chore(deps): update all non-major dependencies #669

Open. Wants to merge 1 commit into base: main.

Conversation

@renovate-bot renovate-bot (Contributor) commented Jan 1, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | minor | v4.1.7 -> v4.2.2 |
| actions/dependency-review-action | action | minor | v4.3.3 -> v4.5.0 |
| actions/setup-node | action | minor | v4.0.3 -> v4.2.0 |
| github/codeql-action | action | minor | v3.25.11 -> v3.28.6 |
| nise | devDependencies | patch | 5.1.4 -> 5.1.9 |
| ossf/scorecard-action | action | minor | v2.3.3 -> v2.4.0 |
| pack-n-play | devDependencies | minor | 2.0.0 -> 2.1.0 |
| sinon (source) | devDependencies | minor | 15.0.1 -> 15.2.0 |
| step-security/harden-runner | action | minor | v2.8.1 -> v2.10.4 |

Release Notes

actions/checkout (actions/checkout)

  • v4.2.2
  • v4.2.1
  • v4.2.0

actions/dependency-review-action (actions/dependency-review-action)

v4.5.0

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

actions/setup-node (actions/setup-node)

  • v4.2.0
  • v4.1.0
  • v4.0.4

github/codeql-action (github/codeql-action)

v3.28.6

v3.28.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.5 - 24 Jan 2025
  • Update default CodeQL bundle version to 2.20.3. #2717

See the full CHANGELOG.md for more information.

v3.28.4

3.28.4 - 23 Jan 2025

No user facing changes.

v3.28.3

3.28.3 - 22 Jan 2025
  • Update default CodeQL bundle version to 2.20.2. #2707
  • Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the CodeQL Action sync tool and the Actions runner did not have Zstandard installed. #2710
  • Uploading debug artifacts for CodeQL analysis is temporarily disabled. #2712

v3.28.2

3.28.2 - 21 Jan 2025

No user facing changes.

v3.28.1

3.28.1 - 10 Jan 2025
  • CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #2677
  • Update default CodeQL bundle version to 2.20.1. #2678

v3.28.0

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.28.0 - 20 Dec 2024
  • Bump the minimum CodeQL bundle version to 2.15.5. #2655
  • Don't fail in the unusual case that a file is on the search path. #2660

v3.27.9

3.27.9 - 12 Dec 2024

No user facing changes.

v3.27.8

v3.27.7

3.27.7 - 10 Dec 2024
  • We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. #2631
  • Update default CodeQL bundle version to 2.20.0. #2636

v3.27.6

v3.27.5

v3.27.4

3.27.4 - 14 Nov 2024

No user facing changes.

v3.27.3

3.27.3 - 12 Nov 2024

No user facing changes.

v3.27.2

3.27.2 - 12 Nov 2024
  • Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". #2590

v3.27.1

3.27.1 - 08 Nov 2024
  • The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. #2573
  • Update default CodeQL bundle version to 2.19.3. #2576

v3.27.0

3.27.0 - 22 Oct 2024
  • Bump the minimum CodeQL bundle version to 2.14.6. #2549
  • Fix an issue where the upload-sarif Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the upload-sarif Action. #2557
  • Update default CodeQL bundle version to 2.19.2. #2552

  • v3.26.13
  • v3.26.12
  • v3.26.11
  • v3.26.10
  • v3.26.9
  • v3.26.8
  • v3.26.7
  • v3.26.6
  • v3.26.5
  • v3.26.4
  • v3.26.3
  • v3.26.2
  • v3.26.1
  • v3.26.0
  • v3.25.15
  • v3.25.14
  • v3.25.13
  • v3.25.12

sinonjs/nise (nise)

