forcedotcom · jfeingold35 · May 28, 2024 · May 24, 2024 · May 24, 2024 · May 28, 2024
diff --git a/.github/workflows/create-github-release.yml b/.github/workflows/create-github-release.yml
@@ -33,5 +33,6 @@ jobs:
           tag_name: v${{ steps.get-version-property.outputs.package_version }}
           name: v${{ steps.get-version-property.outputs.package_version }}
           body: See [release notes](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/release-notes.html)
+          target_commitish: main
           token: ${{ secrets.SVC_CLI_BOT_GITHUB_TOKEN }}
           make_latest: true
diff --git a/.github/workflows/publish-to-npm.yml b/.github/workflows/publish-to-npm.yml
@@ -15,10 +15,10 @@ jobs:
   verify-candidate-tag:
     runs-on: ubuntu-latest
     steps:
-      # Check out the release branch, and get its head commit as output for later.
+      # Check out the main branch, and get its head commit as output for later.
       - uses: actions/checkout@v4
         with:
-          ref: 'release'
+          ref: 'main'
       - run: echo "COMMIT_ID=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
         id: get-branch-commit
       # Checkout the tag we want to release, and get its head commit as output for later.
@@ -31,7 +31,7 @@ jobs:
       - name: Fail non-matching commits
         if: ${{ steps.get-branch-commit.outputs.COMMIT_ID != steps.get-tag-commit.outputs.COMMIT_ID }}
         run: |
-          echo "Tag commit must match latest commit in release. Branch is ${{ steps.get-branch-commit.outputs.COMMIT_ID }}. Tag is ${{ steps.get-tag-commit.outputs.COMMIT_ID }}"
+          echo "Tag commit must match latest commit in main. Branch is ${{ steps.get-branch-commit.outputs.COMMIT_ID }}. Tag is ${{ steps.get-tag-commit.outputs.COMMIT_ID }}"
           exit 1
       # Verify that the `package.json`'s version property is 4.Y.Z, as we want to restrict the `dev` and `release`
       # branches to publishing v4.x.

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.1.0",
+	"version": "4.2.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
@@ -1193,8 +1193,7 @@
           "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
           "githubID": "GHSA-27gm-ghr9-4v95",
           "CVE": [
-            "CVE-2020-17480",
-            "CVE-2020-23066"
+            "CVE-2020-17480"
           ]
         },
         "info": [
@@ -1264,8 +1263,7 @@
           "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
           "githubID": "GHSA-27gm-ghr9-4v95",
           "CVE": [
-            "CVE-2020-17480",
-            "CVE-2020-23066"
+            "CVE-2020-17480"
           ]
         },
         "info": [
@@ -6333,6 +6331,52 @@
         "info": [
           "https://github.com/advisories/GHSA-c59h-r6p8-q9wc"
         ]
+      },
+      {
+        "atOrAbove": "13.4.0",
+        "below": "13.5.1",
+        "cwe": [
+          "CWE-444"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Vulnerable to HTTP Request Smuggling",
+          "CVE": [
+            "CVE-2024-34350"
+          ],
+          "githubID": "GHSA-77r5-gw3j-2mpf"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-77r5-gw3j-2mpf",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-34350",
+          "https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5",
+          "https://github.com/vercel/next.js",
+          "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
+        ]
+      },
+      {
+        "atOrAbove": "13.4.0",
+        "below": "14.1.1",
+        "cwe": [
+          "CWE-918"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Server-Side Request Forgery in Server Actions",
+          "CVE": [
+            "CVE-2024-34351"
+          ],
+          "githubID": "GHSA-fr5h-rqp8-mj6g"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-fr5h-rqp8-mj6g",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
+          "https://github.com/vercel/next.js/pull/62561",
+          "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
+          "https://github.com/vercel/next.js"
+        ]
       }
     ],
     "extractors": {

diff --git a/test/lib/actions/RuleListAction.test.ts b/test/lib/actions/RuleListAction.test.ts
@@ -58,7 +58,7 @@ describe("Tests for RuleListAction", () => {
 			await ruleListAction.run(inputs);
 
 			let tableData: Ux.Table.Data[] = display.getLastTableData();
-			expect(tableData).to.have.length(222);
+			expect(tableData).to.have.length(223);
 
 			for (const rowData of tableData) {
 				expect(rowData.engine).to.equal('eslint-lwc');