Resolve High Security Alerts by upgrading Dependencies #1132
Merged
HarithaVattikuti changed the title from "upgrade path-to-regexp and body-parser dependencies to resolve dependabot high security alerts" to "Resolve High Security Alerts by upgrading Dependencies" on Sep 17, 2024

gowridurgad approved these changes on Sep 18, 2024

priyagupta108 approved these changes on Sep 19, 2024

HarithaVattikuti approved these changes on Sep 24, 2024

CrispyBaguette pushed a commit to CrispyBaguette/wasm-palette-converter that referenced this pull request on Nov 8, 2024:
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v2.5.2` -> `v4.1.0` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v4.1.0`](https://github.com/actions/setup-node/releases/tag/v4.1.0)

[Compare Source](actions/setup-node@v4.0.4...v4.1.0)

#### What's Changed

- Resolve High Security Alerts by upgrading Dependencies by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in actions/setup-node#1132
- Upgrade IA Publish by [@Jcambass](https://github.com/Jcambass) in actions/setup-node#1134
- Revise `isGhes` logic by [@jww3](https://github.com/jww3) in actions/setup-node#1148
- Add architecture to cache key by [@pengx17](https://github.com/pengx17) in actions/setup-node#843

  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts. Note: This change may break previous cache keys as they will no longer be compatible with the new format.

#### New Contributors

- [@jww3](https://github.com/jww3) made their first contribution in actions/setup-node#1148
- [@pengx17](https://github.com/pengx17) made their first contribution in actions/setup-node#843

**Full Changelog**: actions/setup-node@v4...v4.1.0

### [`v4.0.4`](https://github.com/actions/setup-node/releases/tag/v4.0.4)

[Compare Source](actions/setup-node@v4.0.3...v4.0.4)

#### What's Changed

- Add workflow file for publishing releases to immutable action package by [@Jcambass](https://github.com/Jcambass) in actions/setup-node#1125
- Enhance Windows ARM64 Setup and Update micromatch Dependency by [@priyagupta108](https://github.com/priyagupta108) in actions/setup-node#1126

##### Documentation changes:

- Documentation update in the README file by [@suyashgaonkar](https://github.com/suyashgaonkar) in actions/setup-node#1106
- Correct invalid 'lts' version string reference by [@fulldecent](https://github.com/fulldecent) in actions/setup-node#1124

#### New Contributors

- [@suyashgaonkar](https://github.com/suyashgaonkar) made their first contribution in actions/setup-node#1106
- [@priyagupta108](https://github.com/priyagupta108) made their first contribution in actions/setup-node#1126
- [@Jcambass](https://github.com/Jcambass) made their first contribution in actions/setup-node#1125
- [@fulldecent](https://github.com/fulldecent) made their first contribution in actions/setup-node#1124

**Full Changelog**: actions/setup-node@v4...v4.0.4

### [`v4.0.3`](https://github.com/actions/setup-node/releases/tag/v4.0.3)

[Compare Source](actions/setup-node@v4.0.2...v4.0.3)

#### What's Changed

##### Bug fixes:

- Fix macos latest check failures by [@HarithaVattikuti](https://github.com/HarithaVattikuti) in actions/setup-node#1041

##### Documentation changes:

- Documentation update to update default Node version to 20 by [@bengreeley](https://github.com/bengreeley) in actions/setup-node#949

##### Dependency updates:

- Bump undici from 5.26.5 to 5.28.3 by [@dependabot](https://github.com/dependabot) in actions/setup-node#965
- Bump braces from 3.0.2 to 3.0.3 and other dependency updates by [@dependabot](https://github.com/dependabot) in actions/setup-node#1087

#### New Contributors

- [@bengreeley](https://github.com/bengreeley) made their first contribution in actions/setup-node#949
- [@HarithaVattikuti](https://github.com/HarithaVattikuti) made their first contribution in actions/setup-node#1041

**Full Changelog**: actions/setup-node@v4...v4.0.3

### [`v4.0.2`](https://github.com/actions/setup-node/releases/tag/v4.0.2)

[Compare Source](actions/setup-node@v4.0.1...v4.0.2)

#### What's Changed

- Add support for `volta.extends` by [@ThisIsManta](https://github.com/ThisIsManta) in actions/setup-node#921
- Add support for arm64 Windows by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#927

#### New Contributors

- [@ThisIsManta](https://github.com/ThisIsManta) made their first contribution in actions/setup-node#921

