Bump mindsers/changelog-reader-action from 2.2.3 to 2.4.0#636

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/main/mindsers/changelog-reader-action-2.4.0

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps mindsers/changelog-reader-action from 2.2.3 to 2.4.0.

Release notes

Sourced from mindsers/changelog-reader-action's releases.

v2.4.0

Added

  • New changes_file output: a path to a temporary file containing the matched entry's text, for tools that consume release notes as a file (goreleaser, gh release create --notes-file, etc.). Resolves #68.
  • New version_scheme input (semver default, or pep440) enabling extraction and validation of Python PEP 440 version identifiers like 0.1.0a1. Resolves #38.

Security

  • Harden the reference-link parsing regex against catastrophic backtracking (CodeQL js/redos). The previous pattern had a . character in two overlapping character classes; a hostile CHANGELOG line could in principle trigger exponential matching time. The fix tightens the label character class without changing the regex's accepted inputs.

v2.3.0

Changed

  • Use Node 24 as the action runtime.
  • Refactor the internal entry, validation, and pipeline modules for type safety and easier maintenance. No change in observable behavior for action consumers.
  • Modernize the bundled runtime dependencies: @actions/core 1.x → 2.x and the YAML parser 1.x → 2.x. The action's input/output contract is unchanged.

Fixed

  • Declare semver as a runtime dependency instead of a dev dependency.
  • Stop dumping the full CHANGELOG content to debug logs when parsing entries and links.
  • Detect the Unreleased heading case-insensitively when picking the most recent released entry.
  • Warn (instead of silently degrading) when validation_level or validation_depth inputs are invalid; fall back to safe defaults.
  • Warn (instead of silently using an empty config) when an explicit config_file does not exist.
  • Validate the shape of YAML/JSON config files; warn on per-field type mismatches and reject non-object roots.
  • Recognize bare ## Unreleased headings in addition to the bracketed ## [Unreleased] form.
Changelog

Sourced from mindsers/changelog-reader-action's changelog.

[2.4.0] - 2026-05-20

Added

  • New changes_file output: a path to a temporary file containing the matched entry's text, for tools that consume release notes as a file (goreleaser, gh release create --notes-file, etc.). Resolves #68.
  • New version_scheme input (semver default, or pep440) enabling extraction and validation of Python PEP 440 version identifiers like 0.1.0a1. Resolves #38.

Security

  • Harden the reference-link parsing regex against catastrophic backtracking (CodeQL js/redos). The previous pattern had a . character in two overlapping character classes; a hostile CHANGELOG line could in principle trigger exponential matching time. The fix tightens the label character class without changing the regex's accepted inputs.
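The backtracking hazard named in the Security note above (and in the identical release-notes entry earlier on this page), shown as an added example that is not the action's own code or pattern: a constructed reference-link regex with `.` in two overlapping character classes, a hardened version that accepts the same label shapes, and a timing helper to compare them on a constructed hostile line.

```javascript
// Added example, not the action's real regex: the ReDoS class described in the
// release note, on a Markdown reference-link definition parser ("[label]: url").

// Constructed vulnerable pattern: '.' is in BOTH the label class [\w.-] and the
// separator class [.\s], and the group is itself repeated. A label like
// "a.a.a.a" with no closing "]:" can be split between the two classes in
// exponentially many ways before the overall match finally fails.
const VULNERABLE_LINK_REF = /^\[((?:[\w.-]+[.\s]?)+)\]:\s*(\S+)/;

// Hardened pattern: the separator is whitespace only and every repetition must
// start with it, so each character has exactly one class that can consume it.
// Same accepted labels as above (segments of [\w.-] separated by single spaces,
// optional trailing space), but the engine backtracks linearly.
const HARDENED_LINK_REF = /^\[([\w.-]+(?:\s[\w.-]+)*\s?)\]:\s*(\S+)/;

// Parse one CHANGELOG line as a reference-link definition; null if it is not one.
function parseReferenceLink(line, pattern = HARDENED_LINK_REF) {
  const m = pattern.exec(line);
  return m ? { label: m[1], url: m[2] } : null;
}

// Constructed hostile line: "[" followed by n "a." segments and no "]:" terminator.
function pathologicalLine(n) {
  return '[' + 'a.'.repeat(n);
}

// Wall-clock milliseconds for one test() of the pattern against the line.
function matchTimeMs(pattern, line) {
  const start = process.hrtime.bigint();
  pattern.test(line);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Stand-alone demo: both patterns agree on well-formed input, but only the
// hardened one stays fast as the hostile label grows.
if (typeof require !== 'undefined' && require.main === module) {
  const sample = '[1.2.0]: https://github.com/owner/repo/compare/v1.1.0...v1.2.0';
  console.log(parseReferenceLink(sample, VULNERABLE_LINK_REF));
  console.log(parseReferenceLink(sample, HARDENED_LINK_REF));
  for (const n of [6, 8, 10, 12]) {
    const line = pathologicalLine(n);
    console.log(`n=${n}: vulnerable ${matchTimeMs(VULNERABLE_LINK_REF, line).toFixed(1)} ms, ` +
                `hardened ${matchTimeMs(HARDENED_LINK_REF, line).toFixed(1)} ms`);
  }
}
```

Raising n by two roughly quadruples the vulnerable timing while the hardened one stays flat; that growth curve is the signal CodeQL's js/redos query flags statically.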

[2.3.0] - 2026-05-19

Changed

  • Use Node 24 as the action runtime.
  • Refactor the internal entry, validation, and pipeline modules for type safety and easier maintenance. No change in observable behavior for action consumers.
  • Modernize the bundled runtime dependencies: @actions/core 1.x → 2.x and the YAML parser 1.x → 2.x. The action's input/output contract is unchanged.

Fixed

  • Declare semver as a runtime dependency instead of a dev dependency.
  • Stop dumping the full CHANGELOG content to debug logs when parsing entries and links.
  • Detect the Unreleased heading case-insensitively when picking the most recent released entry.
  • Warn (instead of silently degrading) when validation_level or validation_depth inputs are invalid; fall back to safe defaults.
  • Warn (instead of silently using an empty config) when an explicit config_file does not exist.
  • Validate the shape of YAML/JSON config files; warn on per-field type mismatches and reject non-object roots.
  • Recognize bare ## Unreleased headings in addition to the bracketed ## [Unreleased] form.
Commits
  • 1faaf50 chore(release): v2.4.0
  • 5f62f39 feat: support PEP 440 versions via a version_scheme input (#123)
  • c8614b9 feat: add changes_file output (#68) (#122)
  • 6a1d138 fix: harden link-parsing regex against catastrophic backtracking (#121)
  • 695e5c9 chore(ci): use the action itself to extract release notes (#120)
  • 4b39e79 chore(release): v2.3.0
  • 5169600 fix: tighten input and config validation for v2.3.0 (#119)
  • a5d2d13 chore(deps): upgrade toolchain to current (Node 24, @actions/core 2, yaml 2, ...
  • 5358d0b unify link handling, type rule results, extract pure pipeline (#117)
  • 347fff2 Phase 4: SECURITY.md, code of conduct, issue/PR templates, commitlint (#115)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mindsers/changelog-reader-action](https://github.com/mindsers/changelog-reader-action) from 2.2.3 to 2.4.0.
- [Release notes](https://github.com/mindsers/changelog-reader-action/releases)
- [Changelog](https://github.com/mindsers/changelog-reader-action/blob/master/CHANGELOG.md)
- [Commits](mindsers/changelog-reader-action@v2.2.3...v2.4.0)

---
updated-dependencies:
- dependency-name: mindsers/changelog-reader-action
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependencies github_actions Github Actions labels Jun 1, 2026