bot: bump oxsecurity/megalinter from 9.2.0 to 9.4.0

[dependabot]

Bumps oxsecurity/megalinter from 9.2.0 to 9.4.0.

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.4.0

What's Changed

• Core

  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)
  • Add support in the build of Docker images for linux/arm64 in compatible linters

• New linters

  • Add PYTHON_NBQA_MYPY for type-checking Jupyter notebooks using nbqa + mypy

• Disabled linters

  • LUA_SELENE: Kampfkarren/selene#662

• Linters enhancements

  • Use the official checkmake image by @​bdovaz
  • Spectral: Add sarif support to spectral by @​bdovaz
  • Spectral: Change cli_lint_mode to list_of_files to improve performances

• Fixes

  • Add support for SSH remote origins when building custom flavors (fixes: #6511)
  • Fix issue with plugins ignored when FLAVOR_SUGGESTIONS=false
  • Fix wrong tagging apply_fixes=True when linter has no fix options configured
  • Python mypy: Remove .ipynb from file extensions (mypy doesn't support notebooks directly) - fixes #6904
  • Fix operator precedence bug in pre_post_factory pre/post command logic
  • Fix file handle leak in GitleaksLinter
  • Fix variable name bug in utils.get_git_context_info
  • Minor fixes in logger, SqlFluffLinter, PowershellLinter, TrivyLinter

• Reporters

  • Add a link inviting to star MegaLinter
  • Display in the console reporter the working directory from which the commands are executed by @​bdovaz
  • Update WebHook reporter so it can send more events for a better integration with UI
  • When truncating long comments in markdown reports, keep the end of the text instead of the beginning (which usually contains less useful information)
  • In case GitHub Api returns 500, do not make the whole MegaLinter fail, display a warning instead
  • Azure Reporter: Use Azure DevOps Services REST API instead of unmaintained python wrapper lib

• Flavors

  • Custom flavor builder:
    • Add support for SSH remotes
    • Allow selection of platforms to build the custom flavor on (ex: linux/amd64, linux/arm64) and build compatible linters on these platforms
    • Build & release custom flavor builder image for linux/arm64

• Doc

  • JSON Schema: Add default values for file extensions and file names variables + improve descriptions

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Core

• New linters

• Disabled linters

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

• Fixes

• Reporters

• Flavors

• Doc

• CI

• mega-linter-runner

• Linter versions upgrades (N)

  • isort from 8.0.0 to 8.0.1 on 2026-02-28

[v9.4.0] - 2026-02-28

• Core
  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)

... (truncated)

Commits

• 8fbdead Release MegaLinter v9.4.0
• 9f605c4 Fix custom flavor builder workflow (#7306)
• b7dcb60 Update changelog to prepare release (#7304)
• 3077b04 chore(deps): update dependency regex to v2026.2.28 (#7303)
• edba876 [automation] Auto-update linters version, help and documentation (#7299)
• 07fb84d chore(deps): update dependency python-gitlab to v8.1.0 (#7302)
• 4d42e33 chore(deps): update dependency fastapi to v0.134.0 (#7301)
• 649726c chore(deps): update dependency rumdl to v0.1.32 (#7300)
• 768b5a3 chore(deps): update dependency virtualenv to v21.1.0 (#7298)
• 7e73a76 chore(deps): update dependency eslint-plugin-jsonc to v3 (#7260)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ BASH	bash-exec	1		0	0	0.28s
✅ BASH	shellcheck	1		0	0	0.07s
✅ BASH	shfmt	1	0	0	0	0.02s
✅ COPYPASTE	jscpd	yes		no	no	1.69s
⚠️ MARKDOWN	markdownlint	2	0	3	0	0.71s
✅ MARKDOWN	markdown-table-formatter	3	0	0	0	0.35s
✅ REPOSITORY	checkov	yes		no	no	17.59s
✅ REPOSITORY	gitleaks	yes		no	no	0.26s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	34.78s
✅ REPOSITORY	syft	yes		no	no	2.61s
✅ REPOSITORY	trivy	yes		no	no	10.32s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.14s
✅ REPOSITORY	trufflehog	yes		no	no	4.6s

Detailed Issues

⚠️ MARKDOWN / markdownlint - 3 errors

SECURITY.md:7:23 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
SECURITY.md:8:23 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]
SECURITY.md:9:23 error MD060/table-column-style Table column style [Table pipe does not align with header for style "aligned"]

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,COPYPASTE_JSCPD,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG

Show us your support by starring ⭐ the repository