**Full Changelog**: actions/setup-node@v4.0.1...v4.0.2

### [`v4.0.1`](https://github.com/actions/setup-node/releases/tag/v4.0.1)

[Compare Source](actions/setup-node@v4.0.0...v4.0.1)

#### What's Changed

- Ignore engines in Yarn 1 e2e-cache tests by [@trivikr](https://github.com/trivikr) in actions/setup-node#882
- Update setup-node references in the README.md file to setup-node@v4 by [@jwetzell](https://github.com/jwetzell) in actions/setup-node#884
- Update reusable workflows to use Node.js v20 by [@MaksimZhukov](https://github.com/MaksimZhukov) in actions/setup-node#889
- Add fix for cache to resolve slow post action step by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in actions/setup-node#917
- Fix README.md by [@takayamaki](https://github.com/takayamaki) in actions/setup-node#898
- Add `package.json` to `node-version-file` list of examples. by [@TWiStErRob](https://github.com/TWiStErRob) in actions/setup-node#879
- Fix node-version-file interprets entire package.json as a version by [@NullVoxPopuli](https://github.com/NullVoxPopuli) in actions/setup-node#865

#### New Contributors

- [@trivikr](https://github.com/trivikr) made their first contribution in actions/setup-node#882
- [@jwetzell](https://github.com/jwetzell) made their first contribution in actions/setup-node#884
- [@aparnajyothi-y](https://github.com/aparnajyothi-y) made their first contribution in actions/setup-node#917
- [@takayamaki](https://github.com/takayamaki) made their first contribution in actions/setup-node#898
- [@TWiStErRob](https://github.com/TWiStErRob) made their first contribution in actions/setup-node#879
- [@NullVoxPopuli](https://github.com/NullVoxPopuli) made their first contribution in actions/setup-node#865

**Full Changelog**: actions/setup-node@v4...v4.0.1

### [`v4.0.0`](https://github.com/actions/setup-node/releases/tag/v4.0.0)

[Compare Source](actions/setup-node@v3.8.2...v4.0.0)

#### What's Changed

In scope of this release we changed version of node runtime for action from node16 to node20 and updated dependencies in actions/setup-node#866

Besides, release contains such changes as:

- Upgrade actions/checkout to v4 by [@gmembre-zenika](https://github.com/gmembre-zenika) in actions/setup-node#868
- Update actions/checkout for documentation and yaml by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#876

#### New Contributors

- [@gmembre-zenika](https://github.com/gmembre-zenika) made their first contribution in actions/setup-node#868

**Full Changelog**: actions/setup-node@v3...v4.0.0

### [`v3.8.2`](https://github.com/actions/setup-node/releases/tag/v3.8.2)

[Compare Source](actions/setup-node@v3.8.1...v3.8.2)

#### What's Changed

- Update semver by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#861
- Update temp directory creation by [@nikolai-laevskii](https://github.com/nikolai-laevskii) in actions/setup-node#859
- Bump [@babel/traverse](https://github.com/babel/traverse) from 7.15.4 to 7.23.2 by [@dependabot](https://github.com/dependabot) in actions/setup-node#870
- Add notice about binaries not being updated yet by [@nikolai-laevskii](https://github.com/nikolai-laevskii) in actions/setup-node#872
- Update toolkit cache and core by [@dmitry-shibanov](https://github.com/dmitry-shibanov) and [@seongwon-privatenote](https://github.com/seongwon-privatenote) in actions/setup-node#875

**Full Changelog**: actions/setup-node@v3...v3.8.2

### [`v3.8.1`](https://github.com/actions/setup-node/releases/tag/v3.8.1)

[Compare Source](actions/setup-node@v3.8.0...v3.8.1)

#### What's Changed

In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#831. It is filtered and checked in the toolkit/cache library.

**Full Changelog**: actions/setup-node@v3...v3.8.1

### [`v3.8.0`](https://github.com/actions/setup-node/releases/tag/v3.8.0)

[Compare Source](actions/setup-node@v3.7.0...v3.8.0)

#### What's Changed

##### Bug fixes:

- Add check for existing paths by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#803
- Resolve SymbolicLink by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#809
- Change passing logic for cache input by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#816
- Fix armv7 cache issue by [@louislam](https://github.com/louislam) in actions/setup-node#794
- Update check-dist workflow name by [@sinchang](https://github.com/sinchang) in actions/setup-node#710

##### Feature implementations:

- feat: handling the case where "node" is used for tool-versions file. by [@xytis](https://github.com/xytis) in actions/setup-node#812

