Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): semantic-release [security] #204

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): semantic-release [security] #204

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 20, 2020
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semantic-release 15.13.32 -> 17.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-26226

Impact

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.

Patches

Fixed in v17.2.3

Workarounds

Secrets that do not contain characters that become encoded when included in a URL are already masked properly.

Release Notes

semantic-release/semantic-release (semantic-release)

v17.2.3

Compare Source

Bug Fixes
  • mask secrets when characters get uri encoded (ca90b34)

v17.2.2

Compare Source

Bug Fixes
  • don't parse port as part of the path in repository URLs (#​1671) (77a75f0)
  • use valid git credentials when multiple are provided (#​1669) (2bf3771)

v17.2.1

Compare Source

Reverts

v17.2.0

Compare Source

Features
  • throw an Error if package.json has duplicate "repository" key (#​1656) (b8fb35c)

v17.1.2

Compare Source

Bug Fixes

v17.1.1

Compare Source

Bug Fixes

v17.1.0

Compare Source

Features
  • bitbucket-basic-auth: support for bitbucket server basic auth (#​1578) (a465801)

v17.0.8

Compare Source

Bug Fixes
  • prevent false positive secret replacement for Golang projects (#​1562) (eed1d3c)

v17.0.7

Compare Source

Bug Fixes

v17.0.6

Compare Source

Bug Fixes

v17.0.5

Compare Source

Bug Fixes
  • adapt for semver to version 7.3.2 (0363790)

v17.0.4

Compare Source

Bug Fixes
  • add repositoryUrl in logs (55be0ba)

v17.0.3

Compare Source

Bug Fixes
  • pass a branch name to getGitAuthUrl (e7bede1)

v17.0.2

Compare Source

Bug Fixes
  • package: update marked-terminal to version 4.0.0 (8ce2d6e)

v17.0.1

Compare Source

Bug Fixes

v17.0.0

Compare Source

BREAKING CHANGES
  • Require Node.js >= 10.18

v16.0.4

Compare Source

Bug Fixes
  • correct error when remote repository has no branches (c6b1076)

v16.0.3

Compare Source

Bug Fixes
  • use --no-verify when testing the Git permissions (b54b20d)

v16.0.2

Compare Source

Bug Fixes
  • fetch tags on repo cached by the CI (6b5b02e)

v16.0.1

Compare Source

Bug Fixes
  • package: update env-ci to version 5.0.0 (3739ab5)

v16.0.0

Compare Source

BREAKING CHANGES

  • ⚠️ For v16.0.0@​beta users only:

    In v16, a JSON object stored in a Git note is used to keep track of the channels on which a version has been released, the @{channel} suffix is no longer necessary.

    The tags formatted as v{version}@​{channel} will now be ignored. If you have releases using this format you will have to upgrade them:

    • Find all the versions that have been released on a branch other than the default one by searching for all tags formatted as v{version}@​{channel}
    • For each of those version:
      • Create a tag without the {@​channel} if none doesn't already exists
      • Add a Git note to the tag without the {@​channel} containing the channels on which the version was released formatted as {"channels":["channel1","channel2"]} and using null for the default channel (for example.{"channels":[null,"channel1","channel2"]})
      • Push the tags and notes
      • Update the GitHub releases that refer to a tag formatted as v{version}@​{channel} to use the tag without it
      • Delete the tags formatted as v{version}@​{channel}

  • Require Node.js >= 10.13

  • Git CLI version 2.7.1 or higher is now required: The --merge option of the git tag command has been added in Git version 2.7.1 and is now used by semantic-release

  • Regexp are not supported anymore for property matching in the releaseRules option.

    Regex are replaced by globs. For example /core-.*/ should be changed to 'core-*'.

