feat: add semantic-release automation for monorepo #1203
Conversation
- Add semantic-release configuration for all packages - Support both stable (main) and RC (rc) release channels - Automatic package detection and dependency resolution - GitHub Actions workflow for automated releases - pub.dev publishing with proper version management - Comprehensive documentation in RELEASE.md - Integration with existing melos workspace BREAKING CHANGE: Introduces automated release process
⛔ Snyk checks have failed. 4 issues have been found so far.
⛔ code/snyk check is complete. 4 issues have been found. (View Details) 💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
![snyk-io[bot]](https://avatars.githubusercontent.com/in/372950?s=60&v=4){kind=small}
|
|
||
| // Update pubspec.yaml | ||
| if (fs.existsSync(pubspecPath)) { | ||
| let pubspecContent = fs.readFileSync(pubspecPath, 'utf8'); |
There was a problem hiding this comment.
Path Traversal
Unsanitized input from a command line argument flows into fs.readFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
Line 23 | CWE-23 | Priority score 625 | Learn more about this vulnerability
Data flow: 13 steps
Step 1 - 5
Step 6 - 8 scripts/update-package-version.js#L15
Step 9 - 11 scripts/update-package-version.js#L16
Step 12 - 13
| if (fs.existsSync(pubspecPath)) { | ||
| let pubspecContent = fs.readFileSync(pubspecPath, 'utf8'); | ||
| pubspecContent = pubspecContent.replace(/^version:\s*.+$/m, `version: ${newVersion}`); | ||
| fs.writeFileSync(pubspecPath, pubspecContent); |
There was a problem hiding this comment.
Path Traversal
Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.
Line 25 | CWE-23 | Priority score 625 | Learn more about this vulnerability
Data flow: 13 steps
Step 1 - 5
Step 6 - 8 scripts/update-package-version.js#L15
Step 9 - 11 scripts/update-package-version.js#L16
Step 12 - 13
| // Update version.dart if it exists | ||
| if (fs.existsSync(versionPath)) { | ||
| const versionContent = `const version = '${newVersion}';`; | ||
| fs.writeFileSync(versionPath, versionContent); |
There was a problem hiding this comment.
Path Traversal
Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.
Line 35 | CWE-23 | Priority score 625 | Learn more about this vulnerability
Data flow: 13 steps
Step 1 - 5
Step 6 - 8 scripts/update-package-version.js#L15
Step 9 - 11 scripts/update-package-version.js#L17
Step 12 - 13
| const otherPubspecPath = path.join(packagesDir, otherPackage, 'pubspec.yaml'); | ||
| if (fs.existsSync(otherPubspecPath)) { | ||
| let otherPubspecContent = fs.readFileSync(otherPubspecPath, 'utf8'); | ||
| const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm'); |
There was a problem hiding this comment.
Regular Expression Denial of Service (ReDoS)
Unsanitized user input from a command line argument flows into RegExp, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).
Line 53 | CWE-400 | Priority score 825 | Learn more about this vulnerability
Data flow: 8 steps
Step 1 - 5
Step 6 - 8
Pull Request Test Coverage Report for Build 16369185740Details
💛 - Coveralls |
|
Do you have any updates on when this will be released? |
Summary
Adds automated semantic-release for all packages in the monorepo.
Features
main(stable) orrc(prerelease) triggers releasesSetup Required
Add
PUB_DEV_CREDENTIALSsecret to GitHub repository settings.Usage
See RELEASE.md for complete documentation.