Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.
Patches
Fixed in v17.2.3
Workarounds
Secrets that do not contain characters that become encoded when included in a URL are already masked properly.
Release Notes
semantic-release/semantic-release (semantic-release)
### [`v17.2.3`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.3)
[Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.2.2...v17.2.3)
##### Bug Fixes
- mask secrets when characters get uri encoded ([ca90b34](https://togithub.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a))
### [`v17.2.2`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.2)
[Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.2.1...v17.2.2)
##### Bug Fixes
- don't parse port as part of the path in repository URLs ([#1671](https://togithub.com/semantic-release/semantic-release/issues/1671)) ([77a75f0](https://togithub.com/semantic-release/semantic-release/commit/77a75f072bc257b27904408dbea5ae5ccae2b6ab))
- use valid git credentials when multiple are provided ([#1669](https://togithub.com/semantic-release/semantic-release/issues/1669)) ([2bf3771](https://togithub.com/semantic-release/semantic-release/commit/2bf377194efc6b4f13b6bc6cd9272b935f64793e))
### [`v17.2.1`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.1)
[Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.2.0...v17.2.1)
##### Reverts
- Revert "feat: throw an Error if package.json has duplicate "repository" key ([#1656](https://togithub.com/semantic-release/semantic-release/issues/1656))" ([3abcbaf](https://togithub.com/semantic-release/semantic-release/commit/3abcbaf2561a208180a1f8eddc1d8a5c1006fe48)), closes [#1656](https://togithub.com/semantic-release/semantic-release/issues/1656) [#1657](https://togithub.com/semantic-release/semantic-release/issues/1657)
### [`v17.2.0`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.0)
[Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.1.2...v17.2.0)
##### Features
- throw an Error if package.json has duplicate "repository" key ([#1656](https://togithub.com/semantic-release/semantic-release/issues/1656)) ([b8fb35c](https://togithub.com/semantic-release/semantic-release/commit/b8fb35c7e15d314c15182f779ef30b42b6c4e7ea))
### [`v17.1.2`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.1.2)
[Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.1.1...v17.1.2)
##### Bug Fixes
- add logging for when ssh falls back to http ([#1639](https://togithub.com/semantic-release/semantic-release/issues/1639)) ([b4c5d0a](https://togithub.com/semantic-release/semantic-release/commit/b4c5d0a436fa5a4e98d8326f0512fa8a2f1f4f67))
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
17.1.1->17.2.3GitHub Vulnerability Alerts
CVE-2020-26226
Impact
Secrets that would normally be masked by
semantic-releasecan be accidentally disclosed if they contain characters that become encoded when included in a URL.Patches
Fixed in v17.2.3
Workarounds
Secrets that do not contain characters that become encoded when included in a URL are already masked properly.
Release Notes
semantic-release/semantic-release (semantic-release)
### [`v17.2.3`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.3) [Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.2.2...v17.2.3) ##### Bug Fixes - mask secrets when characters get uri encoded ([ca90b34](https://togithub.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a)) ### [`v17.2.2`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.2) [Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.2.1...v17.2.2) ##### Bug Fixes - don't parse port as part of the path in repository URLs ([#1671](https://togithub.com/semantic-release/semantic-release/issues/1671)) ([77a75f0](https://togithub.com/semantic-release/semantic-release/commit/77a75f072bc257b27904408dbea5ae5ccae2b6ab)) - use valid git credentials when multiple are provided ([#1669](https://togithub.com/semantic-release/semantic-release/issues/1669)) ([2bf3771](https://togithub.com/semantic-release/semantic-release/commit/2bf377194efc6b4f13b6bc6cd9272b935f64793e)) ### [`v17.2.1`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.1) [Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.2.0...v17.2.1) ##### Reverts - Revert "feat: throw an Error if package.json has duplicate "repository" key ([#1656](https://togithub.com/semantic-release/semantic-release/issues/1656))" ([3abcbaf](https://togithub.com/semantic-release/semantic-release/commit/3abcbaf2561a208180a1f8eddc1d8a5c1006fe48)), closes [#1656](https://togithub.com/semantic-release/semantic-release/issues/1656) [#1657](https://togithub.com/semantic-release/semantic-release/issues/1657) ### [`v17.2.0`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.2.0) [Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.1.2...v17.2.0) ##### Features - throw an Error if package.json has duplicate "repository" key ([#1656](https://togithub.com/semantic-release/semantic-release/issues/1656)) ([b8fb35c](https://togithub.com/semantic-release/semantic-release/commit/b8fb35c7e15d314c15182f779ef30b42b6c4e7ea)) ### [`v17.1.2`](https://togithub.com/semantic-release/semantic-release/releases/tag/v17.1.2) [Compare Source](https://togithub.com/semantic-release/semantic-release/compare/v17.1.1...v17.1.2) ##### Bug Fixes - add logging for when ssh falls back to http ([#1639](https://togithub.com/semantic-release/semantic-release/issues/1639)) ([b4c5d0a](https://togithub.com/semantic-release/semantic-release/commit/b4c5d0a436fa5a4e98d8326f0512fa8a2f1f4f67))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.