  • The branch option has been removed in favor of branches

  • The new branches option expect either an Array or a single branch definition. To migrate your configuration:

    • If you want to publish package from multiple branches, please see the configuration documentation
    • If you use the default configuration and want to publish only from master: nothing to change
    • If you use the branch configuration and want to publish only from one branch: replace branch with branches ("branch": "my-release-branch" => "branches": "my-release-branch")
Features
  • allow addChannel plugins to return false in order to signify no release was done (e1c7269)
  • allow publish plugins to return false in order to signify no release was done (47484f5)
  • allow to release any version on a branch if up to date with next branch (916c268)
  • support multiple branches and distribution channels (7b40524)
  • use Git notes to store the channels on which a version has been released (b2c1b2c)
  • package: update @​semantic-release/commit-analyzer to version 7.0.0 (e63e753)
Performance Improvements
  • use git tag --merge <branch> to filter tags present in a branch history (cffe9a8)
Bug Fixes
  • add channel to publish success log (5744c5e)
  • add a flag indicate which branch is the main one (2caafba)
  • Add helpful detail to ERELEASEBRANCHES error message (#​1188) (37bcc9e)
  • allow multiple branches with same channel (63f51ae)
  • allow to set ci option via API and config file (2faff26)
  • call getTagHead only when necessary (de77a79)
  • call success plugin only once for releases added to a channel (9a023b4)
  • correct log when adding channel to tag (61665be)
  • correctly determine next pre-release version (0457a07)
  • correctly determine release to add to a channel (aec96c7)
  • correctly handle skipped releases (89663d3)
  • display erroring git commands properly (1edae67)
  • do not call addChannelfor 2 merged branches configured with the same channel (4aad9cd)
  • do not create tags in dry-run mode for released to add to a channel (97748c5)
  • fetch all release branches on CI (b729183)
  • fix branch type regexp to handle version with multiple digits (52ca0b3)
  • fix maintenance branch regex (a022996)
  • fix range regexp to handle version with multiple digits (9a04e64)
  • handle branch properties set to false (751a5f1)
  • harmonize parameters passed to getError (f96c660)
  • ignore lasst release only if pre-release on the same channel as current branch (990e85f)
  • increase next version on prerelease branch based on highest commit type (9ecc7a3)
  • look also for previous prerelease versions to determine the next one (9772563)
  • modify fetch function to handle CircleCI specifics (cbef9d1)
  • on maintenance branch add to channel only version >= to start range (c22ae17)
  • remove confusing logs when searching for releases to add to a channel (162b4b9)
  • remove hack to workaround GitHub Rebase & Merge (844e0b0)
  • remove unnecessary await (9a1af4d)
  • simplify get-tags algorithm (00420a8)
  • throws error if the commit associated with a tag cannot be found (1317348)
  • update plugin versions (0785a84)
  • update plugins dependencies (9890584)
  • verify is branch is up to date by comparing remote and local HEAD (a8747c4)
  • remove unnecessary branch parameter from push function (968b996)
  • revert to the correct refspec in fetch function (9948a74)
  • update plugins dependencies (73f0c77)
  • repositoryUrl: on beta repositoryUrl needs auth for pre-release flows (#​1186) (3610422)

v15.14.0

Compare Source

Features
  • pass envi-ci values to plugins context (a8c747d)

