feat: update dependencies to v3 aws-sdk and fix vulnerable github act…

…ion output when setting env var
clowdhaus · Dec 21, 2020 · fb034db · fb034db
1 parent 5fb739a
commit fb034db
Show file tree

Hide file tree

Showing 13 changed files with 1,002 additions and 512 deletions.
diff --git a/awscli/dist/index.js b/awscli/dist/index.js
diff --git a/awscli/package.json b/awscli/package.json
@@ -9,6 +9,7 @@
   },
   "scripts": {
     "compile": "ncc build -m",
+    "lint": "eslint '*.ts' --ignore-path ../.gitignore --fix",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "clowd.haus",

diff --git a/cloudfront_invalidate/dist/index.js b/cloudfront_invalidate/dist/index.js
diff --git a/cloudfront_invalidate/index.ts b/cloudfront_invalidate/index.ts
@@ -1,5 +1,5 @@
 import * as core from '@actions/core';
-import * as CloudFront from 'aws-sdk/clients/cloudfront';
+import { CloudFrontClient, CreateInvalidationCommand } from '@aws-sdk/client-cloudfront';
 
 const run = async (): Promise<void> => {
   try {
@@ -29,8 +29,12 @@ const run = async (): Promise<void> => {
       },
     };
 
-    const cloudfront = new CloudFront({ apiVersion: '2019-03-26', customUserAgent: 'aws-github-actions-cloudfront' });
-    const invalidation = await cloudfront.createInvalidation(params).promise();
+    const cloudfront = new CloudFrontClient({
+      apiVersion: '2019-03-26',
+      customUserAgent: 'aws-github-actions-cloudfront',
+    });
+
+    const invalidation = await cloudfront.send(new CreateInvalidationCommand(params));
     const invalidationId = invalidation.Invalidation.Id;
     core.setOutput('invalidation-id', invalidationId);
   } catch (error) {

diff --git a/cloudfront_invalidate/package.json b/cloudfront_invalidate/package.json
@@ -4,10 +4,11 @@
   "description": "Initiate CloudFront cache invalidation",
   "main": "index.ts",
   "dependencies": {
-    "aws-sdk": "^2.759.0"
+    "@aws-sdk/client-cloudfront": "^3.0.0"
   },
   "scripts": {
     "compile": "ncc build -m",
+    "lint": "eslint '*.ts' --ignore-path ../.gitignore --fix",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "clowd.haus",

diff --git a/iam_access_credentials/dist/index.js b/iam_access_credentials/dist/index.js
diff --git a/iam_access_credentials/index.ts b/iam_access_credentials/index.ts
@@ -1,5 +1,6 @@
 import * as core from '@actions/core';
-import * as Sts from 'aws-sdk/clients/sts';
+import { v4 as uuidv4 } from 'uuid';
+import { STSClient, AssumeRoleCommand, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
 
 interface AwsEnvValues {
   accessKeyId: string;
@@ -10,6 +11,10 @@ interface AwsEnvValues {
 }
 
 function exportEnvVariables(config: AwsEnvValues): void {
+  // Disable workflow commands
+  const token = uuidv4();
+  console.log(`::stop-commands::${token}`);
+
   // Export values as environment variables
   // https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
   core.exportVariable('AWS_ACCESS_KEY_ID', config.accessKeyId);
@@ -19,6 +24,9 @@ function exportEnvVariables(config: AwsEnvValues): void {
   }
   core.exportVariable('AWS_DEFAULT_REGION', config.region);
   core.exportVariable('AWS_REGION', config.region);
+
+  // Re-enable workflow commands
+  console.log(`::${token}::`);
 }
 
 const run = async (): Promise<void> => {
@@ -47,7 +55,7 @@ const run = async (): Promise<void> => {
     const parsedDurationSeconds = Math.max(parseInt(durationSeconds), 900);
     const externalId = core.getInput('external-id', { required: false });
 
-    const sts = new Sts({
+    const sts = new STSClient({
       apiVersion: '2011-06-15',
       customUserAgent: 'aws-github-actions-sts',
     });
@@ -61,15 +69,15 @@ const run = async (): Promise<void> => {
 
