chore(deps): semantic-release [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semantic-release	15.13.30 -> 17.2.3

GitHub Vulnerability Alerts

CVE-2020-26226

Impact

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.

Patches

Fixed in v17.2.3

Workarounds

Secrets that do not contain characters that become encoded when included in a URL are already masked properly.

---

Release Notes

semantic-release/semantic-release (semantic-release)

v17.2.3

Compare Source

Bug Fixes

• mask secrets when characters get uri encoded (ca90b34)

v17.2.2

Compare Source

Bug Fixes

• don't parse port as part of the path in repository URLs (#​1671) (77a75f0)
• use valid git credentials when multiple are provided (#​1669) (2bf3771)

v17.2.1

Compare Source

Reverts

• Revert "feat: throw an Error if package.json has duplicate "repository" key (#​1656)" (3abcbaf), closes #​1656 #​1657

v17.2.0

Compare Source

Features

• throw an Error if package.json has duplicate "repository" key (#​1656) (b8fb35c)

v17.1.2

Compare Source

Bug Fixes

• add logging for when ssh falls back to http (#​1639) (b4c5d0a)

v17.1.1

Compare Source

Bug Fixes

• use correct ci branch context (#​1521) (0f0c650)

v17.1.0

Compare Source

Features

• bitbucket-basic-auth: support for bitbucket server basic auth (#​1578) (a465801)

v17.0.8

Compare Source

Bug Fixes

• prevent false positive secret replacement for Golang projects (#​1562) (eed1d3c)

v17.0.7

Compare Source

Bug Fixes

• package: update marked to version 1.0.0 (#​1534) (d64db31)

v17.0.6

Compare Source

Bug Fixes

• adapt for semver to version 7.3.2 (part II) (#​1530) (431d571)

v17.0.5

Compare Source

Bug Fixes

• adapt for semver to version 7.3.2 (0363790)

v17.0.4

Compare Source

Bug Fixes

• add repositoryUrl in logs (55be0ba)

v17.0.3

Compare Source

Bug Fixes

• pass a branch name to getGitAuthUrl (e7bede1)

v17.0.2

Compare Source

Bug Fixes

• package: update marked-terminal to version 4.0.0 (8ce2d6e)

v17.0.1

Compare Source

Bug Fixes

• package: update @​semantic-release/commit-analyzer to version 8.0.0 (45695b9)
• package: update @​semantic-release/github to version 7.0.0 (c48bd3a)
• package: update @​semantic-release/npm to version 7.0.0 (f2b5826)
• package: update @​semantic-release/release-notes-generator to version 9.0.0 (3c7b114)

v17.0.0

Compare Source

BREAKING CHANGES

• Require Node.js >= 10.18

v16.0.4

Compare Source

Bug Fixes

• correct error when remote repository has no branches (c6b1076)

v16.0.3

Compare Source

Bug Fixes

• use --no-verify when testing the Git permissions (b54b20d)

v16.0.2

Compare Source

Bug Fixes

• fetch tags on repo cached by the CI (6b5b02e)

v16.0.1

Compare Source

Bug Fixes

• package: update env-ci to version 5.0.0 (3739ab5)

v16.0.0

Compare Source

BREAKING CHANGES

• ⚠️ For v16.0.0@​beta users only:

  In v16, a JSON object stored in a Git note is used to keep track of the channels on which a version has been released, the @{channel} suffix is no longer necessary.

  The tags formatted as v{version}@​{channel} will now be ignored. If you have releases using this format you will have to upgrade them:

  • Find all the versions that have been released on a branch other than the default one by searching for all tags formatted as v{version}@​{channel}
  • For each of those version:
    • Create a tag without the {@​channel} if none doesn't already exists
    • Add a Git note to the tag without the {@​channel} containing the channels on which the version was released formatted as {"channels":["channel1","channel2"]} and using null for the default channel (for example.{"channels":[null,"channel1","channel2"]})
    • Push the tags and notes
    • Update the GitHub releases that refer to a tag formatted as v{version}@​{channel} to use the tag without it
    • Delete the tags formatted as v{version}@​{channel}

• Require Node.js >= 10.13

• Git CLI version 2.7.1 or higher is now required: The --merge option of the git tag command has been added in Git version 2.7.1 and is now used by semantic-release

• Regexp are not supported anymore for property matching in the releaseRules option.