##### Documentation changes:

- Refer to semver package name in README.md by [@olleolleolle](https://github.com/olleolleolle) in actions/setup-node#808

##### Update dependencies:

- Update toolkit cache to fix zstd by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in actions/setup-node#804
- Bump tough-cookie and [@azure/ms-rest-js](https://github.com/azure/ms-rest-js) by [@dependabot](https://github.com/dependabot) in actions/setup-node#802
- Bump semver from 6.1.2 to 6.3.1 by [@dependabot](https://github.com/dependabot) in actions/setup-node#807
- Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://github.com/dependabot) in actions/setup-node#815

#### New Contributors

- [@olleolleolle](https://github.com/olleolleolle) made their first contribution in actions/setup-node#808
- [@louislam](https://github.com/louislam) made their first contribution in actions/setup-node#794
- [@sinchang](https://github.com/sinchang) made their first contribution in actions/setup-node#710
- [@xytis](https://github.com/xytis) made their first contribution in actions/setup-node#812

**Full Changelog**: actions/setup-node@v3...v3.8.0

### [`v3.7.0`](https://github.com/actions/setup-node/releases/tag/v3.7.0)

[Compare Source](actions/setup-node@v3.6.0...v3.7.0)

#### What's Changed

In scope of this release we added a logic to save an additional cache path for yarn 3 ([related pull request](actions/setup-node#744) and [feature request](actions/setup-node#325)). Moreover, we added functionality to use all the sub directories derived from `cache-dependency-path` input and add detect all dependencies directories to cache (related [pull request](actions/setup-node#735) and [feature request](actions/setup-node#488)).

##### Besides, we made such changes as:

- Replace workflow badge with new badge by [@jongwooo](https://github.com/jongwooo) in actions/setup-node#653
- Fix a minor typo by [@phanan](https://github.com/phanan) in actions/setup-node#662
- docs: fix typo in advanced-usage.md by [@remarkablemark](https://github.com/remarkablemark) in actions/setup-node#697
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by [@domdomegg](https://github.com/domdomegg) in actions/setup-node#718
- Update to node 18.x by [@feelepxyz](https://github.com/feelepxyz) in actions/setup-node#751
- Remove implicit dependencies by [@nikolai-laevskii](https://github.com/nikolai-laevskii) in actions/setup-node#758
- Fix description about ensuring workflow access to private package by [@x86chi](https://github.com/x86chi) in actions/setup-node#704

#### New Contributors

- [@jongwooo](https://github.com/jongwooo) made their first contribution in actions/setup-node#653
- [@phanan](https://github.com/phanan) made their first contribution in actions/setup-node#662
- [@remarkablemark](https://github.com/remarkablemark) made their first contribution in actions/setup-node#697
- [@domdomegg](https://github.com/domdomegg) made their first contribution in actions/setup-node#718
- [@feelepxyz](https://github.com/feelepxyz) made their first contribution in actions/setup-node#751
- [@nikolai-laevskii](https://github.com/nikolai-laevskii) made their first contribution in actions/setup-node#758
- [@x86chi](https://github.com/x86chi) made their first contribution in actions/setup-node#704

**Full Changelog**: actions/setup-node@v3...v3.7.0

### [`v3.6.0`](https://github.com/actions/setup-node/releases/tag/v3.6.0): Add Support for Nightly, Canary and RC builds for Node.js

[Compare Source](actions/setup-node@v3.5.1...v3.6.0)

In scope of this release we added support to download nightly, rc (actions/setup-node#611) and canary (actions/setup-node#619) Node.js distributions.

##### For nightly versions:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-nightly'
      - run: npm ci
      - run: npm test
```

##### For canary versions:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-v8-canary'
      - run: npm ci
      - run: npm test
```

