From 236e14664ba2a60c79777c085eed38c5be7a883a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Oct 2025 01:02:02 +0000 Subject: [PATCH 1/3] Bump semver from 7.7.2 to 7.7.3 Bumps [semver](https://github.com/npm/node-semver) from 7.7.2 to 7.7.3. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.7.2...v7.7.3) --- updated-dependencies: - dependency-name: semver dependency-version: 7.7.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index b3fcdc2..c555fa3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,7 +10,7 @@ "@actions/core": "^1.11.1", "@actions/http-client": "^2.2.3", "@actions/tool-cache": "^2.0.2", - "semver": "^7.7.2" + "semver": "^7.7.3" }, "devDependencies": { "@actions/io": "^1.1.3", @@ -5419,9 +5419,9 @@ "license": "MIT" }, "node_modules/semver": { - "version": "7.7.2", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz", - "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==", + "version": "7.7.3", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz", + "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==", "license": "ISC", "bin": { "semver": "bin/semver.js" diff --git a/package.json b/package.json index 44e0497..7eddeed 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ "@actions/core": "^1.11.1", "@actions/http-client": "^2.2.3", "@actions/tool-cache": "^2.0.2", - "semver": "^7.7.2" + "semver": "^7.7.3" }, "devDependencies": { "@actions/io": "^1.1.3", From aa774d754b425c35bb3983bd30048aa36d6bc59d Mon Sep 17 00:00:00 2001 From: per1234 Date: Tue, 7 Oct 2025 19:41:09 -0700 Subject: [PATCH 2/3] Repackage action following `semver` bump GitHub downloads each action run in a workflow during runtime and executes it as a complete package of code before you can use workflow commands like run to interact with the runner machine. This means that we must provide all JavaScript package dependencies as part of the distributed action in order for it to be usable in workflows. A naive approach to doing this is checking in the `node_modules` folder. However, this approach results in a huge amount of frequently changing external content being included in the repository, much of which is not even part of the executed program. A far better approach is to use the excellent ncc tool to compile the program, including all the relevant code from the dependencies, into a single file. We use a "continuous packaging" approach, where the packaged action code that is generated via ncc is always kept in sync with the development source code and dependencies. This allows a beta version of the action to be easily used in workflows by beta testers or those who need changes not in the release simply by using the name of the branch as the action ref (e.g., `uses: arduino/arduino-lint-action@main` will cause the version of the action from the tip of the `main` branch to be used by the workflow run). The update of the package dependency results in a change to the packaged code, so the packaging is here updated accordingly. --- dist/index.js | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/dist/index.js b/dist/index.js index 0b51f5c..4f4b373 100644 --- a/dist/index.js +++ b/dist/index.js @@ -7961,6 +7961,7 @@ const isSatisfiable = (comparators, options) => { // already replaced the hyphen ranges // turn into a set of JUST comparators. const parseComparator = (comp, options) => { + comp = comp.replace(re[t.BUILD], '') debug('comp', comp, options) comp = replaceCarets(comp, options) debug('caret', comp) @@ -8381,11 +8382,25 @@ class SemVer { other = new SemVer(other, this.options) } - return ( - compareIdentifiers(this.major, other.major) || - compareIdentifiers(this.minor, other.minor) || - compareIdentifiers(this.patch, other.patch) - ) + if (this.major < other.major) { + return -1 + } + if (this.major > other.major) { + return 1 + } + if (this.minor < other.minor) { + return -1 + } + if (this.minor > other.minor) { + return 1 + } + if (this.patch < other.patch) { + return -1 + } + if (this.patch > other.patch) { + return 1 + } + return 0 } comparePre (other) { @@ -9286,6 +9301,10 @@ module.exports = debug const numeric = /^[0-9]+$/ const compareIdentifiers = (a, b) => { + if (typeof a === 'number' && typeof b === 'number') { + return a === b ? 0 : a < b ? -1 : 1 + } + const anum = numeric.test(a) const bnum = numeric.test(b) From 1bebd5695cae1869881d0301d7fa33e9e24828e5 Mon Sep 17 00:00:00 2001 From: per1234 Date: Tue, 7 Oct 2025 19:42:41 -0700 Subject: [PATCH 3/3] Update dependency license metadata cache for `semver` bump --- .licenses/npm/{semver-7.7.2.dep.yml => semver-7.7.3.dep.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .licenses/npm/{semver-7.7.2.dep.yml => semver-7.7.3.dep.yml} (98%) diff --git a/.licenses/npm/semver-7.7.2.dep.yml b/.licenses/npm/semver-7.7.3.dep.yml similarity index 98% rename from .licenses/npm/semver-7.7.2.dep.yml rename to .licenses/npm/semver-7.7.3.dep.yml index 4157891..77ae981 100644 --- a/.licenses/npm/semver-7.7.2.dep.yml +++ b/.licenses/npm/semver-7.7.3.dep.yml @@ -1,6 +1,6 @@ --- name: semver -version: 7.7.2 +version: 7.7.3 type: npm summary: The semantic version parser used by npm. homepage: