-
-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: updates regarding dependabot issues. node 18 workflow & engine update #229
feat: updates regarding dependabot issues. node 18 workflow & engine update #229
Conversation
this safely updates the packages which would be peer dependant. Because of `semantic-release update` to `20.1.1`, node 18 is required ncu: https://www.npmjs.com/package/npm-check-updates
due to `semantic-release` requiring node 18 all node workflows need updating too
Bumps [minimist](https://github.com/minimistjs/minimist) from 1.2.5 to 1.2.8. - [Release notes](https://github.com/minimistjs/minimist/releases) - [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md) - [Commits](minimistjs/minimist@v1.2.5...v1.2.8) --- updated-dependencies: - dependency-name: minimist dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
…dates-and-node-18
Updated the lockfile using yarn-audit-fix --flow=patch --registry=https://registry.yarnpkg.com
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many thanks for looking into this! 👏
question: |
Right, that's definitely an oversight! If you don't mind, would be great if you could enable it! You can do it directly in this PR if that's easier. |
164d457
to
97cc4e9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thank you again for your help and the patience! Hopefully we can upgrade to Node.js 18 in the future when it's properly supported in GitHub Actions!
🎉 This PR is included in version 5.2.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Changes
When I forked the branch and turned on dependabot, I got the following issues(dependabot image of forked repo):
This was also mentioned in #225 I think.
closes #225 .
This PR will update packages to the latest peer dependent version, which will resolve those issues.
Demo PR
Brink-Software#20
Docs
These are the details of the dependabot warnings:
Prototype Pollution in minimist, CWE-1321
http-cache-semantics vulnerable to Regular Expression Denial of Service, CWE-1333
Prototype Pollution in JSON5 via Parse Method, CWE-1321
minimatch ReDoS vulnerability, CWE-400
Packing does not respect root-level ignore files in workspaces, CWE-200
Inefficient Regular Expression Complexity in chalk/ansi-regex, CWE-697 and CWE-1333
Exposure of Sensitive Information to an Unauthorized Actor in semantic-release, CWE-200
Regular expression denial of service in semver-regex, CWE-1333