##### For rc versions:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16.0.0-rc.1'
      - run: npm ci
      - run: npm test
```

Note: For more examples please refer to [documentation](https://github.com/actions/setup-node#advanced-usage).

Besides, we added the following changes as:

- Updated minimatch: actions/setup-node#608
- Fixed extra newline character in version output when reading from a file: actions/setup-node#625
- Passed the token input through on GHES: actions/setup-node#595
- Fixed issue with scoped registries are duplicated in npmrc: actions/setup-node#637

### [`v3.5.1`](https://github.com/actions/setup-node/releases/tag/v3.5.1): Update @actions/core and Print Node, Npm, Yarn versions

[Compare Source](actions/setup-node@v3.5.0...v3.5.1)

In scope of this release we updated [actions/core to 1.10.0](actions/setup-node#587). Moreover, we added logic [to print Nodejs, Npm, Yarn versions](actions/setup-node#368) after installation.

### [`v3.5.0`](https://github.com/actions/setup-node/releases/tag/v3.5.0): Add support for engines.node and Volta

[Compare Source](actions/setup-node@v3.4.1...v3.5.0)

In scope of this release we add support for engines.node. The action will be able to grab the version from package.json#engines.node. actions/setup-node#485.

Moreover, we [added support for Volta](actions/setup-node#532)

Besides, we updated [@actions/core to 1.9.1](actions/setup-node#574) and [@actions/cache to 3.0.4](actions/setup-node#573)

### [`v3.4.1`](https://github.com/actions/setup-node/releases/tag/v3.4.1): Fix pnpm output and node-version output issues

[Compare Source](actions/setup-node@v3.4.0...v3.4.1)

In scope of this release we fixed bugs related to the pnpm 7.5.1 output issue from `pnpm store path` actions/setup-node#545. Moreover we fixed the issue with falling on node-version output actions/setup-node#540.

### [`v3.4.0`](https://github.com/actions/setup-node/releases/tag/v3.4.0): Add support for asdf format and update actions/cache version to 3.0.0

[Compare Source](actions/setup-node@v3.3.0...v3.4.0)

In scope of this release we updated `actions/cache` package as the new version contains fixes for [caching error handling](actions/setup-node#526). Moreover, we added support for asdf format as Node.js version file actions/setup-node#373. Besides, we introduced new output [node-version](actions/setup-node#534) and added `npm-shrinkwrap.json` to dependency file patterns: actions/setup-node#439

### [`v3.3.0`](https://github.com/actions/setup-node/releases/tag/v3.3.0): Add support for lts/-n aliases

[Compare Source](actions/setup-node@v3.2.0...v3.3.0)

In scope of this release we added support for `lts/-n` aliases, improve logic for `current`, `latest` and `node` aliases to handle them from `toolcache`, update `ncc` package.

##### Support of lts/-n aliases

- Related pull request: actions/setup-node#481
- Related issue: actions/setup-node#26

```yaml
steps:
  - uses: actions/checkout@v3
  - uses: actions/setup-node@v3
    with:
      node-version: lts/-1
  - run: npm ci
  - run: npm test
```

##### Minor improvements

- Update zeit/ncc to vercel/ncc: actions/setup-node#476
- Get latest version from cache if exists: actions/setup-node#496

### [`v3.2.0`](https://github.com/actions/setup-node/releases/tag/v3.2.0): Add current, node, latest aliases

[Compare Source](actions/setup-node@v3.1.1...v3.2.0)

In scope of this release we added new aliases to install the latest Node.js version. actions/setup-node#483

```yml
steps:
  - uses: actions/checkout@v3
  - uses: actions/setup-node@v3
    with:
      node-version: current
  - run: npm ci
  - run: npm test
```

### [`v3.1.1`](https://github.com/actions/setup-node/releases/tag/v3.1.1): Update actions/cache version to 2.0.2

[Compare Source](actions/setup-node@v3.1.0...v3.1.1)

In scope of this release we updated `actions/cache` package as the new version contains fixes related to GHES 3.5 (actions/setup-node#460)

### [`v3.1.0`](https://github.com/actions/setup-node/releases/tag/v3.1.0): Add caching support on GHES 3.5

[Compare Source](actions/setup-node@v3.0.0...v3.1.0)

In scope of this release we added [support for caching from GHES 3.5](actions/setup-node#452) and fixed download issue for files > 2GB during restore. Besides, we updated `actions/cache` dependency to 2.0.0 version.

### [`v3.0.0`](https://github.com/actions/setup-node/releases/tag/v3.0.0)

[Compare Source](actions/setup-node@v2.5.2...v3.0.0)

In scope of this release we changed version of the runtime Node.js for the setup-node action and updated package-lock.json file to v2.

##### Breaking Changes

- With the update to Node 16 in actions/setup-node#414, all scripts will now be run with Node 16 rather than Node 12.
- We removed deprecated `version` input (actions/setup-node#424). Please use `node-version` input instead.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.bruyant.xyz/alexandre/PaletteSwitcher/pulls/56
Co-authored-by: Renovate <[email protected]>
Co-committed-by: Renovate <[email protected]>
Description:

This PR will fix the path-to-regexp "outputs backtracking regular expressions" finding from the Dependabot high security alerts listed below.

Related issues:

#32
#33
#34
#35
#36

Check list: