chore(deps): semantic-release [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semantic-release	15.13.3 -> 17.2.3

GitHub Vulnerability Alerts

CVE-2020-26226

Impact

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.

Patches

Fixed in v17.2.3

Workarounds

Secrets that do not contain characters that become encoded when included in a URL are already masked properly.

---

Release Notes

semantic-release/semantic-release (semantic-release)

v17.2.3

Compare Source

Bug Fixes

• mask secrets when characters get uri encoded (ca90b34)

v17.2.2

Compare Source

Bug Fixes

• don't parse port as part of the path in repository URLs (#​1671) (77a75f0)
• use valid git credentials when multiple are provided (#​1669) (2bf3771)

v17.2.1

Compare Source

Reverts

• Revert "feat: throw an Error if package.json has duplicate "repository" key (#​1656)" (3abcbaf), closes #​1656 #​1657

v17.2.0

Compare Source

Features

• throw an Error if package.json has duplicate "repository" key (#​1656) (b8fb35c)

v17.1.2

Compare Source

Bug Fixes

• add logging for when ssh falls back to http (#​1639) (b4c5d0a)

v17.1.1

Compare Source

Bug Fixes

• use correct ci branch context (#​1521) (0f0c650)

v17.1.0

Compare Source

Features

• bitbucket-basic-auth: support for bitbucket server basic auth (#​1578) (a465801)

v17.0.8

Compare Source

Bug Fixes

• prevent false positive secret replacement for Golang projects (#​1562) (eed1d3c)

v17.0.7

Compare Source

Bug Fixes

• package: update marked to version 1.0.0 (#​1534) (d64db31)

v17.0.6

Compare Source

Bug Fixes

• adapt for semver to version 7.3.2 (part II) (#​1530) (431d571)

v17.0.5

Compare Source

Bug Fixes

• adapt for semver to version 7.3.2 (0363790)

v17.0.4

Compare Source

Bug Fixes

• add repositoryUrl in logs (55be0ba)

v17.0.3

Compare Source

Bug Fixes

• pass a branch name to getGitAuthUrl (e7bede1)

v17.0.2

Compare Source

Bug Fixes

• package: update marked-terminal to version 4.0.0 (8ce2d6e)

v17.0.1

Compare Source

Bug Fixes

• package: update @​semantic-release/commit-analyzer to version 8.0.0 (45695b9)
• package: update @​semantic-release/github to version 7.0.0 (c48bd3a)
• package: update @​semantic-release/npm to version 7.0.0 (f2b5826)
• package: update @​semantic-release/release-notes-generator to version 9.0.0 (3c7b114)

v17.0.0

Compare Source

BREAKING CHANGES

• Require Node.js >= 10.18

v16.0.4

Compare Source

Bug Fixes

• correct error when remote repository has no branches (c6b1076)

v16.0.3

Compare Source

Bug Fixes

• use --no-verify when testing the Git permissions (b54b20d)

v16.0.2

Compare Source

Bug Fixes

• fetch tags on repo cached by the CI (6b5b02e)

v16.0.1

Compare Source

Bug Fixes

• package: update env-ci to version 5.0.0 (3739ab5)

v16.0.0

Compare Source

BREAKING CHANGES

• ⚠️ For v16.0.0@​beta users only:

  In v16, a JSON object stored in a Git note is used to keep track of the channels on which a version has been released, the @{channel} suffix is no longer necessary.

  The tags formatted as v{version}@​{channel} will now be ignored. If you have releases using this format you will have to upgrade them:

  • Find all the versions that have been released on a branch other than the default one by searching for all tags formatted as v{version}@​{channel}
  • For each of those version:
    • Create a tag without the {@​channel} if none doesn't already exists
    • Add a Git note to the tag without the {@​channel} containing the channels on which the version was released formatted as {"channels":["channel1","channel2"]} and using null for the default channel (for example.{"channels":[null,"channel1","channel2"]})
    • Push the tags and notes
    • Update the GitHub releases that refer to a tag formatted as v{version}@​{channel} to use the tag without it
    • Delete the tags formatted as v{version}@​{channel}

• Require Node.js >= 10.13

• Git CLI version 2.7.1 or higher is now required: The --merge option of the git tag command has been added in Git version 2.7.1 and is now used by semantic-release

• Regexp are not supported anymore for property matching in the releaseRules option.