  • v5.1.9
  • v5.1.8
  • v5.1.7
  • v5.1.6
  • v5.1.5

ossf/scorecard-action (ossf/scorecard-action)

v2.4.0

What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

Full Changelog: ossf/scorecard-action@v2.3.3...v2.4.0

googleapis/pack-n-play (pack-n-play)

v2.1.0

Features
  • Allow synthetic default imports when testing typescript for esm (#203) (ac33320)

v2.0.3

v2.0.1

sinonjs/sinon (sinon)

v15.2.0

  • 66b0081e
    Use fake-timers v10.1.0 re-released as v10.3.0 (Carl-Erik Kopseng)

    Version 10.2.0 of fake-timers had an unexpected breaking change. We re-released 10.1.0 as 10.3.0 to force users into jumping over the deprecated version.

    v10.2.0 was re-released as v11.0.0 and will be part of the next Sinon major.

  • a79ccaeb
    Support callable instances (#2517) (bojavou)
    • Support callable instances
    • Clean prettier lint

  • d220c995
    fix: bundling compatibility with webpack@5 (#2519) (Avi Vahl)
    • fix: bundling compatibility with webpack@5

    when using webpack v5 to bundle code that calls require('sinon') (cjs), it would have defaulted to "exports->require" and fail with multiple node-api requirements (util, timers, etc.)

    this patch ensures that anyone who bundles sinon for browser gets the (browser-compatible) esm version.

    tested on both webpack v5 and v4. should be noted that v4 worked even without this patch, as it automatically injected polyfills. v5 no longer does so. with this PR, people using webpack@4 to bundle sinon at least see size improvement, as the polyfills are no longer required.

    • fix: revert change for package.json -> "browser"

    browserify doesn't seem to like esm. leave that entry point alone, and ensure "exports" -> "browser" (which webpack@5 uses) is esm.

Released by Carl-Erik Kopseng on 2023-06-20.

v15.1.2

  • 02b73aed
    Update lock file after removing node_modules ... (Carl-Erik Kopseng)

Released by Carl-Erik Kopseng on 2023-06-12.

v15.1.1

  • 194fc2ef
    Change fake-timers version to specifically target the one containing the 'jump' feature (Carl-Erik Kopseng)

    Instead of the later (breaking) version. See #470

  • 05f05ac3
    docs: Remove threw(obj) from docs (#2513) (Morgan Roderick)

    Since the introduction of threw in 0feec9f, no one has reported that threw(obj) doesn't work as the documentation states.

        const sinon = require("sinon");

        const o = { pie: "apple" };
        const f = sinon.fake.throws(o);
        f();

        // this is supposed to return true
        f.threw(o);
        // => false

    Since it has been 12+ years without an error report, it's safe to assume that no one uses the threw method in this way. Let's remove it from the documentation.

Released by Carl-Erik Kopseng on 2023-06-12.

v15.1.0

  • 79e719f2
    Ensure we use a fake-timers version with clock.jump (Carl-Erik Kopseng)
  • b2a4df5a
    Add docs for clock.jump method (#2512) (Jason O'Neill)
  • f096abff
    fix (#2514): only force new or inherited descriptors to be configurable (#2515) (Carl-Erik Kopseng)

Released by Carl-Erik Kopseng on 2023-05-18.

v15.0.4

  • e9042c4f
    Handling non-configurable object descriptors on the prototype (#2508) (Carl-Erik Kopseng)

    This should essentially make decorated methods stubbable again (see #2491)

  • 430c9a60
    Remove uses of var (#2506) (Carl-Erik Kopseng)

    Replace var with const where possible in /lib and /test.
    Modified the let codemod to be a codemod.
    Took about half an hour with --watch running.

Released by Carl-Erik Kopseng on 2023-04-20.

v15.0.3

  • b775f1b4
    Avoid tampering with globals and other modules' exports in tests (#2504) (Carl-Erik Kopseng)
  • 477064b6
    fix: make it possible to call through to underlying stub in stub instance (#2503) (Carl-Erik Kopseng)

    closes #2501

  • 6e19746e
    Remove dead Travis and Gitter references (Carl-Erik Kopseng)

Released by Carl-Erik Kopseng on 2023-03-26.

v15.0.2

  • 19bd99f3
    Use no-op for every function when restoring instances (#2499) (Carl-Erik Kopseng)
  • 8663ffa0
    Upgrade deps (#2498) (Carl-Erik Kopseng)

    Browserify, supports-color, husky had to be held back.

