Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: updates regarding dependabot issues. node 18 workflow & engine update #229

Merged
merged 14 commits into from
Mar 16, 2023
Merged

feat: updates regarding dependabot issues. node 18 workflow & engine update #229

merged 14 commits into from
Mar 16, 2023

Conversation

EelcoLos
Copy link
Contributor

@EelcoLos EelcoLos commented Mar 10, 2023
edited
Loading

Changes

When I forked the branch and turned on dependabot, I got the following issues(dependabot image of forked repo):

dependabot image of forked repo

This was also mentioned in #225 I think.
closes #225 .
This PR will update packages to the latest peer dependent version, which will resolve those issues.

Demo PR

Brink-Software#20

Docs

These are the details of the dependabot warnings:
Prototype Pollution in minimist, CWE-1321
http-cache-semantics vulnerable to Regular Expression Denial of Service, CWE-1333
Prototype Pollution in JSON5 via Parse Method, CWE-1321
minimatch ReDoS vulnerability, CWE-400
Packing does not respect root-level ignore files in workspaces, CWE-200
Inefficient Regular Expression Complexity in chalk/ansi-regex, CWE-697 and CWE-1333
Exposure of Sensitive Information to an Unauthorized Actor in semantic-release, CWE-200
Regular expression denial of service in semver-regex, CWE-1333

EelcoLos and others added 3 commits March 10, 2023 16:12
@EelcoLos
deps: update via ncu --peer -u & engine to node 18
4fb1829 
this safely updates the packages which would be peer dependant.
Because of `semantic-release update` to `20.1.1`, node 18 is required

ncu: https://www.npmjs.com/package/npm-check-updates
@EelcoLos
chore: update all github workflows to node 18
16dbf19 
due to `semantic-release` requiring node 18
all node workflows need updating too
@dependabot
chore: Bump minimist from 1.2.5 to 1.2.8
3de79ab 
Bumps [minimist](https://github.com/minimistjs/minimist) from 1.2.5 to 1.2.8.
- [Release notes](https://github.com/minimistjs/minimist/releases)
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@EelcoLos EelcoLos changed the title feat: updates regarding dependabot issues. node 18 workflow & engine update feat!: updates regarding dependabot issues. node 18 workflow & engine update Mar 10, 2023
@EelcoLos EelcoLos mentioned this pull request Mar 10, 2023
Closed
amannn
amannn reviewed Mar 14, 2023
View reviewed changes
Copy link
Owner

@amannn amannn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many thanks for looking into this! 👏

package.json Outdated Show resolved Hide resolved
package.json Outdated Show resolved Hide resolved
@EelcoLos
Copy link
Contributor Author

EelcoLos commented Mar 15, 2023
edited
Loading

question:
the lint-pr-title-preview-outputErrorMessage file doesn't have a yml extension. Is that intended? If not, should I add the extension, therefore enabling the action (in this PR or seperate)?

@amannn
Copy link
Owner

amannn commented Mar 15, 2023

the lint-pr-title-preview-outputErrorMessage file doesn't have a yml extension. Is that intended? If not, should I add the extension, therefore enabling the action (in this PR or seperate)?

Right, that's definitely an oversight! If you don't mind, would be great if you could enable it! You can do it directly in this PR if that's easier.

@EelcoLos EelcoLos force-pushed the package-updates-and-node-18 branch from 164d457 to 97cc4e9 Compare March 15, 2023 08:39
@EelcoLos
fix: added yml to workflow file
b12b12e
@EelcoLos
chore: update action
bad9180 
as there is no official using 'node18' yet
i've seen some composite solutions.
Pointed this out in the PR
@EelcoLos
Revert "chore: update action"
9d04f2f 
This reverts commit bad9180.
@EelcoLos
Revert "chore: update all github workflows to node 18"
4a57d36 
This reverts commit 16dbf19.
@EelcoLos
Revert "Revert "chore: update all github workflows to node 18""
7632ffc 
This reverts commit 4a57d36.
@EelcoLos
chore: run linting on node 16
a0aea99 
the build for semantic-release needs v18, the rest does not
@EelcoLos
deps: lowered semantic-release to v19 and node->16
fb13ce6
@EelcoLos
chore: remove empty line
f07091a
@EelcoLos EelcoLos changed the title feat!: updates regarding dependabot issues. node 18 workflow & engine update feat: updates regarding dependabot issues. node 18 workflow & engine update Mar 16, 2023
amannn
amannn approved these changes Mar 16, 2023
View reviewed changes
Copy link
Owner

@amannn amannn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thank you again for your help and the patience! Hopefully we can upgrade to Node.js 18 in the future when it's properly supported in GitHub Actions!

@amannn amannn merged commit e797448 into amannn:main Mar 16, 2023
@github-actions
Copy link

🎉 This PR is included in version 5.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@EelcoLos EelcoLos deleted the package-updates-and-node-18 branch October 31, 2023 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amannn amannn amannn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Various vulnerabilities
2 participants
@EelcoLos @amannn