This repository was archived by the owner on Nov 26, 2025. It is now read-only.

chore: bump line-bot-sdk from 3.17.1 to 3.20.0#188

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/line-bot-sdk-3.20.0

Conversation


@dependabot dependabot bot commented on behalf of github Nov 3, 2025

Bumps line-bot-sdk from 3.17.1 to 3.20.0.

Release notes

Sourced from line-bot-sdk's releases.

v3.20.0 Add forbidPartialDelivery option to the Narrowcast Limit Object

What's Changed

Add forbidPartialDelivery option to the Narrowcast Limit Object

We add a new forbidPartialDelivery option to the Narrowcast Limit Object.

When set to true, this option prevents messages from being delivered to only a subset of the target audience. If partial delivery occurs, the narrowcast request will succeed but fail asynchronously. You can verify whether the message delivery was canceled by checking the narrowcast message progress.

This property can only be set to true when upToRemainingQuota is also true.

For more details, see https://developers.line.biz/en/news/2025/10/21/narrowcast-message-update/.

Example:
from linebot.v3.messaging import Limit, NarrowcastRequest, TextMessage

# line_bot_api is a configured MessagingApi client and event is the incoming webhook MessageEvent
line_bot_api.narrowcast(
    NarrowcastRequest(
        messages=[TextMessage(text=event.message.text)],
        limit=Limit(
            max=1000,
            upToRemainingQuota=True,
            # cancel the whole delivery instead of reaching only part of the audience;
            # only valid together with upToRemainingQuota=True
            forbidPartialDelivery=True
        )
    )
)

(original PR is line/line-openapi#114)

Use cases

Previously, when upToRemainingQuota was set to true, messages could be partially delivered if the remaining message quota was smaller than the target audience size.
With the new forbidPartialDelivery option, you can now ensure that such partial deliveries do not occur.

  • Ensuring that a campaign message is sent only if it can reach the full target audience, avoiding incomplete distributions.

line-openapi updates

... (truncated)

Commits
  • 1d31be8 Add forbidPartialDelivery option to the Narrowcast Limit Object (#873)
  • fbf5f1b chore(deps): update dependency tox to v4.31.0 (#868)
  • 7d6225f Support Python 3.14 (#871)
  • a4ea58a chore(deps): update actions/setup-node action to v6 (#869)
  • ed884a5 Prevent command injection when creating release notes (#866)
  • be83749 chore(deps): update actions/stale action to v10.1.0 (#867)
  • 7f2e163 chore(deps): update dependency tox to v4.30.3 (#865)
  • 275325a fix(deps): update dependency ch.qos.logback:logback-classic to v1.5.19 (#863)
  • 04d5bde fix(deps): update dependency org.openapitools:openapi-generator to v7.16.0 (#...
  • 221713e chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [line-bot-sdk](https://github.com/line/line-bot-sdk-python) from 3.17.1 to 3.20.0.
- [Release notes](https://github.com/line/line-bot-sdk-python/releases)
- [Commits](line/line-bot-sdk-python@v3.17.1...v3.20.0)

---
updated-dependencies:
- dependency-name: line-bot-sdk
  dependency-version: 3.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) Nov 3, 2025
@github-actions

github-actions bot commented Nov 3, 2025

Preview Has Been Created or Updated!

The Preview Image URL is ghcr.io/garyellow/ntpu-linebot:dependabot-pip-line-bot-sdk-3.20.0.

@github-actions

github-actions bot commented Nov 3, 2025

Your image moby/buildkit:buildx-stable-1 critical: 0 high: 3 medium: 12 low: 5
Current base image alpine:3 critical: 0 high: 1 medium: 2 low: 2
Refreshed base image alpine:3 critical: 0 high: 0 medium: 0 low: 2
Updated base image alpine:3.21 critical: 0 high: 0 medium: 0 low: 2

@github-actions

github-actions bot commented Nov 3, 2025

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
Digest: sha256:9403964920cf47f1485e730dd88257e2cb810832909c58c0e6c49e7e99d7a68e
Vulnerabilities: critical: 0 high: 3 medium: 12 low: 5
Platform: linux/amd64
Size: 112 MB
Packages: 250
📦 Base Image alpine:3
Also known as:
  • 3.22
  • 3.22.1
  • 5ebcb6dbc4df687a7e3a5d557e096b5d230417b214b219698395cbc4ea61b004
  • latest
Digest: sha256:eafc1edb577d2e9b458664a15f23ea1c370214193226069eb22921169fc7e43f
Vulnerabilities: critical: 0 high: 1 medium: 2 low: 2
critical: 0 high: 2 medium: 8 low: 1 stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

high: CVE-2025-61725

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.030%
EPSS Percentile: 8th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high: CVE-2025-58188

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.024%
EPSS Percentile: 5th percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

medium: CVE-2025-61723

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.029%
EPSS Percentile: 7th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

medium: CVE-2025-58187

Affected range: >=1.25.0, <1.25.3
Fixed version: 1.25.3
EPSS Score: 0.008%
EPSS Percentile: 1st percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

medium: CVE-2025-47910

Affected range: >=1.25.0, <1.25.1
Fixed version: 1.25.1
EPSS Score: 0.011%
EPSS Percentile: 1st percentile
Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

medium: CVE-2025-61724

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.039%
EPSS Percentile: 11th percentile
Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

medium: CVE-2025-58189

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.029%
EPSS Percentile: 7th percentile
Description

