feat: add semantic-release automation for monorepo #1203
base: main
Conversation
- Add semantic-release configuration for all packages
- Support both stable (main) and RC (rc) release channels
- Automatic package detection and dependency resolution
- GitHub Actions workflow for automated releases
- pub.dev publishing with proper version management
- Comprehensive documentation in RELEASE.md
- Integration with existing melos workspace

BREAKING CHANGE: Introduces automated release process
⛔ Snyk checks have failed. 4 issues have been found so far.
⛔ code/snyk check is complete. 4 issues have been found.
// Update pubspec.yaml
if (fs.existsSync(pubspecPath)) {
  let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');
Path Traversal
Unsanitized input from a command line argument flows into fs.readFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
Line 23 | CWE-23 | Priority score 625
Data flow: 13 steps
Step 1 - 5: const packageName = process.argv[2];
Step 6 - 8: scripts/update-package-version.js#L15
Step 9 - 11: scripts/update-package-version.js#L16
Step 12 - 13: let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');
if (fs.existsSync(pubspecPath)) {
  let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');
  pubspecContent = pubspecContent.replace(/^version:\s*.+$/m, `version: ${newVersion}`);
  fs.writeFileSync(pubspecPath, pubspecContent);
Path Traversal
Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.
Line 25 | CWE-23 | Priority score 625
Data flow: 13 steps
Step 1 - 5: const packageName = process.argv[2];
Step 6 - 8: scripts/update-package-version.js#L15
Step 9 - 11: scripts/update-package-version.js#L16
Step 12 - 13: fs.writeFileSync(pubspecPath, pubspecContent);
// Update version.dart if it exists
if (fs.existsSync(versionPath)) {
  const versionContent = `const version = '${newVersion}';`;
  fs.writeFileSync(versionPath, versionContent);
Path Traversal
Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.
Line 35 | CWE-23 | Priority score 625
Data flow: 13 steps
Step 1 - 5: const packageName = process.argv[2];
Step 6 - 8: scripts/update-package-version.js#L15
Step 9 - 11: scripts/update-package-version.js#L17
Step 12 - 13: fs.writeFileSync(versionPath, versionContent);
const otherPubspecPath = path.join(packagesDir, otherPackage, 'pubspec.yaml');
if (fs.existsSync(otherPubspecPath)) {
  let otherPubspecContent = fs.readFileSync(otherPubspecPath, 'utf8');
  const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm');
Regular Expression Denial of Service (ReDoS)
Unsanitized user input from a command line argument flows into RegExp, where it is used to build a regular expression. This may result in a Regular Expression Denial of Service attack (ReDoS).
Line 53 | CWE-400 | Priority score 825
Data flow: 8 steps
Step 1 - 5: const packageName = process.argv[2];
Step 6 - 8: const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm');
Pull Request Test Coverage Report for Build 16369185740
💛 - Coveralls
Do you have any updates on when this will be released?
Summary
Adds automated semantic-release for all packages in the monorepo.

Features
- main (stable) or rc (prerelease) triggers releases

Setup Required
Add PUB_DEV_CREDENTIALS secret to GitHub repository settings.

Usage
See RELEASE.md for complete documentation.