Bump @typescript-eslint/eslint-plugin from 4.16.1 to 6.15.0 in /research-hub-web#446
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 4.16.1 to 6.15.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.15.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependabot tried to add 1808c3d to aae9d0a
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
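Review bot: `run: npm ci --force` (Install Node.js dependencies step) suppresses the peer-dependency conflicts npm would otherwise fail on, and a 4.16.1 to 6.15.0 bump of @typescript-eslint/eslint-plugin is exactly where one appears, since the plugin expects a matching major of @typescript-eslint/parser; drop `--force` so the lint job fails on an inconsistent tree instead of linting with a mismatched parser, and bump the parser in the same PR. Separately, `actions/checkout@v2` and `actions/setup-node@v1` are superseded majors; move to current majors pinned by commit SHA.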
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI, about 1 month ago):
In general, the fix is to add a permissions block that restricts the GITHUB_TOKEN to the minimal scopes needed. For a simple linting workflow that only checks out code and runs linters, contents: read is typically sufficient, and can be set either at the workflow root (applies to all jobs) or within the specific job.
The best minimally invasive fix here is to add a workflow-level permissions section just after the on: block and before jobs:. This will apply to run-linters (and any future jobs) without changing functionality. We will set contents: read, which is enough for actions/checkout to pull the repository contents and does not allow write operations. Concretely, in .github/workflows/linting.yml, we will insert:
```yaml
permissions:
  contents: read
```

between the existing trigger configuration (on: ...) and the jobs: section. No imports or additional methods are needed, as this is purely a YAML configuration change.
| @@ -10,6 +10,9 @@ | ||
| branches: | ||
| - master | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| run-linters: | ||
| name: Run linters |
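Review bot: a workflow-level `permissions: contents: read` is the right scope for a lint-only workflow, and it now overrides the repository default for every job in the file, so confirm that nothing here (or added later) needs check-run or pull-request write access, e.g. a lint annotator; if something does, grant that scope at job level rather than widening the block. Also verify that `permissions:` sits at the same indentation as `jobs:` in the committed file; the rendering here drops leading whitespace.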
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
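Review bot: `run: echo ::set-output name=branch::...` (Get Branch step) uses the deprecated workflow-command form; write `echo "branch=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"` instead. The Output Branch step interpolates `${{ steps.var.outputs.branch }}` directly into a `run:` script, where it is substituted before the shell parses the line; pass it through `env:` (e.g. `BRANCH: ${{ steps.var.outputs.branch }}` and `echo "$BRANCH"`) so ref names never reach the shell as code. Note also that `${GITHUB_REF#refs/*/}` strips `refs/tags/` as well as `refs/heads/`, so a tag push would be reported to Sentry as an environment named after the tag.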
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Copilot Autofix (AI, about 1 month ago):
In general, to fix this issue you add an explicit permissions block either at the root of the workflow (affecting all jobs that don’t override it) or inside the specific job, and set the minimal scopes required. For a workflow that only needs to read the repository and then talk to an external service (Sentry) using its own token, contents: read is typically sufficient.
For this specific workflow, the simplest safe fix without changing existing functionality is to add a permissions block under the sentry-release job, since only that job exists. The steps performed are checking out the repository and then running the Sentry release action, which reads from the repo. There’s no indication it needs to push commits/tags or otherwise modify GitHub resources, so we can restrict the job’s GITHUB_TOKEN to read-only repository contents. Concretely, in .github/workflows/sentry.yml, add:
```yaml
permissions:
  contents: read
```

directly under runs-on: ubuntu-latest for the sentry-release job, keeping indentation consistent. No imports or additional methods are needed, as this is purely a configuration change in the workflow YAML.
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
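Review bot: job-level `permissions` is correct for the single `sentry-release` job, but it leaves the repository default token in force for any job added to this file later; the workflow-level form used in linting.yml is the more durable default. Functionally nothing changes either way: the Notify Sentry step authenticates with `SENTRY_AUTH_TOKEN`, not `GITHUB_TOKEN`.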
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
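Review bot: `uses: getsentry/action-release@v1.1.6` (and `actions/checkout@v2` above) reference mutable tags, and this step receives `SENTRY_AUTH_TOKEN`; pin to the full commit SHA of the release with the tag in a trailing comment, e.g. `uses: getsentry/action-release@<commit-sha> # v1.1.6`, so a re-pointed tag cannot change the code that handles the token, and let Dependabot's github-actions ecosystem keep the SHA current.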
Check warning: Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium)
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning: Code scanning / CodeQL: Log injection (Medium)

Copilot Autofix (AI, about 1 month ago):
In general, to fix log injection when logging user-controlled data, sanitize the data before logging by removing or encoding characters that can alter log structure (at minimum \n and \r for plain text logs). It is also helpful to clearly delimit user input in log messages.
For this specific case, we should avoid logging event.body raw. Instead, derive a sanitized version of the body that strips carriage returns and newlines before interpolation. Because we should not change existing functionality, we will only change the logging line and not how event.body is parsed or used later. A minimal and effective fix is to compute safeBody from event.body using a simple String conversion and replace to remove \r and \n, then log that value. This preserves the intent (“log what was received”) while mitigating log forging. No new dependencies or imports are required; we can rely on built‑in String.prototype.replace.
Concretely, in hub-search-proxy/handler.js around line 53, replace:

```javascript
console.log(`Received query: ${event.body}`);
const requestBody = JSON.parse(event.body);
```

with:

```javascript
const safeBody = String(event.body).replace(/[\r\n]+/g, '');
console.log(`Received query: ${safeBody}`);
const requestBody = JSON.parse(event.body);
```

This ensures only the log output is sanitized; the actual request parsing behavior is unchanged.
| @@ -50,10 +50,10 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const safeBody = String(event.body).replace(/[\r\n]+/g, ''); | ||
| console.log(`Received query: ${safeBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; | ||
| let from = 0; | ||
| let queryFilters = {}; | ||
| let queryFiltersCount = 0; |
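Review bot: the replacement line only strips CR and LF, so other control characters (ESC sequences, backspace, DEL) still reach the log, and the body length is unbounded; `JSON.stringify(event.body)` would escape every control character and delimit the value in one call, which matters when the log is read back by CloudWatch-style tooling. The log call also still runs before `JSON.parse(event.body)` inside the `try`, so a malformed or oversized body is written to the log in full before being rejected; log after a successful parse, or log only the body length, if the raw contents are not actually needed. `context` is unused in the signature shown.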
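The log-injection autofix above removes CR and LF from `event.body` before logging it. The following is an added example, my own code rather than anything from this PR or from hub-search-proxy, showing the same idea carried a step further: the untrusted value is escaped, delimited and length-capped with `JSON.stringify`, so every control character (not only line breaks) is neutralised, and the sample body is constructed to show why the raw `console.log` line is the thing to fix even though `JSON.parse` would reject the body anyway. The handler shape (`event.body`) mirrors the Lambda snippet in the hunk; the function names and the sample body are assumptions.

```javascript
// Added example (not code from this PR or from hub-search-proxy): neutralise a
// user-controlled request body before interpolating it into a plain-text log
// line. `event.body` mirrors the Lambda handler shape shown in the hunk; the
// function names and the sample body below are my own.

// Escape, delimit and bound an untrusted value for a text log. JSON.stringify
// escapes every C0 control character (\n, \r, \u001b, ...) and wraps the value
// in quotes, so a reader can see exactly where the untrusted data ends.
// DEL (0x7f) is not a JSON escape, so it is handled explicitly.
function sanitizeForLog(value, maxLen = 256) {
  let s = String(value); // null/undefined/objects become their string form
  if (s.length > maxLen) {
    const dropped = s.length - maxLen;
    s = `${s.slice(0, maxLen)}...[truncated ${dropped} chars]`;
  }
  return JSON.stringify(s).replace(/\u007f/g, '\\u007f');
}

// The line as it stood before the autofix: a body containing "\n" starts a
// second, caller-chosen record in the log.
function rawLogLine(body) {
  return `Received query: ${body}`;
}

// The hardened line. Same intent as the autofix (log what was received), but
// every control character, not only CR/LF, is neutralised and length is capped.
function safeLogLine(body) {
  return `Received query: ${sanitizeForLog(body)}`;
}

// Parsing is untouched by the sanitisation, exactly as the autofix intends.
// Returns null instead of throwing so callers can decide how to respond.
function parseQueryOrNull(body) {
  try {
    return JSON.parse(body);
  } catch (err) {
    return null;
  }
}

// Constructed sample: a well-formed query followed by a line break and a fake
// record. JSON.parse rejects the whole thing, but the raw log line has already
// been written by then, which is why the log call is what needs fixing.
const CONSTRUCTED_BODY =
  '{"query":"covid"}\nINFO  search completed: 0 results';

// Demonstration when run directly with `node`.
console.log(rawLogLine(CONSTRUCTED_BODY));       // prints two lines
console.log(safeLogLine(CONSTRUCTED_BODY));      // prints one line
console.log(parseQueryOrNull(CONSTRUCTED_BODY)); // null
```

The cap on length is worth keeping even if the project settles on the simpler CR/LF strip: a proxy that echoes arbitrarily large bodies into its log is an easy way to inflate log storage, and the truncation marker records that it happened.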
Bumps @typescript-eslint/eslint-plugin from 4.16.1 to 6.15.0.

Release notes: sourced from @typescript-eslint/eslint-plugin's releases (truncated).

Changelog: sourced from @typescript-eslint/eslint-plugin's changelog (truncated).

Commits:
- 6128a02 chore: publish v6.15.0
- f5e712b docs(eslint-plugin): [require-array-sort-compare] generalize sort method name...
- e6d49e4 docs(eslint-plugin): [require-array-sort-compare] sync rule description (#8061)
- ff75785 feat(eslint-plugin): [no-useless-template-literals] add new rule (#7957)
- c9661c8 feat: require-array-sort-compare + toSorted (#8052)
- 7ec3022 test(eslint-plugin): include disable-type-checked.tsconfig in configs test...
- 3175843 docs(eslint-plugin): simplify a sentence in no-misused-promises.md (#8050)
- c7d702f chore: publish v6.14.0
- 431cd15 fix(eslint-plugin): add no-unsafe-unary-minus, prefer-destructuring to disabl...
- 705370a fix(eslint-plugin): correct message for no-unsafe-unary-minus (#7998)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)