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from cbb778e to 6486689 Compare February 15, 2021 12:14
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 8cdf8fc to 1757576 Compare March 1, 2021 12:25
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 1757576 to a16ece3 Compare March 8, 2021 12:38
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 40267ec to d0e9b09 Compare March 22, 2021 12:09
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from d0e9b09 to 404f713 Compare April 5, 2021 09:55
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 93299d0 to da08e11 Compare April 12, 2021 17:48
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from da08e11 to b087ad2 Compare April 26, 2021 10:24
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from b087ad2 to 7b1ab18 Compare May 3, 2021 10:59
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 7b1ab18 to 382a58e Compare May 10, 2021 11:20
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 1be706b to 84fba67 Compare May 31, 2021 10:50
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 84fba67 to 1c57149 Compare June 7, 2021 08:23
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 7059c56 to 2e945f6 Compare June 21, 2021 09:01
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 62df948 to e6aadff Compare July 5, 2021 08:33
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from e6aadff to ff481fa Compare July 12, 2021 08:27
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 451aad7 to 7c1b390 Compare July 26, 2021 08:50
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 7c1b390 to 5b3092e Compare August 2, 2021 09:00
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 3 times, most recently from 3f17ef1 to 3269ded Compare August 16, 2021 09:23
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 3269ded to fe3c8e1 Compare August 23, 2021 10:16
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 76826c7 to 193c2fd Compare September 6, 2021 10:07
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 79999b7 to b6048ed Compare December 19, 2022 11:40
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 91420b9 to b30f2e2 Compare December 26, 2022 12:12
@renovate renovate bot changed the title chore(deps): semantic-release [security] chore(deps): semantic-release [security] - autoclosed Jan 1, 2023
@renovate renovate bot closed this Jan 1, 2023
@renovate renovate bot deleted the renovate/npm-semantic-release-vulnerability branch January 1, 2023 02:22
@renovate renovate bot changed the title chore(deps): semantic-release [security] - autoclosed chore(deps): semantic-release [security] Jan 1, 2023
@renovate renovate bot reopened this Jan 1, 2023
@renovate renovate bot restored the renovate/npm-semantic-release-vulnerability branch January 1, 2023 05:43
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from b30f2e2 to 485d339 Compare January 2, 2023 13:08
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from 45a048f to 83f290c Compare January 16, 2023 13:33
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 83f290c to e8b34c2 Compare January 23, 2023 13:42
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from e8b34c2 to 6b31df9 Compare January 30, 2023 15:39
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 6b31df9 to 15d55ed Compare February 13, 2023 11:46
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 3 times, most recently from 83445fc to f5879c1 Compare February 27, 2023 11:46
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from f5879c1 to 7f5ab6e Compare March 7, 2023 04:34
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 7f5ab6e to 877b1cf Compare March 20, 2023 12:21
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 3 times, most recently from 40730e3 to ed9c585 Compare April 10, 2023 13:45
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch 2 times, most recently from a1d3a91 to 8e621af Compare April 24, 2023 11:54
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 8e621af to 03dda6b Compare May 1, 2023 09:18
@renovate renovate bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 03dda6b to 89fdec5 Compare May 15, 2023 10:04
@renovate
Copy link
Contributor Author

renovate bot commented May 15, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
warning semantic-release > @semantic-release/npm > npm > @npmcli/ci-detect@3.0.2: this package has been deprecated, use `ci-info` instead
warning semantic-release > @semantic-release/npm > npm > readdir-scoped-modules@1.1.0: This functionality has been moved to @npmcli/fs
warning semantic-release > @semantic-release/npm > npm > node-gyp > make-fetch-happen > cacache > @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
error Couldn't find package "@npmcli/package-json@^3.0.0" required by "@npmcli/arborist@*" on the "npm" registry.
Error: Couldn't find package "@npmcli/package-json@*" required by "npm@^7.0.0" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error: Couldn't find package "@npmcli/run-script@*" required by "npm@^7.0.0" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error: Couldn't find package "@npmcli/run-script@^6.0.0" required by "@npmcli/arborist@*" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error: Couldn't find package "@npmcli/run-script@^6.0.0" required by "libnpmexec@*" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error: Couldn't find package "@npmcli/run-script@^6.0.0" required by "libnpmversion@*" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error: Couldn't find package "@npmcli/run-script@^6.0.0" required by "libnpmpack@*" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error: Couldn't find package "@npmcli/run-script@^6.0.0" required by "pacote@*" on the "npm" registry.
    at MessageError.ExtendableBuiltin (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:721:66)
    at new MessageError (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:750:123)
    at PackageRequest.<anonymous> (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:36590:17)
    at Generator.throw (<anonymous>)
    at step (/opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:310:30)
    at /opt/buildpack/tools/yarn-slim/1.22.19/lib/node_modules/yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants