renovate[bot]

@renovate renovate bot commented Jul 8, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| mvdan/shfmt | stage | minor | v3.11.0-alpine -> v3.12.0-alpine |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 8, 2025

github-actions bot commented Jul 8, 2025

🦙 MegaLinter status: ⚠️ WARNING

⚠️ PYTHON / bandit - 67 errors
Run started:2025-07-09 05:12:22.717803

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./.automation/build.py:11:0
10	import shutil
11	import subprocess
12	import sys

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ''
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./.automation/build.py:2999:35
2998	                api_github_headers = {"content-type": "application/json"}
2999	                use_github_token = ""
3000	                if "GITHUB_TOKEN" in os.environ:

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: ' (with GITHUB_TOKEN)'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./.automation/build.py:3003:39
3002	                    api_github_headers["authorization"] = f"Bearer {github_token}"
3003	                    use_github_token = " (with GITHUB_TOKEN)"
3004	                logging.info(

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./.automation/build.py:3380:14
3379	        cwd=cwd,
3380	        shell=True,
3381	        executable=None if sys.platform == "win32" else which("bash"),
3382	    )
3383	    stdout = utils.clean_string(process.stdout)
3384	    logging.info(f"Format table results: ({process.returncode})\n" + stdout)
3385	
3386	
3387	def generate_version():
3388	    # npm version
3389	    logging.info("Updating npm package version…")

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./.automation/build.py:3391:14
3390	    cwd_to_use = os.getcwd() + "/mega-linter-runner"
3391	    process = subprocess.run(
3392	        [
3393	            "npm",
3394	            "version",
3395	            "--newversion",
3396	            RELEASE_TAG,
3397	            "-no-git-tag-version",
3398	            "--no-commit-hooks",
3399	        ],
3400	        stdout=subprocess.PIPE,
3401	        universal_newlines=True,
3402	        cwd=cwd_to_use,
3403	        shell=True,
3404	    )
3405	    print(process.stdout)

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./.automation/build.py:3403:14
3402	        cwd=cwd_to_use,
3403	        shell=True,
3404	    )
3405	    print(process.stdout)
3406	    print(process.stderr)
3407	    # Update python project version:
3408	    process = subprocess.run(
3409	        ["hatch", "version", RELEASE_TAG],
3410	        stdout=subprocess.PIPE,
3411	        text=True,
3412	        shell=True,
3413	        check=True,
3414	    )
3415	    # Update changelog
3416	    if UPDATE_CHANGELOG is True:
3417	        changelog_file = f"{REPO_HOME}/CHANGELOG.md"

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./.automation/build.py:3408:14
3407	    # Update python project version:
3408	    process = subprocess.run(
3409	        ["hatch", "version", RELEASE_TAG],
3410	        stdout=subprocess.PIPE,
3411	        text=True,
3412	        shell=True,
3413	        check=True,
3414	    )
3415	    # Update changelog

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: ./.automation/build.py:3412:14
3411	        text=True,
3412	        shell=True,
3413	        check=True,
3414	    )
3415	    # Update changelog
3416	    if UPDATE_CHANGELOG is True:
3417	        changelog_file = f"{REPO_HOME}/CHANGELOG.md"
3418	        with open(changelog_file, "r", encoding="utf-8") as md_file:
3419	            changelog_content = md_file.read()

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b605_start_process_with_a_shell.html
   Location: ./.automation/build.py:3460:4
3459	    logging.info("Running command: " + " ".join(command))
3460	    os.system(" ".join(command))
3461	

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./megalinter/Linter.py:28:0
27	import shutil
28	import subprocess
29	import sys

--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b310-urllib-urlopen
   Location: ./megalinter/Linter.py:567:24
566	                    with (
567	                        urllib.request.urlopen(remote_config_file) as response,
568	                        open(local_config_file, "wb") as out_file,

--------------------------------------------------
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   Severity: Medium   Confidence: High
   CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b310-urllib-urlopen
   Location: ./megalinter/Linter.py:646:24
645	                    with (
646	                        urllib.request.urlopen(remote_ignore_file) as response,
647	                        open(local_ignore_file, "wb") as out_file,

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=

(Truncated to 8000 characters out of 42362)
⚠️ BASH / bash-exec - 1 error
Results of bash-exec linter (version 5.2.37)
See documentation on https://megalinter.io/beta/descriptors/bash_bash_exec/
-----------------------------------------------