  Regex are replaced by globs. For example /core-.*/ should be changed to 'core-*'.

• The branch option has been removed in favor of branches

• The new branches option expect either an Array or a single branch definition. To migrate your configuration:

  • If you want to publish package from multiple branches, please see the configuration documentation
  • If you use the default configuration and want to publish only from master: nothing to change
  • If you use the branch configuration and want to publish only from one branch: replace branch with branches ("branch": "my-release-branch" => "branches": "my-release-branch")

Features

• allow addChannel plugins to return false in order to signify no release was done (e1c7269)
• allow publish plugins to return false in order to signify no release was done (47484f5)
• allow to release any version on a branch if up to date with next branch (916c268)
• support multiple branches and distribution channels (7b40524)
• use Git notes to store the channels on which a version has been released (b2c1b2c)
• package: update @​semantic-release/commit-analyzer to version 7.0.0 (e63e753)

Performance Improvements

• use git tag --merge <branch> to filter tags present in a branch history (cffe9a8)

Bug Fixes

• add channel to publish success log (5744c5e)
• add a flag indicate which branch is the main one (2caafba)
• Add helpful detail to ERELEASEBRANCHES error message (#​1188) (37bcc9e)
• allow multiple branches with same channel (63f51ae)
• allow to set ci option via API and config file (2faff26)
• call getTagHead only when necessary (de77a79)
• call success plugin only once for releases added to a channel (9a023b4)
• correct log when adding channel to tag (61665be)
• correctly determine next pre-release version (0457a07)
• correctly determine release to add to a channel (aec96c7)
• correctly handle skipped releases (89663d3)
• display erroring git commands properly (1edae67)
• do not call addChannelfor 2 merged branches configured with the same channel (4aad9cd)
• do not create tags in dry-run mode for released to add to a channel (97748c5)
• fetch all release branches on CI (b729183)
• fix branch type regexp to handle version with multiple digits (52ca0b3)
• fix maintenance branch regex (a022996)
• fix range regexp to handle version with multiple digits (9a04e64)
• handle branch properties set to false (751a5f1)
• harmonize parameters passed to getError (f96c660)
• ignore lasst release only if pre-release on the same channel as current branch (990e85f)
• increase next version on prerelease branch based on highest commit type (9ecc7a3)
• look also for previous prerelease versions to determine the next one (9772563)
• modify fetch function to handle CircleCI specifics (cbef9d1)
• on maintenance branch add to channel only version >= to start range (c22ae17)
• remove confusing logs when searching for releases to add to a channel (162b4b9)
• remove hack to workaround GitHub Rebase & Merge (844e0b0)
• remove unnecessary await (9a1af4d)
• simplify get-tags algorithm (00420a8)
• throws error if the commit associated with a tag cannot be found (1317348)
• update plugin versions (0785a84)
• update plugins dependencies (9890584)
• verify is branch is up to date by comparing remote and local HEAD (a8747c4)
• remove unnecessary branch parameter from push function (968b996)
• revert to the correct refspec in fetch function (9948a74)
• update plugins dependencies (73f0c77)
• repositoryUrl: on beta repositoryUrl needs auth for pre-release flows (#​1186) (3610422)

v15.14.0

Compare Source

Features

• pass envi-ci values to plugins context (a8c747d)

v15.13.32

Compare Source

Bug Fixes

• correctly display command that errored out in logs (fc7205d)

v15.13.31

Compare Source

Bug Fixes

• package: update yargs to version 15.0.1 (2c13136)

