Bump minimist from 1.2.5 to 1.2.7 in /research-hub-web#358
Open
dependabot[bot] wants to merge 2111 commits intomasterfrom
Open
Bump minimist from 1.2.5 to 1.2.7 in /research-hub-web#358dependabot[bot] wants to merge 2111 commits intomasterfrom
dependabot[bot] wants to merge 2111 commits intomasterfrom
Conversation
Bumps [cypress-commands](https://github.com/Lakitna/cypress-commands) from 1.1.0 to 2.0.1. - [Release notes](https://github.com/Lakitna/cypress-commands/releases) - [Changelog](https://github.com/Lakitna/cypress-commands/blob/develop/CHANGELOG.md) - [Commits](Lakitna/cypress-commands@1.1.0...2.0.1) --- updated-dependencies: - dependency-name: cypress-commands dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * article simplification * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * case-studys page refactor * fixed width cards, minor article change * changed equipment page * changes to events * changed fundings page * changes to service page * changes to software page * changes to subhubs and standard card * set image height * removed app-cards from featured component * removed old cards components * fixed featured layout * better spacing on featured component * fixed lock icon size * fixed article layout * fixed mobile card width * fixed clickable cards * generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * article simplification * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * case-studys page refactor * fixed width cards, minor article change * changed equipment page * changes to events * changed fundings page * changes to service page * changes to software page * changes to subhubs and standard card * set image height * removed app-cards from featured component * removed old cards components * fixed featured layout * better spacing on featured component * fixed lock icon size * fixed article layout * fixed mobile card width * fixed clickable cards * generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * article simplification * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * case-studys page refactor * fixed width cards, minor article change * changed equipment page * changes to events * changed fundings page * changes to service page * changes to software page * changes to subhubs and standard card * set image height * removed app-cards from featured component * removed old cards components * fixed featured layout * better spacing on featured component * fixed lock icon size * fixed article layout * fixed mobile card width * fixed clickable cards * generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * fixed width cards, minor article change * fixed clickable cards * minor fixes * article layout fixes * fixes for case studies layout * more layout fixes * fixed unit tests * fix for equipment table * upgraded e2e test with cypress types, fixed e2e tests * fixed inconsistent bottom margin * mat-icon white on subhub child card * added missing case study references * fixed 3 column layout being too narrow * fixed you-might-be-interested-in id * fixed featured layout * fixed missing funding purpose * fixed body media error * fix nulls error on subhub pages * fixed title underline * Revert "fixed title underline" This reverts commit d92ba98. * fixed subhub child card underline Co-authored-by: Rose McColl <rosemccoll@hotmail.com>
…ypress-commands-2.0.1
…search-hub-web/cypress-commands-2.0.1 Bump cypress-commands from 1.1.0 to 2.0.1 in /research-hub-web
* initial commit for content graph * added resolver and adjustments, highlight node on hover * update lockfile version * minor fixes for null checks * added auth guard to graph route * first version of node info box * added node highlighting * improved details list and highlighting * first version of graph legend in drawer * layout fixes * layout improvements * renamed graph-legend to graph-filter * added legend, added dev env * added graph link to footer * fixed capitalisation * some fixes for unit tests * more fixes for tests * exclude GraphFilter test for now * added graph API to CSP headers (dev) * renamed graph-container * refactored graph into component * tidy up field order * changed loading behaviour, removed route resolver * fixed canvas width, colour changes * fixed color legend and search box * minor improvements * many UI improvements, added contentful link to env files * updated test and prod environment files with graph api url * some fixes for unit tests * more fixes for unit tests * minor improvements for node details UI * added graph api to csp headers in cloudfront functions * rebuild package-lock.json * added esbuild dep
* Add token references for CI build * Add missing package * Fix npm shrinkwrap issue * Fix wrong org id * Update readme * Update documentation * Add indentation and minor fixes to README * FIx minor heading issue with readme Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com>
Co-authored-by: rosemcc <rosemccoll@hotmail.com> Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com>
* chore: version update * CHORE: update versions * HOTFIX * Chore: version changes Co-authored-by: Rose <31844476+rosemcc@users.noreply.github.com> Co-authored-by: rosemcc <rosemccoll@hotmail.com> Co-authored-by: Lukas Trombach <lukas.trombach@auckland.ac.nz> Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com> Co-authored-by: etan221 <eric.tan@auckland.ac.nz>
Change feedback button text
dependabot
bot
added
the
dependencies
* add initial modules and components * update search lambda * update and add new graphQL queries * add capability type to standard card * add components to routes * add capability list * reuse article default banner for capability card for now * add capability display name to pipe * first version of capability page * make tests runnable * add capability page type to search types * add navbar link to subhub * add capability list unit test * make e2e tests runnable * fix unit test * fix unit tests * add capability unit test * decapitalised navbar link * added new card background for capability * add capability e2e tests and fixture * fix capability not showing in search results * fix e2e test * add capability type to content graph * remove navbar link to be added later * fix standard card default image loading * lowercase sign in/out * move support materials to the top * fix unit test * fix navbar e2e test * move contacts to the top * minor fix for standard images * simplify standard card component * add comment explaining image height
update package versions
Bumps [minimist](https://github.com/minimistjs/minimist) from 1.2.5 to 1.2.7. - [Release notes](https://github.com/minimistjs/minimist/releases) - [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md) - [Commits](minimistjs/minimist@v1.2.5...v1.2.7) --- updated-dependencies: - dependency-name: minimist dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/minimist-1.2.7
branch
from
6a30f4b to
84661c8
Compare
lugn621
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/minimist-1.2.7
branch
from
84661c8 to
1e92a80
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+15
to
+36
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 14 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, the fix is to add an explicit permissions block that grants only the minimal required scopes for this workflow. Since this workflow just checks out the code and runs linters, it only needs read access to repository contents.
The best minimal fix without changing functionality is to add permissions: contents: read at the workflow root level (right after name: Lint), so all jobs inherit these read-only contents permissions. No additional scopes (like pull-requests: write or issues: write) appear necessary from the shown steps. This change is limited to .github/workflows/linting.yml, and no imports or method definitions are needed because this is pure YAML configuration.
Concretely, in .github/workflows/linting.yml, insert:
permissions:
contents: readbetween the existing name: Lint line and the on: block. This will satisfy the CodeQL rule and enforce least-privilege access for GITHUB_TOKEN in this workflow.
Suggested changeset
1
.github/workflows/linting.yml
| @@ -1,4 +1,6 @@ | ||
| name: Lint | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, |
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines
+14
to
+33
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, the fix is to add an explicit permissions block to the workflow or to the specific job, restricting the GITHUB_TOKEN to the least privileges needed. If the workflow only needs to read code (and not push, create releases, or modify issues/PRs), contents: read is an appropriate minimal starting point.
For this specific workflow in .github/workflows/sentry.yml, the safest change without altering functionality is to add a job‑level permissions block under sentry-release. The Sentry action communicates with Sentry via SENTRY_AUTH_TOKEN, so the GitHub token likely does not need write scopes. We will therefore set:
permissions:
contents: readThis will limit the GITHUB_TOKEN used in the job to read‑only repository contents. No additional methods, imports, or dependencies are needed. The change should be added immediately under the runs-on: ubuntu-latest line (line 15–16 region) in the sentry-release job.
Suggested changeset
1
.github/workflows/sentry.yml
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
Copilot is powered by AI and may make mistakes. Always verify output.
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, to fix log injection issues, sanitize any user-controlled data before writing it to logs. For plain-text logs, this typically means removing or normalizing newline (\n, \r) and other control characters, and optionally truncating very long inputs. The functional behavior of the application should not change; only how data is represented in logs should be adjusted.
For this specific case in hub-search-proxy/handler.js, we should avoid logging event.body as-is. The best minimal fix is:
- Derive a sanitized representation of
event.bodyfor logging only:- If it is a string, remove
\rand\ncharacters. - Optionally, truncate to a reasonable length (e.g., 1000 characters) to avoid log flooding, but truncation is not strictly required for injection prevention.
- If it is a string, remove
- Use that sanitized value in the
console.logstatement instead of the rawevent.body. - Keep the rest of the function unchanged, particularly the
JSON.parse(event.body);line, to avoid impacting request handling.
Concretely:
- In
module.exports.searchnear line 53 inhub-search-proxy/handler.js, replace the directconsole.log(Received query: ${event.body});call with a small block that builds a sanitized string (e.g.,sanitizedBody) by callingString(event.body).replace(/[\r\n]/g, '')and then logs that sanitized value. No new imports or external dependencies are needed.
Suggested changeset
1
hub-search-proxy/handler.js
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
Copilot is powered by AI and may make mistakes. Always verify output.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps minimist from 1.2.5 to 1.2.7.
Changelog
Sourced from minimist's changelog.
Commits
c590d75v1.2.70ebf4eb[meta] addauto-changeloge115b63[actions] add reusable workflows01fc23f[meta] addsafe-publish-latestf58745b[eslint] add eslint; rules to enable later are warnings228ae93[Tests] addaudinposttest236f4a0[readme] rename and add badgesab03356[Dev Deps] switch fromcoverttonyc49c5f9f[Dev Deps] updatecovert,tape; remove unnecessarytap783a49b[meta] create FUNDING.yml; addfundingin package.jsonMaintainer changes
This version was pushed to npm by ljharb, a new releaser for minimist since your current version.
You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.