When Conn.Handshake fails during ALPN negotiation, the error contains attacker-controlled information (the ALPN protocols sent by the client) which is not escaped.

medium: CVE-2025-58186

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.039%
EPSS Percentile: 11th percentile
Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large number of structs, causing large memory consumption.

medium: CVE-2025-58185

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.019%
EPSS Percentile: 4th percentile
Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

medium: CVE-2025-47912

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.043%
EPSS Percentile: 13th percentile
Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

low: CVE-2025-58183

Affected range: >=1.25.0, <1.25.2
Fixed version: 1.25.2
EPSS Score: 0.006%
EPSS Percentile: 0th percentile
Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

critical: 0 high: 1 medium: 0 low: 2 openssh 10.0_p1-r9 (apk)

pkg:apk/alpine/openssh@10.0_p1-r9?os_name=alpine&os_version=3.22

high: CVE-2023-51767

Affected range: <=10.0_p1-r9
Fixed version: Not Fixed
EPSS Score: 0.004%
EPSS Percentile: 0th percentile
Description

low: CVE-2025-61985

Affected range: <=10.0_p1-r9
Fixed version: Not Fixed
EPSS Score: 0.012%
EPSS Percentile: 1st percentile
Description

low: CVE-2025-61984

Affected range: <=10.0_p1-r9
Fixed version: Not Fixed
EPSS Score: 0.013%
EPSS Percentile: 1st percentile
Description

critical: 0 high: 0 medium: 2 low: 0 golang.org/x/net 0.35.0 (golang)

pkg:golang/golang.org/x/net@0.35.0

medium 5.3: CVE-2025-22872 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <0.38.0
Fixed version: 0.38.0
CVSS Score: 5.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Score: 0.023%
EPSS Percentile: 5th percentile
Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg> contexts).

medium 4.4: CVE-2025-22870 Misinterpretation of Input

Affected range: <0.36.0
Fixed version: 0.36.0
CVSS Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score: 0.018%
EPSS Percentile: 3rd percentile
Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.

critical: 0 high: 0 medium: 1 low: 0 pcre2 10.43-r1 (apk)

pkg:apk/alpine/pcre2@10.43-r1?os_name=alpine&os_version=3.22

medium: CVE-2025-58050

Affected range: <10.46-r0
Fixed version: 10.46-r0
EPSS Score: 0.030%
EPSS Percentile: 7th percentile
Description

critical: 0 high: 0 medium: 1 low: 0 stdlib 1.25.2 (golang)

pkg:golang/stdlib@1.25.2

medium: CVE-2025-58187

Affected range: >=1.25.0, <1.25.3
Fixed version: 1.25.3
EPSS Score: 0.008%
EPSS Percentile: 1st percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

critical: 0 high: 0 medium: 0 low: 2 busybox 1.37.0-r18 (apk)

pkg:apk/alpine/busybox@1.37.0-r18?os_name=alpine&os_version=3.22

low: CVE-2025-46394

Affected range: <=1.37.0-r19
Fixed version: Not Fixed
EPSS Score: 0.015%
EPSS Percentile: 2nd percentile
Description

low: CVE-2024-58251

Affected range: <=1.37.0-r19
Fixed version: Not Fixed
EPSS Score: 0.017%
EPSS Percentile: 3rd percentile
Description

@github-actions

github-actions bot commented Nov 3, 2025

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name: 3.22.1
Digest: sha256:eafc1edb577d2e9b458664a15f23ea1c370214193226069eb22921169fc7e43f
Vulnerabilities: critical: 0 high: 1 medium: 2 low: 2
Pushed: 3 months ago
Size: 3.8 MB
Packages: 20
OS: 3.22.1
The base image is also available under the supported tag(s): 3.22, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.
Tag: 3
Details: Newer image for same tag
Also known as:
  • 3.22.2
  • 3.22
  • latest
Benefits:
  • Newer image for same tag
  • Minor OS version update
  • Tag was pushed more recently
  • Image has similar size
  • Tag is latest
  • Image introduces no new vulnerability but removes 3
  • Image contains equal number of packages
  • 3 was pulled 251K times last month
Image details:
  • Size: 3.8 MB
  • OS: 3.22.2
Pushed: 3 weeks ago

Change base image

Tag: 3.21
Details: Tag is preferred tag
Also known as:
  • 3.21.5
Benefits:
  • Image is smaller by 153 KB
  • Minor OS version update
  • Image contains 1 fewer package
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image introduces no new vulnerability but removes 3
Image details:
  • Size: 3.6 MB
  • OS: 3.21.5
Pushed: 3 weeks ago


dependabot bot commented on behalf of github Nov 10, 2025

Superseded by #189.

@dependabot dependabot bot closed this Nov 10, 2025
@dependabot dependabot bot deleted the dependabot/pip/line-bot-sdk-3.20.0 branch November 10, 2025 02:06
@github-actions

Preview Has Been Deleted!

The Preview Image has been deleted.
