chore(deps): update dependency aquaproj/aqua-registry to v4.525.0

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua-registry	minor	v4.523.0 → v4.525.0

---

Release Notes

aquaproj/aqua-registry (aquaproj/aqua-registry)

v4.525.0

Compare Source

Issues | Pull Requests | aquaproj/aqua-registry@v4.524.1...v4.525.0

🎉 New Packages

#​55397 #​55401 CycloneDX/cdxgen - Creates CycloneDX Bill of Materials (BOM) from source code and container images @​sebdanielsson
#​55389 fallow-rs/fallow: Codebase intelligence for TypeScript and JavaScript. Free static layer: unused code, duplication, circular deps, complexity hotspots, architecture boundaries. Optional paid runtime layer: hot-path review and cold-path deletion evidence from real production traffic. Rust-native, sub-second, zero-config framework support @​wancup

Fixes

#​55395 haskell/ghcup-hs: Support Windows @​cprecioso
#​55393 Remove the verification of release attestations

v4.524.1

Compare Source

Issues | Pull Requests | aquaproj/aqua-registry@v4.524.0...v4.524.1

Fixes

#​55237 oracle.com/sqlcl: Fetch available versions and checksums from jasonlyle88/sqlcl-releases @​jasonlyle88
#​55311 oxc-project/oxc/oxlint: Support v1.28.0 or later @​hituzi-no-sippo
#​55314 suzuki-shunsuke/docfresh: Support v0.3.0 or later
#​55313 suzuki-shunsuke/ghaperf: Support v1.0.0 or later
#​55310 suzuki-shunsuke/ghir: Support ghir v1.0.0 or later

v4.524.0

Compare Source

Issues | Pull Requests | aquaproj/aqua-registry@v4.523.0...v4.524.0

🎉 New Packages

#​55083 lexfrei/claudeline - Claude Code statusline with real usage limits from Anthropic API @​sanchpet

Security

#​55150 ubugeeei-prod/vize: Cosign config @​scop

Fixes

#​55131 SonarSource/sonarqube-cli: Fixing format in URL @​3PeatVR
#​55084 Rename endevco/aube to jdx/aube @​jdx
#​55064 Rename endevco/pitchfork to jdx/pitchfork
#​55071 Update codeberg.org/mergiraf/mergiraf @​A2va

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • Between 09:00 AM and 06:59 PM, Monday through Friday (* 9-18 * * 1-5)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: ea3bb6f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

🤖 Claude Dependency Review

📦 Update Summary

• Library: aquaproj/aqua-registry
• Version: v4.523.0 → v4.524.0
• Change Type: Minor

📝 Release Notes

https://github.com/aquaproj/aqua-registry/releases/tag/v4.524.0

🔐 Security Assessment

• Risk: 🟢 Low
• Known vulnerabilities: None found. No CVEs or GitHub Security Advisories were identified for either v4.523.0 or v4.524.0.
• Supply-chain notes: No red flags detected. aqua-registry is a well-maintained open-source project with regular updates. This version update is a routine minor release containing new package additions, security improvements (Cosign configuration), and maintenance fixes. The registry enforces checksums by default (as configured in aqua.yaml), providing protection against supply-chain attacks. No maintainer changes, suspicious lifecycle scripts, or abnormal version jumps were observed.

✨ Main Changes

🎉 New Packages

• lexfrei/claudeline - A Claude Code statusline tool that displays real usage limits from the Anthropic API

🔒 Security Updates

• ubugeeei-prod/vize - Enhanced Cosign configuration for improved artifact verification

🐛 Fixes

• SonarSource/sonarqube-cli - Fixed URL format issue in package definition
• Package Renames:
  • endevco/aube relocated to jdx/aube
  • endevco/pitchfork relocated to jdx/pitchfork
• codeberg.org/mergiraf/mergiraf - Updated package reference

These changes are registry metadata updates that improve package definitions but do not affect the existing tools this project uses (actionlint, ghalint, buf).

🔍 Impact Analysis

📁 Usage Locations

The aqua-registry is used in the following 9 locations across the codebase:

1. aqua.yaml

   ref: v4.524.0 # renovate: depName=aquaproj/aqua-registry

   • Feature used: Standard registry reference for aqua package manager
   • Impact: None. The registry version update is transparent to the installed packages (actionlint, ghalint, buf).

2. aqua-checksums.json

   {
     "id": "registries/github_content/github.com/aquaproj/aqua-registry/v4.524.0/registry.yaml",
     "checksum": "1A8FB074F184555E3E370F26D1026EDAC34377D3B9666EFAD2504EFC940BDF51",
     "algorithm": "sha256"
   }

   • Feature used: Checksum verification for registry integrity
   • Impact: None. The checksum was automatically updated to match the new registry version.

3. .github/actions/install-aqua/action.yml

   - name: Install aqua
     uses: aquaproj/aqua-installer@​11dd79b4e498d471a9385aa9fb7f62bb5f52a73c # v4.0.4
     with:
       aqua_version: ${{ inputs.aqua_version }}

   • Feature used: Custom GitHub Action that installs aqua package manager
   • Impact: None. This action installs the aqua CLI itself (v2.53.2), which then reads the registry version from aqua.yaml.

4. .github/workflows/github-actions-lint.yml

   - name: Install aqua
     uses: ./.github/actions/install-aqua

   • Feature used: Workflow that uses aqua to install actionlint and ghalint for GitHub Actions linting
   • Impact: None. The workflow installs tools from the registry but none of the registry changes affect actionlint or ghalint package definitions.

5. .github/workflows/deploy.yml

   - name: Install aqua
     uses: ./.github/actions/install-aqua

   • Feature used: Deployment workflow that uses aqua-managed tools
   • Impact: None. This workflow installs aqua before deploying the example workspace.

6. .github/workflows/migration.yml

   - name: Install aqua
     uses: ./.github/actions/install-aqua

   • Feature used: Migration test workflow that uses aqua-managed tools
   • Impact: None. This workflow installs aqua before running TailorDB migration tests.

7. .github/workflows/ci.yml

   - name: Install aqua
     uses: ./.github/actions/install-aqua

   • Feature used: CI workflow that uses aqua-managed tools
   • Impact: None. This workflow installs aqua before running lint, format, and type checks.

8. packages/tailor-proto/buf.gen.yaml

   version: v2
   clean: true
   plugins:
     - remote: buf.build/bufbuild/es:v2.6.3
       out: ./src
       include_imports: true
   inputs:
     - git_repo: https://github.com/tailor-inc/proto.git

   • Feature used: buf (Protocol Buffers tooling) installed via aqua, used for code generation
   • Impact: None. The buf package definition (v1.70.0) in the registry remains unchanged.

9. packages/tailor-proto/package.json

   "scripts": {
     "gen": "buf generate"
   }

   • Feature used: Executes buf command for Protocol Buffer code generation
   • Impact: None. The buf tool version is pinned in aqua.yaml and unaffected by this registry update.

Summary: The aqua-registry update contains no breaking changes for this project. All three tools used from the registry (actionlint@​v1.7.12, ghalint@​v1.5.6, buf@​v1.70.0) have unchanged package definitions between v4.523.0 and v4.524.0. The update adds new packages and fixes unrelated package definitions, making it a safe, routine maintenance update.

✅ Recommended Actions

None. This is a routine registry metadata update with no impact on existing functionality. The update can be merged safely.

• ✅ No breaking changes affecting used tools
• ✅ No security vulnerabilities
• ✅ Checksums updated correctly
• ✅ No action required for existing packages (actionlint, ghalint, buf)

---

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.