Policies (1 improved, 1 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test	Change	Standing
No unapproved base images	⚠️ 1	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 29	⚠️ 17	-12	Improved
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (9 package changes and 0 vulnerability changes)

• ➕ 8 packages added
• ➖ 1 packages removed
• 165 packages unchanged

Changes for packages of type apk (7 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➕	alpine-base		3.22.0-r0
➕	ca-certificates		20241121-r2
➕	gcc		14.2.0-r6
➕	ncurses		6.5_p20250503-r0
➕	openssl		3.5.0-r0
			Added vulnerabilities (16):
➕	pax-utils		1.3.8-r1
➕	xz		5.8.1-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➖	openjdk	21.0.7
➕	openjdk		21.0.7

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:85650fcb7f6b06edbbddffdced7f82907cd1541c761e7bb9f1b47572345e7194
vulnerabilities
platform	linux/amd64
size	133 MB
packages	177

📦 Base Image alpine:3

also known as	3.22 3.22.0 latest
digest	sha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 Affected range <1.24.13 Fixed version 1.24.13 EPSS Score 0.014% EPSS Percentile 2nd percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.017% EPSS Percentile 4th percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.023% EPSS Percentile 6th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.031% EPSS Percentile 8th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.038% EPSS Percentile 11th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.018% EPSS Percentile 4th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.018% EPSS Percentile 4th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.016% EPSS Percentile 3rd percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.010% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.020% EPSS Percentile 5th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.024% EPSS Percentile 6th percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.022% EPSS Percentile 5th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.014% EPSS Percentile 2nd percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.030% EPSS Percentile 8th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.032% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.032% EPSS Percentile 9th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

openssl 3.5.0-r0 (apk) pkg:apk/alpine/openssl@3.5.0-r0?os_name=alpine&os_version=3.22 Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.662% EPSS Percentile 71st percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.031% EPSS Percentile 9th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.059% EPSS Percentile 18th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.070% EPSS Percentile 21st percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.056% EPSS Percentile 17th percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.019% EPSS Percentile 4th percentile Description Affected range <3.5.1-r0 Fixed version 3.5.1-r0 EPSS Score 0.023% EPSS Percentile 6th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.011% EPSS Percentile 1st percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.031% EPSS Percentile 9th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.059% EPSS Percentile 18th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.048% EPSS Percentile 15th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.015% EPSS Percentile 3rd percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.005% EPSS Percentile 0th percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.070% EPSS Percentile 21st percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.014% EPSS Percentile 2nd percentile Description Affected range <3.5.5-r0 Fixed version 3.5.5-r0 EPSS Score 0.005% EPSS Percentile 0th percentile Description

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/commons-compress@1.5 Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.592% EPSS Percentile 69th percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.062% EPSS Percentile 77th percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.402% EPSS Percentile 80th percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.598% EPSS Percentile 69th percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 4th percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

com.google.protobuf/protobuf-java 4.26.1 (maven) pkg:maven/com.google.protobuf/protobuf-java@4.26.1 Improper Input Validation Affected range >=4.0.0-RC1 <4.27.5 Fixed version 4.27.5 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.085% EPSS Percentile 25th percentile Description Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. Severity CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. Proof of Concept For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness. Remediation and Mitigation We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages: protobuf-java (3.25.5, 4.27.5, 4.28.2) protobuf-javalite (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2) com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

golang.org/x/net 0.34.0 (golang) pkg:golang/golang.org/x/net@0.34.0 Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.059% EPSS Percentile 18th percentile Description The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.059% EPSS Percentile 18th percentile Description The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <0.38.0 Fixed version 0.38.0 CVSS Score 5.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N EPSS Score 0.119% EPSS Percentile 31st percentile Description The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). Misinterpretation of Input Affected range <0.36.0 Fixed version 0.36.0 CVSS Score 4.4 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L EPSS Score 0.024% EPSS Percentile 6th percentile Description Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

golang.org/x/net 0.39.0 (golang) pkg:golang/golang.org/x/net@0.39.0 Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.059% EPSS Percentile 18th percentile Description The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.059% EPSS Percentile 18th percentile Description The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

busybox 1.37.0-r18 (apk) pkg:apk/alpine/busybox@1.37.0-r18?os_name=alpine&os_version=3.22 Affected range <=1.37.0-r19 Fixed version Not Fixed EPSS Score 0.052% EPSS Percentile 16th percentile Description Affected range <1.37.0-r20 Fixed version 1.37.0-r20 EPSS Score 0.031% EPSS Percentile 8th percentile Description Affected range <1.37.0-r20 Fixed version 1.37.0-r20 EPSS Score 0.023% EPSS Percentile 5th percentile Description

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/commons-lang@2.6 Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.022% EPSS Percentile 5th percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🎉 This PR is included in version 3.0.2 🎉

The release is available on:

• v3.0.2
• GitHub release

Your semantic-release bot 📦🚀