  Regex are replaced by globs. For example /core-.*/ should be changed to 'core-*'.

• The branch option has been removed in favor of branches

• The new branches option expect either an Array or a single branch definition. To migrate your configuration:

  • If you want to publish package from multiple branches, please see the configuration documentation
  • If you use the default configuration and want to publish only from master: nothing to change
  • If you use the branch configuration and want to publish only from one branch: replace branch with branches ("branch": "my-release-branch" => "branches": "my-release-branch")

Features

• allow addChannel plugins to return false in order to signify no release was done (e1c7269)
• allow publish plugins to return false in order to signify no release was done (47484f5)
• allow to release any version on a branch if up to date with next branch (916c268)
• support multiple branches and distribution channels (7b40524)
• use Git notes to store the channels on which a version has been released (b2c1b2c)
• package: update @​semantic-release/commit-analyzer to version 7.0.0 (e63e753)

Performance Improvements

• use git tag --merge <branch> to filter tags present in a branch history (cffe9a8)

Bug Fixes

• add channel to publish success log (5744c5e)
• add a flag indicate which branch is the main one (2caafba)
• Add helpful detail to ERELEASEBRANCHES error message (#​1188) (37bcc9e)
• allow multiple branches with same channel (63f51ae)
• allow to set ci option via API and config file (2faff26)
• call getTagHead only when necessary (de77a79)
• call success plugin only once for releases added to a channel (9a023b4)
• correct log when adding channel to tag (61665be)
• correctly determine next pre-release version (0457a07)
• correctly determine release to add to a channel (aec96c7)
• correctly handle skipped releases (89663d3)
• display erroring git commands properly (1edae67)
• do not call addChannelfor 2 merged branches configured with the same channel (4aad9cd)
• do not create tags in dry-run mode for released to add to a channel (97748c5)
• fetch all release branches on CI (b729183)
• fix branch type regexp to handle version with multiple digits (52ca0b3)
• fix maintenance branch regex (a022996)
• fix range regexp to handle version with multiple digits (9a04e64)
• handle branch properties set to false (751a5f1)
• harmonize parameters passed to getError (f96c660)
• ignore lasst release only if pre-release on the same channel as current branch (990e85f)
• increase next version on prerelease branch based on highest commit type (9ecc7a3)
• look also for previous prerelease versions to determine the next one (9772563)
• modify fetch function to handle CircleCI specifics (cbef9d1)
• on maintenance branch add to channel only version >= to start range (c22ae17)
• remove confusing logs when searching for releases to add to a channel (162b4b9)
• remove hack to workaround GitHub Rebase & Merge (844e0b0)
• remove unnecessary await (9a1af4d)
• simplify get-tags algorithm (00420a8)
• throws error if the commit associated with a tag cannot be found (1317348)
• update plugin versions (0785a84)
• update plugins dependencies (9890584)
• verify is branch is up to date by comparing remote and local HEAD (a8747c4)
• remove unnecessary branch parameter from push function (968b996)
• revert to the correct refspec in fetch function (9948a74)
• update plugins dependencies (73f0c77)
• repositoryUrl: on beta repositoryUrl needs auth for pre-release flows (#​1186) (3610422)

v15.14.0

Compare Source

Features

• pass envi-ci values to plugins context (a8c747d)

v15.13.32

Compare Source

Bug Fixes

• correctly display command that errored out in logs (fc7205d)

v15.13.31

Compare Source

Bug Fixes

• package: update yargs to version 15.0.1 (2c13136)

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.