Bump github.com/Open-CMSIS-Pack/cbuild/v2 from 2.13.0 to 2.14.0

[dependabot]

Bumps github.com/Open-CMSIS-Pack/cbuild/v2 from 2.13.0 to 2.14.0.

Release notes

Sourced from github.com/Open-CMSIS-Pack/cbuild/v2's releases.

v2.14.0

What's Changed

• Improve tmp directory clean in Open-CMSIS-Pack/cbuild#560
• Remove --quiet for csolution convert command in Open-CMSIS-Pack/cbuild#574
• Improve skip convert option and debug messages in Open-CMSIS-Pack/cbuild#578
• Get tmpdir default base directory when access sequences are used in Open-CMSIS-Pack/cbuild#579
• Control output handling for list commands in Open-CMSIS-Pack/cbuild#589
• refactor: update debug flag description for clarity in Open-CMSIS-Pack/cbuild#594
• Fix: Failure of internal commands with quiet mode in Open-CMSIS-Pack/cbuild#595
• No warning on try deleting non-existent folder in Open-CMSIS-Pack/cbuild#601
• Add release badge to README in Open-CMSIS-Pack/cbuild#620
• Fix security vuln in Open-CMSIS-Pack/cbuild#621
• [cbuild] Improve tmp dir creation for zephyr module in Open-CMSIS-Pack/cbuild#623
• Handle solutions with multiple west contexts in Open-CMSIS-Pack/cbuild#625

Full Changelog: Open-CMSIS-Pack/cbuild@v2.13.0...v2.14.0

Commits

• 071ebdc Handle solutions with multiple west contexts
• 61af596 🤖 [TPIP] Automated report updates (#622)
• 58b11bf Update lychee.toml to exclude additional links (#624)
• 1113282 [cbuild] Improve tmp dir creation for zephyr module
• 705e1db Fix security vuln (#621)
• 2eba807 [cbuild] Add command orchestration for zephyr module generation
• b2deb9d Add release badge to README (#620)
• fa71714 chore(deps): bump github.com/aymanbagabas/go-pty from 0.2.2 to 0.2.3
• 0d804ef chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5
• a50f48e chore(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

go.mod

Package	Version	License	Issue Type
github.com/creack/pty	1.1.24	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
gomod/github.com/Open-CMSIS-Pack/cbuild/v2	2.14.0	🟢 8.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10
gomod/github.com/aymanbagabas/go-pty	0.2.3	🟢 3.8	Details Check Score Reason Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/creack/pty	1.1.24	Unknown	Unknown
gomod/github.com/u-root/u-root	0.16.0	🟢 7.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 4 security policy file detected Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
gomod/golang.org/x/crypto	0.51.0	Unknown	Unknown
gomod/golang.org/x/exp	0.0.0-20250305212735-054e65f0b394	Unknown	Unknown
gomod/golang.org/x/sync	0.18.0	Unknown	Unknown
gomod/golang.org/x/sys	0.44.0	Unknown	Unknown
gomod/golang.org/x/term	0.43.0	Unknown	Unknown

Scanned Files

• go.mod

[qltysh]

Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.