-
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
⬆️ Updates semantic-release to v19 [SECURITY] #2254
base: master
Are you sure you want to change the base?
Conversation
Hey! Changelogs info seems to be missing or might be in incorrect format. |
Branch automerge failureThis PR was configured for branch automerge, however this is not possible so it has been raised as a PR instead.
|
Pull request by bot. No need to analyze |
Thanks for the PR! This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged. |
Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md. |
Hello from PR HelperIs your PR ready for review and processing? Mark the PR ready by including If you still have work to do, even after marking this ready. Put the PR on hold by including |
2b86393
to
9f66af1
Compare
9f66af1
to
721a931
Compare
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
721a931
to
3d3ebfb
Compare
3d3ebfb
to
1b5024c
Compare
1b5024c
to
ece8e1f
Compare
ece8e1f
to
b3723d9
Compare
b3723d9
to
df39c92
Compare
df39c92
to
a81e3ac
Compare
e991432
to
3021d94
Compare
051dac9
to
72ac15f
Compare
481c25e
to
b2c686c
Compare
6593f91
to
15933e1
Compare
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
|
15933e1
to
e72fc02
Compare
e72fc02
to
4c36adc
Compare
4c36adc
to
b2bc2ce
Compare
b2bc2ce
to
b5c5024
Compare
b5c5024
to
467e46f
Compare
467e46f
to
61f5097
Compare
61f5097
to
2dd7654
Compare
2dd7654
to
2f09ac0
Compare
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2f09ac0
to
8cbced0
Compare
This PR contains the following updates:
^17.4.3
->^19.0.3
GitHub Vulnerability Alerts
CVE-2022-31051
Impact
What kind of vulnerability is it? Who is impacted?
Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials.
Patches
Has the problem been patched? What versions should users upgrade to?
Fixed in 19.0.3
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Secrets that do not contain characters that are excluded from encoding with
encodeURI
when included in a URL are already masked properly.References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Release Notes
semantic-release/semantic-release (semantic-release)
v19.0.3
Compare Source
Bug Fixes
v19.0.2
Compare Source
Bug Fixes
v19.0.1
Compare Source
Bug Fixes
v19.0.0
Compare Source
Bug Fixes
marked
to resolve ReDos vulnerability (#2330) (d9e5bc0)BREAKING CHANGES
@semantic-release/npm
has also dropped support for node v15marked
andmarked-terminal
that resolved the ReDoS vulnerability. removal of support of this node version should be low since it was not an LTS version and has been EOL for several months already.v18.0.1
Compare Source
Bug Fixes
v18.0.0
Compare Source
This is a maintenance release. An increasing amount of dependencies required a node version higher than the Node 10 version supported by
semantic-release@17
. We decided to go straight to a recent Node LTS version because the release build is usually independent of others, requiring a higher node version is less disruptive to users, but helps us reduce the maintenance overhead.If you use GitHub Actions and need to bump the node version set up by
actions/node-setup
, you can useoctoherd-script-bump-node-version-in-workflows
BREAKING CHANGES
node-version: the minimum required version of node is now v14.17
v17.4.7
Compare Source
Bug Fixes
v17.4.6
Compare Source
Bug Fixes
v17.4.5
Compare Source
Bug Fixes
v17.4.4
Compare Source
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.