v15.13.30

Compare Source

Bug Fixes

• package: update cosmiconfig to version 6.0.0 (ffff100)

v15.13.29

Compare Source

Bug Fixes

• use authenticated URL to check if local branch is up to date (7a939a8)

v15.13.28

Compare Source

Bug Fixes

• package: update execa to version 3.2.0 (1693073)
• require Node.js >=8.16 (2f3d934)

v15.13.27

Compare Source

Bug Fixes

• ignore custom port when converting ssh repo URL to https (4af8548)

v15.13.26

Compare Source

Bug Fixes

• clarify message for EGITNOPERMISSION error (79d22a2)

v15.13.25

Compare Source

Bug Fixes

• package: update read-pkg-up to version 7.0.0 (0e24022)

v15.13.24

Compare Source

Reverts

• docs: broken link docs/03-recipes/travis.md (eea5de2)
• docs: cleaned "Developer guide" section navigation (3c4a0fb)
• docs: corrections and further clarifications (ce3d1bc)
• docs: made doc file org clearer and augmented content (5e41dc8)
• docs: note publishing on distribution channels in beta (54d8e3f)
• docs: repared broken links to "CI configuration recipes" (e00b6c8)
• docs: synched README.md and SUMMARY.md (e770c50)
• docs: update semantic-release-cli broken link (58aaf05)
• docs(contributing): added instructions on how to run gitbook locally (55c3616)
• docs(contributing): copy/pasted "Use gitbook locally" instruction from original url (c517c70)
• docs(recipes): cleaned doc and navigation (a6188d3)
• fix(definitions): Repository documentation links (95a9e89)

v15.13.23

Compare Source

Bug Fixes

• package: update yargs to version 14.0.0 (3c2fe35)

v15.13.22

Compare Source

Bug Fixes

• definitions: Repository documentation links (1eb3025)

v15.13.21

Compare Source

Bug Fixes

• package: update hosted-git-info to version 3.0.0 (391af98)

v15.13.20

Compare Source

Bug Fixes

• package: update dependency lodash to address security warnings (#​1253) (9a8a36c)

v15.13.19

Compare Source

Bug Fixes

• package: update marked to version 0.7.0 (75f0830)

v15.13.18

Compare Source

Bug Fixes

• revert to execa ^1.0.0 (6b3adf6)

v15.13.17

Compare Source

Bug Fixes

• package: update execa to version 2.0.0 (52c48be)

v15.13.16

Compare Source

Bug Fixes

• package: update env-ci to version 4.0.0 (8051294)

v15.13.15

Compare Source

Bug Fixes

• prefix git auth with "x-access-token:" when run in a GitHub Action (038e640)

v15.13.14

Compare Source

Bug Fixes

• package: update read-pkg-up to version 6.0.0 (74103ab)

v15.13.13

Compare Source

Bug Fixes

• package: update figures to version 3.0.0 (f4cf7c8)

v15.13.12

Compare Source

Bug Fixes

• package: update resolve-from to version 5.0.0 (6f3c21a)

v15.13.11

Compare Source

Bug Fixes

• package: update aggregate-error to version 3.0.0 (06fe435)

v15.13.10

Compare Source

Bug Fixes

• package: update semver to version 6.0.0 (d61e3bc)

v15.13.9

Compare Source

Bug Fixes

• package: update hook-std to version 2.0.0 (db3fc3e)

v15.13.8

Compare Source

Bug Fixes

• package: update read-pkg-up to version 5.0.0 (a90a103)

v15.13.7

Compare Source

Bug Fixes

• package: update p-reduce to version 2.0.0 (30723c5)

v15.13.6

Compare Source

Bug Fixes

• package: update get-stream to version 5.0.0 (0a584de)

v15.13.5

Compare Source

Bug Fixes

• package: update p-locate to version 4.0.0 (a5babc6)

v15.13.4

Compare Source

Bug Fixes

• package: update yargs to version 13.1.0 (aed4ea2)

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.