
action-allowlist-review: bump untitaker/hyperlink from 0.2.0 to 0.2.1 in /.github/actions/for-dependabot-triggered-reviews#916

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/untitaker/hyperlink-0.2.1
Closed


Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 6, 2026

Contributor

Bumps untitaker/hyperlink from 0.2.0 to 0.2.1.

Release notes

Sourced from untitaker/hyperlink's releases.

0.2.1

Install hyperlink 0.2.1

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/untitaker/hyperlink/releases/download/0.2.1/hyperlink-installer.sh | sh

Install prebuilt binaries into your npm project

npm release is broken for this version, patches welcome. untitaker/hyperlink#197

npm install @untitaker/hyperlink@0.2.1

Download hyperlink 0.2.1

File Platform Checksum
hyperlink-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
hyperlink-x86_64-apple-darwin.tar.xz Intel macOS checksum
hyperlink-x86_64-pc-windows-msvc.zip x64 Windows checksum
hyperlink-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
Commits
  • 1ae2cef version 0.2.1
  • e31ff72 Remove use of BumpVec and fix some edgecases around paragraph handling
  • 9c2dac0 Reduce use of resizing BumpString
  • fb36f8c Simplify code
  • ced1a29 Hide BumpVec usage in HyperlinkEmitter in favor of callbacks
  • 71d1bba remove duplicate function
  • b1aa1e8 Ignore dynamic redirects, fix #194
  • c89dcd6 Allow new clippy lint and remove third-party actions
  • f64dde0 Bump rand from 0.7.3 to 0.9.3 in /tools/html-bench (#195)
  • 48aaa46 Move to HashMap in collector, some other perf improvements
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 6, 2026
@potiuk

potiuk commented Jun 8, 2026

Member

@dependabot rebase

Bumps [untitaker/hyperlink](https://github.com/untitaker/hyperlink) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/untitaker/hyperlink/releases)
- [Commits](untitaker/hyperlink@fb5bb9c...1ae2cef)

---
updated-dependencies:
- dependency-name: untitaker/hyperlink
  dependency-version: 0.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/untitaker/hyperlink-0.2.1 branch from c30956b to b9cd25e on June 8, 2026 16:14
@potiuk

potiuk commented Jun 11, 2026

Member

The verify gate flags one unverified download — the curl … | sh of the cargo-dist installer in scripts/install.sh. Two things worth weighing:

  • No new risk in the delta: action.yml and scripts/install.sh are byte-identical to the already-approved 0.2.0 (install.sh sha 08edeb5…); only internal Rust source changed. The cargo-dist installer also self-verifies the downloaded binary against embedded checksums — the one unverified step is the fetch of the installer script itself.
  • I've filed Action fetches release installer via curl … | sh without verifying the script itself untitaker/hyperlink#198 upstream to harden that fetch (verify the installer against the published sha256.sum before running it).

Not merging for now. @dfoulks1 @ppkarwasz — do we wait for upstream #198, or merge this as a no-new-risk bump given it's identical to the approved 0.2.0? Your call appreciated.

@potiuk

potiuk commented Jun 27, 2026

Member

Context for reviewers / status update. The verify failure here is the single unverified download in scripts/install.sh (curl … hyperlink-installer.sh | sh), which is unchanged from the already-approved 0.2.0, so it's not a regression in this bump.

This was raised with the upstream maintainer and discussed in untitaker/hyperlink#198: a checksum shipped beside the installer in the same (mutable) release doesn't actually buy anything, so the fix has to anchor trust outside the release. There's now a draft PR — untitaker/hyperlink#201 — that enables cargo-dist's GitHub build attestations and has install.sh verify the installer with gh attestation verify before running it.

Suggest holding this bump until that lands upstream and ships in a release, after which future hyperlink bumps verify cleanly.
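The trust-anchoring point made above (a checksum published beside the installer in the same mutable release detects nothing, an attestation issued by the build identity does) as an added Python simulation; this is not code from hyperlink, cargo-dist or this PR, and the installer bytes, the release layout and the HMAC-keyed stand-in for the CI signing identity are constructed assumptions.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the cargo-dist installer script and a tampered replacement.
GENUINE = b"#!/bin/sh\n# constructed stand-in for hyperlink-installer.sh\necho install\n"
TAMPERED = b"#!/bin/sh\n# constructed stand-in for a swapped installer\necho tampered\n"

def make_release(installer: bytes) -> dict:
    """A GitHub release is mutable: whoever can edit it rewrites every asset,
    including a checksum file published beside the installer."""
    return {"hyperlink-installer.sh": installer, "sha256.sum": sha256_hex(installer)}

def verify_in_release_checksum(release: dict) -> bool:
    """Check the installer against sha256.sum from the same release (the option rejected in #198)."""
    return sha256_hex(release["hyperlink-installer.sh"]) == release["sha256.sum"]

# Stand-in for the signing identity behind build attestations: a key the release
# uploader does not hold (in reality a Sigstore signature by the build workflow).
CI_KEY = b"constructed-ci-only-key"

def ci_attest(installer: bytes) -> str:
    """Issued by the build workflow at release time and stored outside the release assets."""
    return hmac.new(CI_KEY, sha256_hex(installer).encode(), "sha256").hexdigest()

def verify_attestation(release: dict, attestation: str) -> bool:
    """Consumer-side analogue of `gh attestation verify`: recompute the digest and
    check it is the one the CI identity attested to."""
    expected = ci_attest(release["hyperlink-installer.sh"])
    return hmac.compare_digest(expected, attestation)

def scenario() -> dict:
    good = make_release(GENUINE)
    attestation = ci_attest(GENUINE)          # produced once, by CI, for the real build
    bad = make_release(TAMPERED)              # attacker re-uploads installer AND checksum
    return {
        "good_in_release": verify_in_release_checksum(good),
        "bad_in_release": verify_in_release_checksum(bad),    # True: tamper not detected
        "good_attested": verify_attestation(good, attestation),
        "bad_attested": verify_attestation(bad, attestation),  # False: tamper caught
    }

if __name__ == "__main__":
    print(scenario())
```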

@potiuk

potiuk commented Jun 27, 2026

Member

Worked with the author of hyperlink, and not only did I add attestations when building the binaries, but I also modernized his actions. A very nice person, even if I initially had some mishap spamming his repo with multiple issues (fixed already).

The release at https://github.com/untitaker/hyperlink/releases/tag/0.3.1 should get green in a couple of days.

@potiuk

potiuk commented Jun 27, 2026

Member

Closing until it happens.

@potiuk potiuk closed this Jun 27, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 27, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/untitaker/hyperlink-0.2.1 branch June 27, 2026 21:13