
Bump artifact package version to v0.5.2 #845

Merged (3 commits) on Jun 16, 2021

Conversation

brcrista (Contributor)

Last version: #761

Changes since last version:

@brcrista brcrista requested review from konradpabjan, thboop and a team June 14, 2021 13:51
@konradpabjan (Contributor) left a comment

👍 LGTM

The audit workflow is failing but we can put out a separate PR to bump up the lerna package. It was recently re-enabled, so we should make sure to keep that green as soon as possible.

@brcrista (Contributor, Author)

@konradpabjan sounds like we should merge that first before releasing a new version of any packages. I'll give that a try.

@brcrista (Contributor, Author)

It looks like there is no existing version of lerna with a fix for this. There's an open issue: lerna/lerna#2925

I see the vulnerability is fixed in new versions of trim-newlines and meow but it will need to bubble up a few levels to get to lerna:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.1 <4.0.0 || >=4.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/publish > @lerna/version >                    │
│               │ @lerna/conventional-commits > conventional-changelog-core >  │
│               │ get-pkg-repo > meow > trim-newlines                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1753                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.1 <4.0.0 || >=4.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/version > @lerna/conventional-commits >       │
│               │ conventional-changelog-core > get-pkg-repo > meow >          │
│               │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1753                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

We could look into submitting fixes, but lerna is only a dev dependency for us. The vulnerability is a ReDoS, so that doesn't apply to us unless we start DoS'ing our own build process.

@thboop would you be ok with setting up an allow list for https://github.com/actions/toolkit/blob/main/.github/workflows/audit.yml to work around this?
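One way to implement the allow-list idea from the comment above, as an added example that is not the actions/toolkit audit.yml nor any code from this PR: a small Python gate over `npm audit --json` output that tolerates an advisory only when every path carrying it is a dev-only path under a named root package (here lerna), so the same advisory showing up under a production dependency still fails the build. The JSON field names (`advisories` keyed by id, `findings` with `paths` and a `dev` flag) are assumed from the npm 6 report format, and the sample report is constructed from the two trim-newlines paths quoted above.

```python
"""Gate `npm audit --json` output behind an allow list that only tolerates
advisories confined to named dev-dependency trees.

Example code added to this discussion; it is not the actions/toolkit audit
workflow. The report shape (advisories keyed by id, each with `findings`
carrying `paths` and a `dev` flag) is assumed from the npm 6 format, and the
sample report below is constructed from the two trim-newlines paths in the
thread."""
import json

# Constructed sample report: advisory 1753 reached only through lerna,
# a dev dependency. The trim-newlines version 3.0.0 is a constructed value
# inside the unpatched range.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1753": {
            "id": 1753,
            "module_name": "trim-newlines",
            "severity": "high",
            "title": "Regular Expression Denial of Service",
            "patched_versions": ">=3.0.1 <4.0.0 || >=4.0.1",
            "url": "https://npmjs.com/advisories/1753",
            "findings": [{
                "version": "3.0.0",
                "dev": True,
                "paths": [
                    "lerna>@lerna/publish>@lerna/version>@lerna/conventional-commits"
                    ">conventional-changelog-core>get-pkg-repo>meow>trim-newlines",
                    "lerna>@lerna/version>@lerna/conventional-commits"
                    ">conventional-changelog-core>get-pkg-repo>meow>trim-newlines",
                ],
            }],
        }
    }
})

# Allow list: advisory id -> top-level dev dependencies whose transitive
# trees may carry it. Scoping by root package means the same advisory
# surfacing under a production dependency still fails the gate.
ALLOW_LIST = {1753: {"lerna"}}


def triage(audit_json, allow_list):
    """Split every finding path into (allowed, blocking) entries."""
    allowed, blocking = [], []
    report = json.loads(audit_json)
    for adv in report.get("advisories", {}).values():
        permitted_roots = allow_list.get(adv["id"], set())
        for finding in adv.get("findings", []):
            is_dev = bool(finding.get("dev", False))
            for path in finding.get("paths", []):
                root = path.split(">", 1)[0]
                entry = {
                    "id": adv["id"],
                    "module": adv["module_name"],
                    "severity": adv["severity"],
                    "root": root,
                    "dev": is_dev,
                    "path": path,
                }
                # Only a dev-only path under an explicitly allowed root is tolerated.
                if is_dev and root in permitted_roots:
                    allowed.append(entry)
                else:
                    blocking.append(entry)
    return allowed, blocking


def audit_passes(audit_json, allow_list=ALLOW_LIST):
    """True when no finding path is left outside the allow list."""
    return not triage(audit_json, allow_list)[1]


if __name__ == "__main__":
    allowed, blocking = triage(SAMPLE_AUDIT_JSON, ALLOW_LIST)
    for entry in allowed:
        print(f"allowed  #{entry['id']} {entry['module']} via {entry['root']} (dev)")
    for entry in blocking:
        print(f"BLOCKING #{entry['id']} {entry['module']} via {entry['root']}")
    raise SystemExit(0 if not blocking else 1)
```

Scoping the allow list by advisory id plus root package keeps the exception tied to the reasoning in the comment (ReDoS in a dev-only tool): if a later lockfile change pulls trim-newlines in under a runtime dependency, or the `dev` flag flips, the same entry no longer covers it and the workflow goes red again.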

@thboop (Collaborator) commented Jun 14, 2021

> @thboop would you be ok with setting up an allow list for https://github.com/actions/toolkit/blob/main/.github/workflows/audit.yml to work around this?

Go for it 👍

@brcrista brcrista merged commit a31b7ec into main Jun 16, 2021
@brcrista brcrista deleted the brcrista/artifact-v0.5.2 branch June 16, 2021 13:37
at-wat pushed a commit to at-wat/actions-toolkit that referenced this pull request Aug 31, 2023
* bump version in package*.json

* changelog