✅ [SUCCESS] .automation/build_schemas_doc.sh
✅ [SUCCESS] .automation/format-tables.sh
✅ [SUCCESS] .vscode/testlinter.sh
✅ [SUCCESS] build.sh
✅ [SUCCESS] entrypoint.sh
❌ [ERROR] sh/megalinter_exec
    Error: File:[sh/megalinter_exec] is not executable
⚠️ REPOSITORY / grype - 30 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                           INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS %  RISK   
ejs                            3.1.6      3.1.7     npm     GHSA-phwq-j96m-2c2q  Critical  99.81   87.9   
tar                            6.0.1      6.1.1     npm     GHSA-3jfq-g458-7qm9  High      99.38   68.2   
requests                       2.24.0     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium    90.47   3.5    
ip                             1.1.5                npm     GHSA-2p57-rm9w-gvfp  High      85.52   2.2    
minimist                       1.2.5      1.2.6     npm     GHSA-xvch-5gv4-984h  Critical  77.40   1.1    
tar                            6.0.1      6.1.9     npm     GHSA-5955-9wpr-37jh  High      75.21   0.7    
ejs                            3.1.6      3.1.10    npm     GHSA-ghr5-ch3p-vcr6  Medium    78.52   0.6    
node-fetch                     2.6.6      2.6.7     npm     GHSA-r683-j2x4-v87g  High      66.21   0.4    
minimatch                      3.0.4      3.0.5     npm     GHSA-f8q6-p94x-37v3  High      61.84   0.3    
semver                         7.3.5      7.5.2     npm     GHSA-c2qf-rxjj-qqgw  High      53.54   0.2    
tar                            6.0.1      6.1.2     npm     GHSA-r628-mhmh-qjhw  High      43.45   0.2    
ansi-regex                     3.0.0      3.0.1     npm     GHSA-93q8-gq69-wqmw  High      42.34   0.1    
cross-spawn                    7.0.3      7.0.5     npm     GHSA-3xgq-45jj-v275  High      38.96   0.1    
ip                             1.1.5      1.1.9     npm     GHSA-78xj-cgh5-2h22  Low       59.58   0.1    
tar                            6.0.1      6.2.1     npm     GHSA-f5x3-32g6-xq36  Medium    43.01   0.1    
tar                            6.1.11     6.2.1     npm     GHSA-f5x3-32g6-xq36  Medium    43.01   0.1    
braces                         3.0.2      3.0.3     npm     GHSA-grv7-fg5c-xmjg  High      37.40   0.1    
@octokit/request-error         2.1.0      5.1.1     npm     GHSA-xx4v-prfh-6cgc  Medium    45.50   0.1    
http-cache-semantics           4.1.0      4.1.1     npm     GHSA-rc47-6667-2j5j  High      37.09   0.1    
@octokit/request               5.6.2      8.4.1     npm     GHSA-rmvr-2pp2-xj38  Medium    43.05   0.1    
micromatch                     4.0.4      4.0.8     npm     GHSA-952p-6rrq-rcjv  Medium    41.15   < 0.1  
@octokit/plugin-paginate-rest  2.17.0     9.2.2     npm     GHSA-h5c3-5r3r-rr8q  Medium    28.46   < 0.1  
debug                          4.2.0      4.3.1     npm     GHSA-gxpj-cx7g-858c  Low       27.94   < 0.1  
requests                       2.24.0     2.32.4    python  GHSA-9hjg-9r4m-mvj7  Medium    19.57   < 0.1  
requests                       2.24.0     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium    13.15   < 0.1  
tar                            6.0.1      6.1.9     npm     GHSA-qq89-hq3f-393p  High      3.93    < 0.1  
brace-expansion                1.1.11     1.1.12    npm     GHSA-v6h2-p8h4-qcjw  Low       16.13   < 0.1  
brace-expansion                2.0.1      2.0.2     npm     GHSA-v6h2-p8h4-qcjw  Low       16.13   < 0.1  
tar                            6.0.1      6.1.7     npm     GHSA-9r2w-394v-53qc  High      1.94    < 0.1  
word-wrap                      1.2.3      1.2.4     npm     GHSA-j8xg-fqg3-53r7  Medium    3.74    < 0.1
[0033] ERROR discovered vulnerabilities at or above the severity threshold
⚠️ SPELL / lychee - 1 error
[WARN ] WARNING: `--exclude-mail` is deprecated and will soon be removed; E-Mail is no longer checked by default. Use `--include-mail` to enable E-Mail checking.
[404] https://htmlhint.com/docs/user-guide/list-rules | Network error: Not Found
📝 Summary
---------------------
🔍 Total.........2349
✅ Successful....1896
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.......452
❓ Unknown..........0
🚫 Errors...........1

Errors in megalinter/descriptors/html.megalinter-descriptor.yml
[404] https://htmlhint.com/docs/user-guide/list-rules | Network error: Not Found
⚠️ MARKDOWN / markdownlint - 307 errors
.github/copilot-instructions.md:9 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
.github/copilot-instructions.md:156 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
.github/linters/valestyles/proselint/README.md:12:601 MD013/line-length Line length [Expected: 600; Actual: 755]
CHANGELOG.md:1970:87 MD059/descriptive-link-text Link text should be descriptive [Context: "[here]"]
docs/badge.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Badge"]
docs/config-activation.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Activation and deactivation"]
docs/config-apply-fixes.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Apply fixes"]
docs/config-cli-lint-mode.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CLI lint mode"]
docs/config-file.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: ".mega-linter.yml file"]
docs/config-filtering.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Filter linted files"]
docs/config-linters.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Linter specific variables"]
docs/config-postcommands.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Post-commands"]
docs/config-precommands.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Pre-commands"]
docs/config-variables-security.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Environment variables security"]
docs/config-variables.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Common variables"]
docs/configuration.md:9 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "Configuration"]
docs/descriptors/action_actionlint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "actionlint"]
docs/descriptors/action.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ACTION"]
docs/descriptors/ansible_ansible_lint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ansible-lint"]
docs/descriptors/ansible_ansible_lint.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 795]
docs/descriptors/ansible.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ANSIBLE"]
docs/descriptors/api_spectral.md:14:601 MD013/line-length Line length [Expected: 600; Actual: 746]
docs/descriptors/api.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "API"]
docs/descriptors/arm_arm_ttk.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "arm-ttk"]
docs/descriptors/arm.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "ARM"]
docs/descriptors/bash_bash_exec.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "bash-exec"]
docs/descriptors/bash_shellcheck.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "shellcheck"]
docs/descriptors/bash_shellcheck.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 785]
docs/descriptors/bash_shfmt.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "shfmt"]
docs/descriptors/bash.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "BASH"]
docs/descriptors/bicep_bicep_linter.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "bicep_linter"]
docs/descriptors/bicep.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "BICEP"]
docs/descriptors/c_clang_format.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "clang-format"]
docs/descriptors/c_clang_format.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 768]
docs/descriptors/c_cppcheck.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cppcheck"]
docs/descriptors/c_cpplint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cpplint"]
docs/descriptors/c.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "C"]
docs/descriptors/clojure_cljstyle.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cljstyle"]
docs/descriptors/clojure_cljstyle.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 768]
docs/descriptors/clojure.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CLOJURE"]
docs/descriptors/cloudformation_cfn_lint.md:14:601 MD013/line-length Line length [Expected: 600; Actual: 865]
docs/descriptors/cloudformation.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CLOUDFORMATION"]
docs/descriptors/coffee_coffeelint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "coffeelint"]
docs/descriptors/coffee_coffeelint.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 746]
docs/descriptors/coffee.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "COFFEE"]
docs/descriptors/copypaste.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "COPYPASTE"]
docs/descriptors/cpp_clang_format.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "clang-format"]
docs/descriptors/cpp_clang_format.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 768]
docs/descriptors/cpp_cppcheck.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cppcheck"]
docs/descriptors/cpp_cpplint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "cpplint"]
docs/descriptors/cpp.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "C++"]
docs/descriptors/csharp_csharpier.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "csharpier"]
docs/descriptors/csharp_csharpier.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 750]
docs/descriptors/csharp_dotnet_format.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "dotnet-format"]
docs/descriptors/csharp_roslynator.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "roslynator"]
docs/descriptors/csharp_roslynator.md:8:601 MD013/line-length Line length [Expected: 600; Actual: 770]
docs/descriptors/csharp.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "C\#"]
docs/descriptors/css_stylelint.md:14:601 MD013/line-length Line length [Expected: 600; Actual: 788]
docs/descriptors/css.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "CSS"]
docs/descriptors/dart_dartanalyzer.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "dartanalyzer"]
docs/descriptors/dart.md:8 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "DART"]
docs/descriptors/dockerfile_hadolint.md:7 MD025/single-title/single-h1 Multiple top-level headings in the same document [Context: "hadolint"]
docs/descriptors/dockerfile_hadolint.md:8:601 MD013/line-length Line length [Expected: 600;

(Truncated to 8000 characters out of 38125)

✅ Linters with no issues

black, checkov, cspell, flake8, git_diff, hadolint, isort, jscpd, jsonlint, markdown-table-formatter, mypy, npm-groovy-lint, prettier, pylint, ruff, secretlint, shellcheck, shfmt, spectral, syft, trivy, trivy-sbom, trufflehog, v8r, v8r, xmllint, yamllint

See detailed report in MegaLinter reports

MegaLinter is graciously provided by OX Security

@echoix echoix merged commit f4c5bc1 into main Jul 11, 2025
128 of 133 checks passed
@echoix echoix deleted the renovate/mvdan-shfmt-3.x branch July 11, 2025 23:31