AlexRogalskiy / github-action-charts

📊 GitHub action to generate graph charts
https://github.com/marketplace/actions/graph-charts
GNU General Public License v3.0

:arrow_up: Updates semantic-release to v17 [SECURITY] #557

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semantic-release 15.14.0 -> 17.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-26226

Impact

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.

Patches

Fixed in v17.2.3

Workarounds

Secrets that do not contain characters that become encoded when included in a URL are already masked properly.


Release Notes

semantic-release/semantic-release (semantic-release)

### [`v17.2.3`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.3)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.2.2...v17.2.3)

##### Bug Fixes

- mask secrets when characters get uri encoded ([ca90b34](https://redirect.github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a))

### [`v17.2.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.2.1...v17.2.2)

##### Bug Fixes

- don't parse port as part of the path in repository URLs ([#1671](https://redirect.github.com/semantic-release/semantic-release/issues/1671)) ([77a75f0](https://redirect.github.com/semantic-release/semantic-release/commit/77a75f072bc257b27904408dbea5ae5ccae2b6ab))
- use valid git credentials when multiple are provided ([#1669](https://redirect.github.com/semantic-release/semantic-release/issues/1669)) ([2bf3771](https://redirect.github.com/semantic-release/semantic-release/commit/2bf377194efc6b4f13b6bc6cd9272b935f64793e))

### [`v17.2.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.2.0...v17.2.1)

##### Reverts

- Revert "feat: throw an Error if package.json has duplicate "repository" key ([#1656](https://redirect.github.com/semantic-release/semantic-release/issues/1656))" ([3abcbaf](https://redirect.github.com/semantic-release/semantic-release/commit/3abcbaf2561a208180a1f8eddc1d8a5c1006fe48)), closes [#1656](https://redirect.github.com/semantic-release/semantic-release/issues/1656) [#1657](https://redirect.github.com/semantic-release/semantic-release/issues/1657)

### [`v17.2.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.1.2...v17.2.0)

##### Features

- throw an Error if package.json has duplicate "repository" key ([#1656](https://redirect.github.com/semantic-release/semantic-release/issues/1656)) ([b8fb35c](https://redirect.github.com/semantic-release/semantic-release/commit/b8fb35c7e15d314c15182f779ef30b42b6c4e7ea))

### [`v17.1.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.1.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.1.1...v17.1.2)

##### Bug Fixes

- add logging for when ssh falls back to http ([#1639](https://redirect.github.com/semantic-release/semantic-release/issues/1639)) ([b4c5d0a](https://redirect.github.com/semantic-release/semantic-release/commit/b4c5d0a436fa5a4e98d8326f0512fa8a2f1f4f67))

### [`v17.1.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.1.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.1.0...v17.1.1)

##### Bug Fixes

- use correct ci branch context ([#1521](https://redirect.github.com/semantic-release/semantic-release/issues/1521)) ([0f0c650](https://redirect.github.com/semantic-release/semantic-release/commit/0f0c650b41764d1a3deb33631147c7ca0e39fe59))

### [`v17.1.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.1.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.8...v17.1.0)

##### Features

- **bitbucket-basic-auth:** support for bitbucket server basic auth ([#1578](https://redirect.github.com/semantic-release/semantic-release/issues/1578)) ([a465801](https://redirect.github.com/semantic-release/semantic-release/commit/a4658016d957a9a240051e51d77388f1345bd6ec))

### [`v17.0.8`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.8)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.7...v17.0.8)

##### Bug Fixes

- prevent false positive secret replacement for Golang projects ([#1562](https://redirect.github.com/semantic-release/semantic-release/issues/1562)) ([eed1d3c](https://redirect.github.com/semantic-release/semantic-release/commit/eed1d3c8cbab0ef05df39866c90ff74dff77dfa4))

### [`v17.0.7`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.7)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.6...v17.0.7)

##### Bug Fixes

- **package:** update marked to version 1.0.0 ([#1534](https://redirect.github.com/semantic-release/semantic-release/issues/1534)) ([d64db31](https://redirect.github.com/semantic-release/semantic-release/commit/d64db31e7670c394554246b9d686997c3e2c046b))

### [`v17.0.6`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.6)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.5...v17.0.6)

##### Bug Fixes

- adapt for semver to version 7.3.2 (part II) ([#1530](https://redirect.github.com/semantic-release/semantic-release/issues/1530)) ([431d571](https://redirect.github.com/semantic-release/semantic-release/commit/431d571a7b7284b2029a55da68a44c65d7c16451))

### [`v17.0.5`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.5)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.4...v17.0.5)

##### Bug Fixes

- adapt for semver to version 7.3.2 ([0363790](https://redirect.github.com/semantic-release/semantic-release/commit/0363790b8a5f91a8c95fc6905e3e20305db7c539))

### [`v17.0.4`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.4)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.3...v17.0.4)

##### Bug Fixes

- add `repositoryUrl` in logs ([55be0ba](https://redirect.github.com/semantic-release/semantic-release/commit/55be0ba2b1d8a5f7d817f0d4567be04170580028))

### [`v17.0.3`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.3)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.2...v17.0.3)

##### Bug Fixes

- pass a branch name to `getGitAuthUrl` ([e7bede1](https://redirect.github.com/semantic-release/semantic-release/commit/e7bede186649abb4dd19ed0e8c28c218523b8b19))

### [`v17.0.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.1...v17.0.2)

##### Bug Fixes

- **package:** update marked-terminal to version 4.0.0 ([8ce2d6e](https://redirect.github.com/semantic-release/semantic-release/commit/8ce2d6e834035980c3261f3b2a568279e601423c))

### [`v17.0.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.0...v17.0.1)

##### Bug Fixes

- **package:** update [@semantic-release/commit-analyzer](https://redirect.github.com/semantic-release/commit-analyzer) to version 8.0.0 ([45695b9](https://redirect.github.com/semantic-release/semantic-release/commit/45695b9183fa488f64e49e291b01c13b7f3319fb))
- **package:** update [@semantic-release/github](https://redirect.github.com/semantic-release/github) to version 7.0.0 ([c48bd3a](https://redirect.github.com/semantic-release/semantic-release/commit/c48bd3ac36561f137a7b7766c0308dd4e72cfad7))
- **package:** update [@semantic-release/npm](https://redirect.github.com/semantic-release/npm) to version 7.0.0 ([f2b5826](https://redirect.github.com/semantic-release/semantic-release/commit/f2b5826c0c57e32910f9257f932f51066a7f9421))
- **package:** update [@semantic-release/release-notes-generator](https://redirect.github.com/semantic-release/release-notes-generator) to version 9.0.0 ([3c7b114](https://redirect.github.com/semantic-release/semantic-release/commit/3c7b114eed8fc8b4d31e22c2dc69b7e8e6dca3cf))

### [`v17.0.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.4...v17.0.0)

##### BREAKING CHANGES

- Require Node.js >= 10.18

### [`v16.0.4`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.4)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.3...v16.0.4)

##### Bug Fixes

- correct error when remote repository has no branches ([c6b1076](https://redirect.github.com/semantic-release/semantic-release/commit/c6b10766a7c39b59164ffd14f5f5a503fa914f36))

### [`v16.0.3`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.3)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.2...v16.0.3)

##### Bug Fixes

- use `--no-verify` when testing the Git permissions ([b54b20d](https://redirect.github.com/semantic-release/semantic-release/commit/b54b20d4122bd4419cfbc35da1a475c1dd65721b))

### [`v16.0.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.1...v16.0.2)

##### Bug Fixes

- fetch tags on repo cached by the CI ([6b5b02e](https://redirect.github.com/semantic-release/semantic-release/commit/6b5b02ea755b74e1c2ea9a2dfff6576f5f15e870))

### [`v16.0.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.0...v16.0.1)

##### Bug Fixes

- **package:** update env-ci to version 5.0.0 ([3739ab5](https://redirect.github.com/semantic-release/semantic-release/commit/3739ab5f34454321aad2bf36f3a5ec03da004d33))

### [`v16.0.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v15.14.0...v16.0.0)

##### BREAKING CHANGES

- ⚠️ For `v16.0.0@beta` users only: In v16, a JSON object stored in a [Git note](https://git-scm.com/docs/git-notes) is used to keep track of the channels on which a version has been released, so the `@{channel}` suffix is no longer necessary. Tags formatted as `v{version}@{channel}` will now be ignored. If you have releases using this format you will have to upgrade them:
  - Find all the versions that have been released on a branch other than the default one by searching for all tags formatted as `v{version}@{channel}`
  - For each of those versions:
    - Create a tag without the `{@channel}` if none already exists
    - Add a Git note to the tag without the `{@channel}` containing the channels on which the version was released, formatted as `{"channels":["channel1","channel2"]}` and using `null` for the default channel (for example `{"channels":[null,"channel1","channel2"]}`)
    - Push the tags and notes
    - Update the GitHub releases that refer to a tag formatted as `v{version}@{channel}` to use the tag without it
    - Delete the tags formatted as `v{version}@{channel}`
- Require Node.js >= 10.13
- Git CLI version 2.7.1 or higher is now required: the `--merge` option of the `git tag` command was added in Git version 2.7.1 and is now used by semantic-release
- Regexps are not supported anymore for property matching in the `releaseRules` option. Regexes are replaced by [globs](https://redirect.github.com/micromatch/micromatch#matching-features). For example `/core-.*/` should be changed to `'core-*'`.
- The `branch` option has been removed in favor of `branches`
- The new `branches` option expects either an Array or a single branch definition. To migrate your configuration:
  - If you want to publish packages from multiple branches, please see the configuration documentation
  - If you use the default configuration and want to publish only from `master`: nothing to change
  - If you use the `branch` configuration and want to publish only from one branch: replace `branch` with `branches` (`"branch": "my-release-branch"` => `"branches": "my-release-branch"`)

##### Features

- allow `addChannel` plugins to return `false` in order to signify no release was done ([e1c7269](https://redirect.github.com/semantic-release/semantic-release/commit/e1c7269cb3af0d84c28fd3c4a5ce61ae4b625924))
- allow `publish` plugins to return `false` in order to signify no release was done ([47484f5](https://redirect.github.com/semantic-release/semantic-release/commit/47484f5eb2fa330cbbbb03bffadba524ad642081))
- allow to release any version on a branch if up to date with next branch ([916c268](https://redirect.github.com/semantic-release/semantic-release/commit/916c2685c57f3490fb1e50afbf72ea8dce11e188))
- support multiple branches and distribution channels ([7b40524](https://redirect.github.com/semantic-release/semantic-release/commit/7b4052470b23261c9e679a17bff034da311fd894))
- use Git notes to store the channels on which a version has been released ([b2c1b2c](https://redirect.github.com/semantic-release/semantic-release/commit/b2c1b2c670f8f2dd4da71721ffb329c26e8d2cd7))
- **package:** update [@semantic-release/commit-analyzer](https://redirect.github.com/semantic-release/commit-analyzer) to version 7.0.0 ([e63e753](https://redirect.github.com/semantic-release/semantic-release/commit/e63e753cf09b2c3b51db00097bceade0893d3eaf))

##### Performance Improvements

- use `git tag --merge` to filter tags present in a branch history ([cffe9a8](https://redirect.github.com/semantic-release/semantic-release/commit/cffe9a8d338f1d4be899fef4495504eda8a4031e))

##### Bug Fixes

- add `channel` to publish success log ([5744c5e](https://redirect.github.com/semantic-release/semantic-release/commit/5744c5ecd2025d2bda7983f6e225ade1dff0f00c))
- add a flag indicating which branch is the main one ([2caafba](https://redirect.github.com/semantic-release/semantic-release/commit/2caafbaa2be54330b5b3e6dd71dda0270b566663))
- Add helpful detail to `ERELEASEBRANCHES` error message ([#1188](https://redirect.github.com/semantic-release/semantic-release/issues/1188)) ([37bcc9e](https://redirect.github.com/semantic-release/semantic-release/commit/37bcc9e51536bccdfe47c6cbf911234a65b32787))
- allow multiple branches with same channel ([63f51ae](https://redirect.github.com/semantic-release/semantic-release/commit/63f51ae6ddfa824fa217ca196c4dd44915b80f2b))
- allow to set `ci` option via API and config file ([2faff26](https://redirect.github.com/semantic-release/semantic-release/commit/2faff2637f49e3caf6e08c5b0de5e53f99e29ac7))
- call `getTagHead` only when necessary ([de77a79](https://redirect.github.com/semantic-release/semantic-release/commit/de77a799a82cfe30aedc21dded61e39db2784a48))
- call `success` plugin only once for releases added to a channel ([9a023b4](https://redirect.github.com/semantic-release/semantic-release/commit/9a023b40883d5eb825a36c540c57f71713a670c0))
- correct log when adding channel to tag ([61665be](https://redirect.github.com/semantic-release/semantic-release/commit/61665be9ec7487c303509f19097f588d993ec155))
- correctly determine next pre-release version ([0457a07](https://redirect.github.com/semantic-release/semantic-release/commit/0457a074e7694ec95e4e8a24a27f15658a339489))
- correctly determine release to add to a channel ([aec96c7](https://redirect.github.com/semantic-release/semantic-release/commit/aec96c791f7413dace1bfdca08f7a5cd58cb0f5e))
- correctly handle skipped releases ([89663d3](https://redirect.github.com/semantic-release/semantic-release/commit/89663d3fcfed34923289b12d4b2b5c509f4db321))
- display erroring git commands properly ([1edae67](https://redirect.github.com/semantic-release/semantic-release/commit/1edae67326ecbb99d8b4be7e17a8ce4e14f439df))
- do not call `addChannel` for 2 merged branches configured with the same channel ([4aad9cd](https://redirect.github.com/semantic-release/semantic-release/commit/4aad9cd49031a849216e71a1ce358ad0668e4d54))
- do not create tags in dry-run mode for releases to add to a channel ([97748c5](https://redirect.github.com/semantic-release/semantic-release/commit/97748c5e257b158b61e7eab1ae737180d0238301))
- fetch all release branches on CI ([b729183](https://redirect.github.com/semantic-release/semantic-release/commit/b729183b4af2818c713634746628f68d06e3a8bc))
- fix branch type regexp to handle version with multiple digits ([52ca0b3](https://redirect.github.com/semantic-release/semantic-release/commit/52ca0b391ccd7e31df0f2d7a125efd38e1b71b79))
- fix maintenance branch regex ([a022996](https://redirect.github.com/semantic-release/semantic-release/commit/a0229962ceac2c9eb05499373c153c7b3dced382))
- fix range regexp to handle version with multiple digits ([9a04e64](https://redirect.github.com/semantic-release/semantic-release/commit/9a04e64fab3ac8d7c6ea203ff29acb6d73e25246))
- handle branch properties set to `false` ([751a5f1](https://redirect.github.com/semantic-release/semantic-release/commit/751a5f1349c6bf415f6eaae4631118f163e45b77))
- harmonize parameters passed to `getError` ([f96c660](https://redirect.github.com/semantic-release/semantic-release/commit/f96c660c1b22fec29d87965838ef1493b87de114))
- ignore last release only if pre-release on the same channel as current branch ([990e85f](https://redirect.github.com/semantic-release/semantic-release/commit/990e85f069d35d87b78292119f37e27b6031b56c))
- increase next version on prerelease branch based on highest commit type ([9ecc7a3](https://redirect.github.com/semantic-release/semantic-release/commit/9ecc7a369cc75e7745f8748593df856b85bdb0ea))
- look also for previous prerelease versions to determine the next one ([9772563](https://redirect.github.com/semantic-release/semantic-release/commit/9772563a22c4fd313eb8bbcdde948503ad1d3703))
- modify fetch function to handle CircleCI specifics ([cbef9d1](https://redirect.github.com/semantic-release/semantic-release/commit/cbef9d18da0f5dcaf22e6c7d8737442f954a9481))
- on maintenance branch add to channel only version >= to start range ([c22ae17](https://redirect.github.com/semantic-release/semantic-release/commit/c22ae17a9b10534ef87b66ae08a5c0c6d95e1269))
- remove confusing logs when searching for releases to add to a channel ([162b4b9](https://redirect.github.com/semantic-release/semantic-release/commit/162b4b9e3bea940c63014d045e80b8fc21227ac1))
- remove hack to workaround GitHub Rebase & Merge ([844e0b0](https://redirect.github.com/semantic-release/semantic-release/commit/844e0b07e04754c8185d9d88523c8afc236de02a))
- remove unnecessary `await` ([9a1af4d](https://redirect.github.com/semantic-release/semantic-release/commit/9a1af4de44c4548137bf438df8f4ca10a07af63e))
- simplify `get-tags` algorithm ([00420a8](https://redirect.github.com/semantic-release/semantic-release/commit/00420a83c0283e7b02a5385d78d0ec984120a852))
- throw error if the commit associated with a tag cannot be found ([1317348](https://redirect.github.com/semantic-release/semantic-release/commit/131734873e904176044767ad929b5f53579556f6))
- update plugin versions ([0785a84](https://redirect.github.com/semantic-release/semantic-release/commit/0785a844fa8ac1320383452ce531898be3b01f92))
- update plugins dependencies ([9890584](https://redirect.github.com/semantic-release/semantic-release/commit/989058400785e0a1eefd70158f677de3be5a578d))
- verify if branch is up to date by comparing remote and local HEAD ([a8747c4](https://redirect.github.com/semantic-release/semantic-release/commit/a8747c4f86a1947250aa86ab1869fb4bde10bb71))
- remove unnecessary `branch` parameter from `push` function ([968b996](https://redirect.github.com/semantic-release/semantic-release/commit/968b9968a1a4dba8c638be071d0af59205257279))
- revert to the correct refspec in fetch function ([9948a74](https://redirect.github.com/semantic-release/semantic-release/commit/9948a74347704b9a0bdd601ffc0ab08aaa4ae97a))
- update plugins dependencies ([73f0c77](https://redirect.github.com/semantic-release/semantic-release/commit/73f0c775daf1167a0577425bb06149b4c7e3819f))
- **repositoryUrl:** on beta repositoryUrl needs auth for pre-release flows ([#1186](https://redirect.github.com/semantic-release/semantic-release/issues/1186)) ([3610422](https://redirect.github.com/semantic-release/semantic-release/commit/36104229593c167e9086bc5fd8a533117ee3b579))

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
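As an added illustration of the masking defect described in the advisory above (example code written for this page, not semantic-release's own implementation): a masker built only from the raw secret misses the percent-encoded form that ends up in an authenticated git URL, while the hardened variant also registers the `encodeURI` and `encodeURIComponent` forms, which is what the v17.2.3 fix title ("mask secrets when characters get uri encoded") describes. The environment variable names, the sample token, the minimum secret length and the log line are all constructed for the example.

```javascript
// Added example (not semantic-release's code): secret masking must also cover
// URL-encoded forms of the secret, the defect behind CVE-2020-26226.
//
// A release tool embeds a token from the environment in a remote URL. When the
// token contains characters such as '@' or '/', the URL carries the
// percent-encoded token, so a mask built only from the raw value never matches.

const SECRET_REPLACEMENT = '[secure]';
const SECRET_MIN_SIZE = 5; // constructed: skip tiny values that would mask innocent text

// Escape regex metacharacters so each secret is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect values of environment variables whose names look like credentials.
function secretValues(env) {
  return Object.keys(env)
    .filter((name) => /token|password|credential|secret|private/i.test(name))
    .map((name) => String(env[name]).trim())
    .filter((value) => value.length >= SECRET_MIN_SIZE);
}

// Vulnerable variant: masks the raw secret only.
function makeMaskerRawOnly(env) {
  const values = secretValues(env);
  if (values.length === 0) return (out) => out;
  const re = new RegExp(values.map(escapeRegExp).join('|'), 'g');
  return (out) => (typeof out === 'string' ? out.replace(re, SECRET_REPLACEMENT) : out);
}

// Hardened variant: also masks the encodeURI and encodeURIComponent forms,
// since either may appear depending on how the URL was assembled.
function makeMasker(env) {
  const values = secretValues(env);
  if (values.length === 0) return (out) => out;
  const forms = new Set();
  for (const v of values) {
    forms.add(v);
    forms.add(encodeURI(v));
    forms.add(encodeURIComponent(v));
  }
  // Longest alternative first so a shorter form cannot leave a partial match.
  const alternatives = [...forms].sort((a, b) => b.length - a.length).map(escapeRegExp);
  const re = new RegExp(alternatives.join('|'), 'g');
  return (out) => (typeof out === 'string' ? out.replace(re, SECRET_REPLACEMENT) : out);
}

// Constructed sample: a token containing '@' and '/' and the push log line a
// tool might print after percent-encoding the token into the remote URL.
const SAMPLE_ENV = { GH_TOKEN: 'ghp_abc@123/xyz', HOME: '/home/ci' };
const SAMPLE_LOG =
  'Pushing to https://x-access-token:' + encodeURIComponent(SAMPLE_ENV.GH_TOKEN) +
  '@github.com/org/repo.git';

// Runs both maskers over the same log line; rawOnly still leaks the token.
function demo() {
  return {
    rawOnly: makeMaskerRawOnly(SAMPLE_ENV)(SAMPLE_LOG),
    hardened: makeMasker(SAMPLE_ENV)(SAMPLE_LOG),
  };
}

console.log(demo());
```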

viezly[bot] commented 1 year ago

Pull request by bot. No need to analyze

github-actions[bot] commented 1 year ago

🏷️ [bumpr] Next version:v1.14.1 Changes:v1.14.0...AlexRogalskiy:renovate/npm-semantic-release-vulnerability

github-actions[bot] commented 1 year ago

Thanks for the PR!

This section of the codebase is owned by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

github-advanced-security[bot] commented 1 year ago

You have successfully added a new Secrets Audit configuration .github/workflows/shiftleft-analysis.yml:Scan-Build. As part of the setup process, we have scanned this repository and found 425 existing alerts. Please check the repository Security tab to see all alerts.

socket-security[bot] commented 10 months ago

New and removed dependencies detected.

🚮 Removed packages: npm/lint-staged@10.5.4
