Open renovate[bot] opened 1 year ago
Pull request by bot. No need to analyze
🏷️ [bumpr] Next version:v1.14.1 Changes:v1.14.0...AlexRogalskiy:renovate/npm-semantic-release-vulnerability
Thanks for the PR!
This section of the codebase is owned by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.
You have successfully added a new Secrets Audit configuration .github/workflows/shiftleft-analysis.yml:Scan-Build. As part of the setup process, we have scanned this repository and found 425 existing alerts. Please check the repository Security tab to see all alerts.
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/lint-staged@10.5.4
This PR contains the following updates:

| Package | Change |
|---|---|
| [semantic-release](https://redirect.github.com/semantic-release/semantic-release) | `15.14.0` -> `17.2.3` |
### GitHub Vulnerability Alerts

#### CVE-2020-26226

##### Impact

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.

##### Patches

Fixed in v17.2.3

##### Workarounds

Secrets that do not contain characters that become encoded when included in a URL are already masked properly.
### Release Notes

semantic-release/semantic-release (semantic-release)

### [`v17.2.3`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.3)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.2.2...v17.2.3)

##### Bug Fixes

- mask secrets when characters get uri encoded ([ca90b34](https://redirect.github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a))

### [`v17.2.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.2.1...v17.2.2)

##### Bug Fixes

- don't parse port as part of the path in repository URLs ([#1671](https://redirect.github.com/semantic-release/semantic-release/issues/1671)) ([77a75f0](https://redirect.github.com/semantic-release/semantic-release/commit/77a75f072bc257b27904408dbea5ae5ccae2b6ab))
- use valid git credentials when multiple are provided ([#1669](https://redirect.github.com/semantic-release/semantic-release/issues/1669)) ([2bf3771](https://redirect.github.com/semantic-release/semantic-release/commit/2bf377194efc6b4f13b6bc6cd9272b935f64793e))

### [`v17.2.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.2.0...v17.2.1)

##### Reverts

- Revert "feat: throw an Error if package.json has duplicate "repository" key ([#1656](https://redirect.github.com/semantic-release/semantic-release/issues/1656))" ([3abcbaf](https://redirect.github.com/semantic-release/semantic-release/commit/3abcbaf2561a208180a1f8eddc1d8a5c1006fe48)), closes [#1656](https://redirect.github.com/semantic-release/semantic-release/issues/1656) [#1657](https://redirect.github.com/semantic-release/semantic-release/issues/1657)

### [`v17.2.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.2.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.1.2...v17.2.0)

##### Features

- throw an Error if package.json has duplicate "repository" key ([#1656](https://redirect.github.com/semantic-release/semantic-release/issues/1656)) ([b8fb35c](https://redirect.github.com/semantic-release/semantic-release/commit/b8fb35c7e15d314c15182f779ef30b42b6c4e7ea))

### [`v17.1.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.1.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.1.1...v17.1.2)

##### Bug Fixes

- add logging for when ssh falls back to http ([#1639](https://redirect.github.com/semantic-release/semantic-release/issues/1639)) ([b4c5d0a](https://redirect.github.com/semantic-release/semantic-release/commit/b4c5d0a436fa5a4e98d8326f0512fa8a2f1f4f67))

### [`v17.1.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.1.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.1.0...v17.1.1)

##### Bug Fixes

- use correct ci branch context ([#1521](https://redirect.github.com/semantic-release/semantic-release/issues/1521)) ([0f0c650](https://redirect.github.com/semantic-release/semantic-release/commit/0f0c650b41764d1a3deb33631147c7ca0e39fe59))

### [`v17.1.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.1.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.8...v17.1.0)

##### Features

- **bitbucket-basic-auth:** support for bitbucket server basic auth ([#1578](https://redirect.github.com/semantic-release/semantic-release/issues/1578)) ([a465801](https://redirect.github.com/semantic-release/semantic-release/commit/a4658016d957a9a240051e51d77388f1345bd6ec))

### [`v17.0.8`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.8)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.7...v17.0.8)

##### Bug Fixes

- prevent false positive secret replacement for Golang projects ([#1562](https://redirect.github.com/semantic-release/semantic-release/issues/1562)) ([eed1d3c](https://redirect.github.com/semantic-release/semantic-release/commit/eed1d3c8cbab0ef05df39866c90ff74dff77dfa4))

### [`v17.0.7`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.7)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.6...v17.0.7)

##### Bug Fixes

- **package:** update marked to version 1.0.0 ([#1534](https://redirect.github.com/semantic-release/semantic-release/issues/1534)) ([d64db31](https://redirect.github.com/semantic-release/semantic-release/commit/d64db31e7670c394554246b9d686997c3e2c046b))

### [`v17.0.6`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.6)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.5...v17.0.6)

##### Bug Fixes

- adapt for semver to version 7.3.2 (part II) ([#1530](https://redirect.github.com/semantic-release/semantic-release/issues/1530)) ([431d571](https://redirect.github.com/semantic-release/semantic-release/commit/431d571a7b7284b2029a55da68a44c65d7c16451))

### [`v17.0.5`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.5)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.4...v17.0.5)

##### Bug Fixes

- adapt for semver to version 7.3.2 ([0363790](https://redirect.github.com/semantic-release/semantic-release/commit/0363790b8a5f91a8c95fc6905e3e20305db7c539))

### [`v17.0.4`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.4)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.3...v17.0.4)

##### Bug Fixes

- add `repositoryUrl` in logs ([55be0ba](https://redirect.github.com/semantic-release/semantic-release/commit/55be0ba2b1d8a5f7d817f0d4567be04170580028))

### [`v17.0.3`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.3)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.2...v17.0.3)

##### Bug Fixes

- pass a branch name to `getGitAuthUrl` ([e7bede1](https://redirect.github.com/semantic-release/semantic-release/commit/e7bede186649abb4dd19ed0e8c28c218523b8b19))

### [`v17.0.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.1...v17.0.2)

##### Bug Fixes

- **package:** update marked-terminal to version 4.0.0 ([8ce2d6e](https://redirect.github.com/semantic-release/semantic-release/commit/8ce2d6e834035980c3261f3b2a568279e601423c))

### [`v17.0.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v17.0.0...v17.0.1)

##### Bug Fixes

- **package:** update [@semantic-release/commit-analyzer](https://redirect.github.com/semantic-release/commit-analyzer) to version 8.0.0 ([45695b9](https://redirect.github.com/semantic-release/semantic-release/commit/45695b9183fa488f64e49e291b01c13b7f3319fb))
- **package:** update [@semantic-release/github](https://redirect.github.com/semantic-release/github) to version 7.0.0 ([c48bd3a](https://redirect.github.com/semantic-release/semantic-release/commit/c48bd3ac36561f137a7b7766c0308dd4e72cfad7))
- **package:** update [@semantic-release/npm](https://redirect.github.com/semantic-release/npm) to version 7.0.0 ([f2b5826](https://redirect.github.com/semantic-release/semantic-release/commit/f2b5826c0c57e32910f9257f932f51066a7f9421))
- **package:** update [@semantic-release/release-notes-generator](https://redirect.github.com/semantic-release/release-notes-generator) to version 9.0.0 ([3c7b114](https://redirect.github.com/semantic-release/semantic-release/commit/3c7b114eed8fc8b4d31e22c2dc69b7e8e6dca3cf))

### [`v17.0.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v17.0.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.4...v17.0.0)

##### BREAKING CHANGES

- Require Node.js >= 10.18

### [`v16.0.4`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.4)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.3...v16.0.4)

##### Bug Fixes

- correct error when remote repository has no branches ([c6b1076](https://redirect.github.com/semantic-release/semantic-release/commit/c6b10766a7c39b59164ffd14f5f5a503fa914f36))

### [`v16.0.3`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.3)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.2...v16.0.3)

##### Bug Fixes

- use `--no-verify` when testing the Git permissions ([b54b20d](https://redirect.github.com/semantic-release/semantic-release/commit/b54b20d4122bd4419cfbc35da1a475c1dd65721b))

### [`v16.0.2`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.2)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.1...v16.0.2)

##### Bug Fixes

- fetch tags on repo cached by the CI ([6b5b02e](https://redirect.github.com/semantic-release/semantic-release/commit/6b5b02ea755b74e1c2ea9a2dfff6576f5f15e870))

### [`v16.0.1`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.1)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v16.0.0...v16.0.1)

##### Bug Fixes

- **package:** update env-ci to version 5.0.0 ([3739ab5](https://redirect.github.com/semantic-release/semantic-release/commit/3739ab5f34454321aad2bf36f3a5ec03da004d33))

### [`v16.0.0`](https://redirect.github.com/semantic-release/semantic-release/releases/tag/v16.0.0)

[Compare Source](https://redirect.github.com/semantic-release/semantic-release/compare/v15.14.0...v16.0.0)

##### BREAKING CHANGES

- ⚠️ For `v16.0.0@beta` users only: In v16, a JSON object stored in a [Git note](https://git-scm.com/docs/git-notes) is used to keep track of the channels on which a version has been released; the `@{channel}` suffix is no longer necessary. Tags formatted as `v{version}@{channel}` will now be ignored. If you have releases using this format you will have to upgrade them:
  - Find all the versions that have been released on a branch other than the default one by searching for all tags formatted as `v{version}@{channel}`
  - For each of those versions:
    - Create a tag without the `{@channel}` if one does not already exist
    - Add a Git note to the tag without the `{@channel}` containing the channels on which the version was released, formatted as `{"channels":["channel1","channel2"]}` and using `null` for the default channel (for example `{"channels":[null,"channel1","channel2"]}`)
    - Push the tags and notes
    - Update the GitHub releases that refer to a tag formatted as `v{version}@{channel}` to use the tag without it
    - Delete the tags formatted as `v{version}@{channel}`
- Require Node.js >= 10.13
- Git CLI version 2.7.1 or higher is now required: the `--merge` option of the `git tag` command was added in Git version 2.7.1 and is now used by semantic-release
- Regexps are not supported anymore for property matching in the `releaseRules` option. Regexes are replaced by [globs](https://redirect.github.com/micromatch/micromatch#matching-features). For example `/core-.*/` should be changed to `'core-*'`.
- The `branch` option has been removed in favor of `branches`
- The new `branches` option expects either an Array or a single branch definition. To migrate your configuration:
  - If you want to publish packages from multiple branches, please see the configuration documentation
  - If you use the default configuration and want to publish only from `master`: nothing to change
  - If you use the `branch` configuration and want to publish only from one branch: replace `branch` with `branches` (`"branch": "my-release-branch"` => `"branches": "my-release-branch"`)

##### Features

- allow `addChannel` plugins to return `false` in order to signify no release was done ([e1c7269](https://redirect.github.com/semantic-release/semantic-release/commit/e1c7269cb3af0d84c28fd3c4a5ce61ae4b625924))
- allow `publish` plugins to return `false` in order to signify no release was done ([47484f5](https://redirect.github.com/semantic-release/semantic-release/commit/47484f5eb2fa330cbbbb03bffadba524ad642081))
- allow to release any version on a branch if up to date with next branch ([916c268](https://redirect.github.com/semantic-release/semantic-release/commit/916c2685c57f3490fb1e50afbf72ea8dce11e188))
- support multiple branches and distribution channels ([7b40524](https://redirect.github.com/semantic-release/semantic-release/commit/7b4052470b23261c9e679a17bff034da311fd894))
- use Git notes to store the channels on which a version has been released ([b2c1b2c](https://redirect.github.com/semantic-release/semantic-release/commit/b2c1b2c670f8f2dd4da71721ffb329c26e8d2cd7))
- **package:** update [@semantic-release/commit-analyzer](https://redirect.github.com/semantic-release/commit-analyzer) to version 7.0.0 ([e63e753](https://redirect.github.com/semantic-release/semantic-release/commit/e63e753cf09b2c3b51db00097bceade0893d3eaf))

##### Performance Improvements

- use `git tag --merge`

### Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
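The advisory in this PR (CVE-2020-26226) says secrets are disclosed when they contain characters that get encoded in a URL. The bug class is easy to reproduce: a masker that only knows the raw secret never sees the percent-encoded form that a tool prints when it embeds the token in an authenticated remote URL. The block below is an added example, not semantic-release's code and not the fix in commit ca90b34; it re-implements a naive masker beside a hardened one that also masks the `encodeURI` and `encodeURIComponent` forms of each secret. The environment variable names, values, the name filter, the `[secure]` placeholder and the 5-character minimum are all constructed assumptions. Two practitioner notes: the upgrade stops future leaks only, so any token that was ever printed percent-encoded into a retained CI log should be treated as exposed and rotated; and masking by value is best-effort, so the real control is keeping credentials out of log lines in the first place.

```javascript
// Added example, not semantic-release's own code: an illustrative secret
// masker for CI log output in a deliberately naive form beside a hardened
// form, showing the bug class behind CVE-2020-26226 (a secret that gets
// percent-encoded inside a URL slips past a masker that only knows the
// raw value). All names and values below are constructed.

const SECRET_REPLACEMENT = '[secure]';
const SECRET_MIN_SIZE = 5; // assumption: skip very short values to limit false positives

// Constructed sample CI environment. GH_TOKEN contains characters that
// change under percent-encoding; HOME is not a secret and must survive.
const SAMPLE_ENV = {
  GH_TOKEN: 'gh:tok/en+with spaces&symbols',
  NPM_TOKEN: 'plain-token-value',
  HOME: '/home/ci',
};

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Select values to mask by variable name, as release tooling typically does.
function secretValues(env) {
  return Object.keys(env)
    .filter((name) => /token|password|credential|secret|private/i.test(name))
    .map((name) => env[name])
    .filter((v) => typeof v === 'string' && v.trim().length >= SECRET_MIN_SIZE);
}

// Build a replacer that rewrites every occurrence of any pattern.
function buildMasker(patterns) {
  if (patterns.length === 0) return (output) => output;
  const re = new RegExp(patterns.map(escapeRegExp).join('|'), 'g');
  return (output) => (typeof output === 'string' ? output.replace(re, SECRET_REPLACEMENT) : output);
}

// Vulnerable form: masks only the literal secret value.
function makeNaiveMasker(env) {
  return buildMasker(secretValues(env));
}

// Hardened form: also masks the shapes the secret takes once URL-encoded.
function makeMasker(env) {
  const variants = new Set();
  for (const v of secretValues(env)) {
    variants.add(v);
    variants.add(encodeURI(v));          // space -> %20; ':' '/' '+' '&' kept
    variants.add(encodeURIComponent(v)); // ':' -> %3A, '/' -> %2F, '+' -> %2B, '&' -> %26
  }
  return buildMasker([...variants]);
}

// Constructed log line of the kind a release tool prints when it builds an
// authenticated remote URL: the token appears percent-encoded, not raw.
function sampleLogLine(env) {
  return (
    `Pushing to https://x-access-token:${encodeURIComponent(env.GH_TOKEN)}` +
    `@github.com/org/repo.git (npm auth ${env.NPM_TOKEN})`
  );
}

// True if any secret, raw or in either encoded form, is still readable.
function leaks(output, env) {
  return secretValues(env).some(
    (v) =>
      output.includes(v) ||
      output.includes(encodeURI(v)) ||
      output.includes(encodeURIComponent(v))
  );
}

const line = sampleLogLine(SAMPLE_ENV);
console.log('naive    :', makeNaiveMasker(SAMPLE_ENV)(line)); // encoded GH_TOKEN still readable
console.log('hardened :', makeMasker(SAMPLE_ENV)(line));      // both tokens replaced
```

Run it with `node` and compare the two lines: the naive output still shows `gh%3Atok%2Fen%2Bwith%20spaces%26symbols` in the URL's userinfo while the literal NPM token is masked, which is exactly the gap the advisory describes. The hardened masker adds both encoding variants because `encodeURI` and `encodeURIComponent` disagree on `:`, `/`, `+` and `&`, and a tool may use either when it assembles a URL.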