  • e01275bb
    Un-pin @sinonjs/fake-timers (#2495) (Jordan Hawker)

    The commit upgrading from v9 to v10 appears to have accidentally dropped the caret from the version range.

  • 6cbde9b0
    fix throws().callsFake() precedence (#2497) (Eduardo Diaz)

    This makes sure an unconditional callsFake() invoked on the same stub that was previously setup to throw will overwrite the previous behavior. This aligns it with the other behaviors.

  • 45be60f3
    Replace probot/stale with official stale action (Morgan Roderick)

Released by Carl-Erik Kopseng on 2023-03-12.

step-security/harden-runner (step-security/harden-runner)

v2.10.4

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

v2.10.3

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

v2.10.2

What's Changed
  1. Fixes low-severity command injection weaknesses
    The advisory is here: GHSA-g85v-wf27-67xc

  2. Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: step-security/harden-runner@v2...v2.10.2

v2.10.1

What's Changed

Release v2.10.1 by @varunsh-coder in https://github.com/step-security/harden-runner/pull/463
Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.

Full Changelog: step-security/harden-runner@v2...v2.10.1

v2.10.0

What's Changed

Release v2.10.0 by @h0x0er and @varunsh-coder in https://github.com/step-security/harden-runner/pull/455

ARM Support: Harden-Runner Enterprise tier now supports GitHub-hosted ARM runners. This includes all the features that apply to previously supported GitHub-hosted x64 Linux runners.

Full Changelog: step-security/harden-runner@v2...v2.10.0

v2.9.1

What's Changed

Release v2.9.1 by @h0x0er and @varunsh-coder in #440
This release includes two changes:

  1. Updated markdown displayed in the job summary by the Harden-Runner Action.
  2. Fixed a bug affecting Enterprise Tier customers where the agent attempted to upload telemetry for jobs with disable-telemetry set to true. No telemetry was uploaded as the endpoint was not in the allowed list.

Full Changelog: step-security/harden-runner@v2...v2.9.1

v2.9.0

What's Changed

Release v2.9.0 by @h0x0er and @varunsh-coder in https://github.com/step-security/harden-runner/pull/435
This release includes:

  • Enterprise Tier - Telemetry Upload Enhancement:
    For the enterprise tier, this change helps overcome size constraints, allowing for more reliable telemetry uploads from the Harden-Runner agent to the StepSecurity backend API. No configuration change is needed to enable this.
  • Harden-Runner Agent Authentication:
    The Harden-Runner agent now uses a per-job key to authenticate to the StepSecurity backend API to submit telemetry. This change prevents the submission of telemetry data anonymously for a given job, improving the integrity of the data collection process. No configuration change is needed to enable this.
  • README Update:
    A Table of Contents has been added to the README file to improve navigation. This makes it easier for users to find the information they need quickly.
  • Dependency Update:
    Updated the braces npm package dependency to a non-vulnerable version. The vulnerability in braces did not affect the Harden Runner Action.

Full Changelog: step-security/harden-runner@v2...v2.9.0


Configuration

📅 Schedule: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from e78d08e to 1c64869 on January 10, 2025 20:46
@chujchen

Tests for Nodejs10 and Nodejs12 are failing because the optional operator "?." is used in @sinonjs/fake-timers/src/fake-timers-src, which is only supported after NodeJs 13.

@renovate-bot renovate-bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from ab5d6fa to 939aaf8 on January 24, 2025 18:47
@renovate-bot renovate-bot force-pushed the renovate/all-minor-patch branch from 939aaf8 to 5d6956c on January 27, 2025 06:42
@renovate-bot renovate-bot force-pushed the renovate/all-minor-patch branch from 5d6956c to f12d603 on January 27, 2025 23:33