     // If assuming role, assume then re-export creds to environment
     if (useAssumeRole) {
-      const role = await sts.assumeRole(params).promise();
+      const role = await sts.send(new AssumeRoleCommand(params));
       envValues.accessKeyId = role.Credentials.AccessKeyId;
       envValues.secretAccessKey = role.Credentials.SecretAccessKey;
       envValues.sessionToken = role.Credentials.SessionToken;
       exportEnvVariables(envValues);
     }
 
     // Get AWS account ID
-    const identity = await sts.getCallerIdentity().promise();
+    const identity = await sts.send(new GetCallerIdentityCommand({}));
     const accountId = identity.Account;
     core.setOutput('aws-account-id', accountId);
     if (!envValues.maskAccountId || envValues.maskAccountId.toLowerCase() == 'true') {

diff --git a/iam_access_credentials/package.json b/iam_access_credentials/package.json
@@ -4,12 +4,16 @@
   "description": "Configure AWS IAM access credentials for use with the AWS CLI and AWS SDKs",
   "main": "index.ts",
   "dependencies": {
-    "aws-sdk": "^2.759.0"
+    "@aws-sdk/client-sts": "^3.0.0"
   },
   "scripts": {
     "compile": "ncc build -m",
+    "lint": "eslint '*.ts' --ignore-path ../.gitignore --fix",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "clowd.haus",
-  "license": "Apache-2.0"
+  "license": "Apache-2.0",
+  "devDependencies": {
+    "@types/uuid": "^8.3.0"
+  }
 }
diff --git a/package.json b/package.json
@@ -29,7 +29,7 @@
   ],
   "scripts": {
     "build": "lerna run build && lerna run compile",
-    "lint": "eslint 'actions/**/*.{js,ts}' --fix",
+    "lint": "lerna run lint",
     "release": "lerna version --conventional-commits --create-release github --yes"
   },
   "dependencies": {
@@ -38,21 +38,21 @@
   "devDependencies": {
     "@commitlint/cli": "^11.0.0",
     "@commitlint/config-conventional": "^11.0.0",
-    "@types/node": "^14.11.2",
-    "@typescript-eslint/eslint-plugin": "^4.2.0",
-    "@typescript-eslint/parser": "^4.2.0",
-    "@vercel/ncc": "^0.24.1",
-    "commitizen": "^4.2.1",
+    "@types/node": "^14.14.14",
+    "@typescript-eslint/eslint-plugin": "^4.11.0",
+    "@typescript-eslint/parser": "^4.11.0",
+    "@vercel/ncc": "^0.26.1",
+    "commitizen": "^4.2.2",
     "cz-conventional-changelog": "^3.3.0",
-    "eslint": "^7.9.0",
-    "eslint-config-prettier": "^6.11.0",
-    "eslint-plugin-prettier": "^3.1.4",
-    "husky": "^4.3.0",
+    "eslint": "^7.16.0",
+    "eslint-config-prettier": "^7.1.0",
+    "eslint-plugin-prettier": "^3.3.0",
+    "husky": "^4.3.6",
     "lerna": "^3.22.1",
-    "lint-staged": "^10.4.0",
-    "prettier": "^2.1.2",
-    "prettier-plugin-package": "^1.0.0",
-    "typescript": "^4.0.3"
+    "lint-staged": "^10.5.3",
+    "prettier": "^2.2.1",
+    "prettier-plugin-package": "^1.3.0",
+    "typescript": "^4.1.3"
   },
   "command": {
     "version": {

diff --git a/packages/awscli-core/package.json b/packages/awscli-core/package.json
@@ -7,10 +7,11 @@
   "dependencies": {
     "@actions/exec": "^1.0.4",
     "@actions/io": "^1.0.2",
-    "@actions/tool-cache": "^1.6.0"
+    "@actions/tool-cache": "^1.6.1"
   },
   "scripts": {
     "build": "rm -f lib/* && tsc",
+    "lint": "eslint '*.ts' --ignore-path ../../.gitignore --fix",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "clowd.haus",

diff --git a/s3_sync/dist/index.js b/s3_sync/dist/index.js
diff --git a/s3_sync/package.json b/s3_sync/package.json
@@ -9,6 +9,7 @@
   },
   "scripts": {
     "compile": "ncc build -m",
+    "lint": "eslint '*.ts' --ignore-path ../.gitignore --fix",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "clowd.haus",