
Update dependency semver to v7.6.2 #66

Status: Open. Wants to merge 1 commit into base: master.

Conversation

renovate[bot]

@renovate renovate bot commented Mar 27, 2024

Mend Renovate

This PR contains the following updates:

Package: semver
Change: 7.5.3 -> 7.6.2

Release Notes

npm/node-semver (semver)

v7.6.2: Bug Fixes
v7.6.1: Bug Fixes, Dependencies, Chores
v7.6.0: Features, Chores
v7.5.4: Bug Fixes

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.


[puLL-Merge] - npm/node-semver@v7.5.3..v7.6.0

Description

This PR introduces a series of changes aimed at improving the code quality, security, and maintainability of the node-semver package. The modifications include enhancing ESLint configurations, adding GitHub Actions for checking and installing npm, modifying the dependabot configuration to handle more systematic updates, refining the repository settings, particularly around pull request handling and branch protections, and updating workflows to use newer Node versions and improve CI/CD processes.

Changes

.eslintrc.js

  • Added ignorePatterns to exclude 'tap-testdir*' directories from linting processes.

.github/actions/create-check/action.yml (New File)

  • Implements a new GitHub Action for creating checks, especially useful for CI/CD pipelines.

.github/actions/install-latest-npm/action.yml (New File)

  • Added a new GitHub action for installing the latest compatible version of npm according to the Node version in use.

.github/dependabot.yml

  • Adjustments to dependabot configuration to specify target-branch for updates and extend the scope to additional branches ('release/v5', 'release/v6') with specific rules for each.

.github/settings.yml

  • Introduced more granular branch protection rules and restrictions, including requirements for pull request reviews, code owner reviews, and branch creation blocking for main, release/v5, and release/v6 branches.

GitHub Workflows (.github/workflows/*.yml)

  • Significant updates across various workflows (audit.yml, ci-release.yml, ci.yml, codeql-analysis.yml, post-dependabot.yml, pull-request.yml, release-integration.yml, release.yml):
    • Upgraded Node versions to 20.x in several workflows.
    • Streamlined the use of newly introduced GitHub actions, like install-latest-npm.
    • Adjusted to new approaches for creating checks and handling PR comments.
    • Introduced 'release-integration.yml' as a new workflow for handling release integrations.

.gitignore

  • Added rule to ignore 'tap-testdir*' directories.
  • Added exclusion for 'tsconfig.json'.

.release-please-manifest.json

  • Version bump to "7.6.0".

CHANGELOG.md

  • Documented changes for the new version.

README.md

  • Updates to documentation reflecting new coercing behavior for pre-release and build parts of versions.

JavaScript Files (*.js in various directories)

  • Various code adjustments and improvements to match the updated configurations and workflows.
    • This includes changes to regex patterns, SemVer parsing logic, coercing functions, test cases, and others, which reflect enhanced functionality or code quality improvements.

Security Hotspots

  1. GitHub Actions Security: The inclusion of new GitHub Actions scripts (create-check, install-latest-npm) opens potential vectors for security concerns if the actions are not properly secured, especially regarding the use of secrets.
     Risk: Medium
     Files:
     • .github/actions/create-check/action.yml
     • .github/actions/install-latest-npm/action.yml
  2. Dependabot Configuration: Extensive changes to the dependabot configuration may inadvertently introduce security issues if dependency updates are not properly vetted or if automatic PR merging is enabled without human review.
     Risk: Low
     File: .github/dependabot.yml
  3. External GitHub Action Usage: The workflows use external GitHub actions (LouisBrunner/checks-action@v1.6.0, actions/github-script@v6). While common, reliance on third-party actions carries inherent risk if those actions become compromised.
     Risk: Medium
     Example Files:
     • .github/workflows/audit.yml
     • .github/workflows/ci-release.yml
  4. Privilege Escalation via Workflow Misconfigurations: The new or modified GitHub workflows should be carefully reviewed to ensure they do not inadvertently provide escalated privileges to GitHub actions, particularly through the misuse of GitHub secrets or the execution environment.
     Risk: Medium
     Example File: .github/workflows/release-integration.yml

Review of these areas is recommended to ensure they adhere to best security practices and do not introduce unintended vulnerabilities into the project.

@renovate renovate bot changed the title Update dependency semver to v7.6.0 Update dependency semver to v7.6.1 May 11, 2024

[puLL-Merge] - npm/node-semver@v7.5.3..v7.6.1

Description

This PR updates the semver package to version 7.6.1. It includes bug fixes, dependency updates, and chore updates.

Changes

  • .commitlintrc.js: Updates commitlint rules to be less strict on subject case and body line length.
  • .eslintrc.js: Adds tap-testdir*/ to ignorePatterns.
  • .github/actions/create-check/action.yml: Adds a new GitHub action to create checks.
  • .github/actions/install-latest-npm/action.yml: Adds a new GitHub action to install the latest compatible npm version.
  • .github/dependabot.yml: Configures Dependabot to target release/* branches and limit open PRs.
  • .github/settings.yml: Updates branch protections and required reviews.
  • .github/workflows/: Updates all workflows to use the new GitHub actions, test on more Node versions and macOS 13. Adds release-integration.yml.
  • .gitignore: Adds tap-testdir*/ and /benchmarks.
  • CHANGELOG.md: Adds entries for 7.6.1, 7.6.0 and 7.5.4 releases.
  • README.md: Various improvements and updates.
  • benchmarks/: Adds benchmark scripts.
  • bin/semver.js: Refactors semver CLI to be more efficient.
  • internal/re.js: Adds support for long build IDs.
  • package.json: Bumps version to 7.6.1, updates dependencies, refines npm scripts.
  • release-please-config.json: Configures Release Please bot.
  • Multiple test files: Adds new tests, makes some existing tests stricter.

Security Hotspots

None found. The changes look safe and do not introduce any obvious security vulnerabilities.

Overall this is a solid maintenance release with useful improvements and fixes. The new features like supporting prerelease/build parts in coerce are well tested. Adding benchmark scripts is a nice enhancement too.

Let me know if you have any other questions! The PR looks good to merge from my review.

@renovate renovate bot changed the title Update dependency semver to v7.6.1 Update dependency semver to v7.6.2 May 13, 2024

[puLL-Merge] - npm/node-semver@v7.5.3..v7.6.2

Description

This PR updates the semver library to version 7.6.2. The main changes include:

  • Fixing various bugs related to comparisons, parsing, and the lru-cache dependency
  • Adding new benchmarking tests
  • Upgrading dependencies like @npmcli/template-oss
  • Improving documentation in the README
  • Preserving prerelease and build parts when using coerce() with the includePrerelease option

The motivation appears to be fixing bugs, improving performance, and adding some new functionality while keeping the library up-to-date.

Changes

  • .commitlintrc.js: Relaxed some commitlint rules around subject case and body line length
  • .eslintrc.js: Added tap-testdir*/ to ignored patterns
  • .github/:
    • Added new reusable workflow for creating checks
    • Added new reusable workflow for installing latest compatible npm version
    • Updated dependabot config to support older release branches
    • Other workflow updates and improvements
  • .gitignore: Added tap-testdir*/ to ignored paths
  • README.md: Various documentation improvements and updates
  • benchmarks/: Added new benchmark tests for comparing, parsing, satisfying versions
  • bin/semver.js: Refactored success function logic directly into main
  • classes/range.js: Switched to use internal LRUCache, call trim() on ranges
  • classes/semver.js: Removed test for invalid version numbers
  • functions/coerce.js: Support includePrerelease option to preserve prerelease and build parts
  • internal/: Added custom LRUCache implementation, removed lru-cache dependency
  • package.json: Version bump to 7.6.2, removed lru-cache dependency
  • test/: Various test additions and updates

Security Hotspots

None found. The changes appear to be safe bug fixes, refactorings and enhancements. Switching to a custom LRUCache implementation removes a third-party dependency.

Let me know if you have any other questions!
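The reviews above note that dependency bumps should be vetted before merging and that 7.6.2 drops the lru-cache dependency. The following is an added example, not code from this PR or from the semver project, of a lockfile check a reviewer could run on such a bump; it assumes the lockfile v3 "packages" layout, and the integrity strings in the sample data are constructed placeholders.

```javascript
// Added example (not part of this PR or the semver project): vetting the
// package-lock.json entry for a Renovate-style bump of semver. It checks that
// semver resolved to the expected version from the public registry with an
// integrity hash, and that the lock reflects 7.6.2 dropping lru-cache.
// Lockfile v3 layout (the "packages" map) is assumed.
const EXPECTED_SEMVER = '7.6.2';
const REGISTRY = 'https://registry.npmjs.org/';
// Returns a list of findings; an empty list means the entry passes.
function vetSemverBump(lock, expected = EXPECTED_SEMVER) {
  const findings = [];
  const pkgs = lock.packages || {};
  const entry = pkgs['node_modules/semver'];
  if (!entry) return ['semver is missing from the lockfile'];
  if (entry.version !== expected) {
    findings.push(`semver resolved to ${entry.version}, expected ${expected}`);
  }
  if (typeof entry.resolved !== 'string' || !entry.resolved.startsWith(REGISTRY)) {
    findings.push(`semver resolved from an unexpected source: ${entry.resolved}`);
  }
  if (typeof entry.integrity !== 'string' || !entry.integrity.startsWith('sha512-')) {
    findings.push('semver entry has no sha512 integrity hash');
  }
  // 7.6.2 replaced lru-cache with an internal implementation; a leftover
  // lru-cache under semver means the lock was not regenerated for the bump.
  if (entry.dependencies && 'lru-cache' in entry.dependencies) {
    findings.push('semver still declares lru-cache; lockfile may be stale');
  }
  if (pkgs['node_modules/semver/node_modules/lru-cache']) {
    findings.push('nested lru-cache under semver; lockfile may be stale');
  }
  return findings;
}

// Constructed sample lock fragments; integrity strings are placeholders, not real hashes.
const GOOD_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/semver': {
    version: '7.6.2',
    resolved: 'https://registry.npmjs.org/semver/-/semver-7.6.2.tgz',
    integrity: 'sha512-CONSTRUCTED_PLACEHOLDER',
  },
} };
const STALE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/semver': {
    version: '7.5.3',
    resolved: 'https://registry.npmjs.org/semver/-/semver-7.5.3.tgz',
    integrity: 'sha512-CONSTRUCTED_PLACEHOLDER',
    dependencies: { 'lru-cache': '^6.0.0' },
  },
  'node_modules/semver/node_modules/lru-cache': { version: '6.0.0' },
} };
```

Running `vetSemverBump` over a real lockfile means parsing package-lock.json with `JSON.parse` and passing the object in; a non-empty result is a reason to hold the merge.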
