Bump postcss and @angular-devkit/build-angular in /research-hub-web#404
Conversation
Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com>
Expandable page part
Fix search box display on zoom
…-test Feature/google tag manager test
Feature/rsm 2358 update text
Add capabilities navbar link
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
Bumps [postcss](https://github.com/postcss/postcss) to 8.4.31 and updates ancestor dependency [@angular-devkit/build-angular](https://github.com/angular/angular-cli). These dependencies need to be updated together. Updates `postcss` from 8.4.5 to 8.4.31 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.5...8.4.31) Updates `@angular-devkit/build-angular` from 13.2.3 to 16.2.5 - [Release notes](https://github.com/angular/angular-cli/releases) - [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md) - [Commits](angular/angular-cli@13.2.3...16.2.5) --- updated-dependencies: - dependency-name: postcss dependency-type: indirect - dependency-name: "@angular-devkit/build-angular" dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
|
Dependabot tried to add |
lugn621
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/postcss-and-angular-devkit/build-angular-8.4.31
branch
from
b4fccb2 to
9ea64cf
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 14 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
To fix the problem, explicitly constrain the GITHUB_TOKEN permissions to the minimum needed. This workflow only checks out code and runs Node/Angular tooling; it does not push commits, modify issues, or publish packages. Therefore, it only needs read access to repository contents.
The best fix is to add a permissions: block at the workflow root (top level, alongside name: and on:) so that it applies to all jobs, including run-linters. Set contents: read as suggested by CodeQL. No additional libraries, steps, or functionality changes are required; we are only tightening token scope.
Concretely, in .github/workflows/linting.yml, insert:
permissions:
contents: readafter the name: Lint line and before the on: block. No other files or regions need changes.
| @@ -1,5 +1,8 @@ | ||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, | ||
| # but only for the main branch |
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the fix is to add an explicit permissions block that limits the GITHUB_TOKEN to the minimum required scopes. This can be done either at the root of the workflow (applies to all jobs) or within the specific job. Since this workflow only defines a single job, either location is fine; placing it at the job level makes the intent local and clear.
The sentry-release job uses actions/checkout@v2 and a Sentry release action. Both only require read access to repository contents to function; they do not need to push commits or modify issues/PRs. Therefore, the best fix is to add permissions: contents: read to the sentry-release job. Concretely, in .github/workflows/sentry.yml, under jobs: sentry-release:, insert a permissions: section between runs-on: ubuntu-latest and steps:. No imports or additional methods are needed, as this is purely a YAML configuration change.
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, user-controlled data should be sanitized before being included in log messages. For plain-text logs, this usually means stripping carriage-return and newline characters so that a single call to console.log cannot create multiple log lines. It is also helpful to clearly delimit or structure the logged user input.
For this specific case, the best fix with minimal functional impact is to sanitize event.body just for logging. We can create a local variable, e.g. sanitizedBody, where we remove \r and \n from event.body using String.prototype.replace with a regular expression, then log that sanitized value. All subsequent uses of event.body (such as JSON.parse(event.body)) should remain unchanged to preserve existing behavior.
Concretely, in hub-search-proxy/handler.js inside module.exports.search, replace line 53 so that it first derives a sanitized string from event.body and logs that. No new imports or external dependencies are needed.
| @@ -50,10 +50,10 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; | ||
| let from = 0; | ||
| let queryFilters = {}; | ||
| let queryFiltersCount = 0; |
7 participants
Bumps postcss to 8.4.31 and updates ancestor dependency @angular-devkit/build-angular. These dependencies need to be updated together.
Updates
postcssfrom 8.4.5 to 8.4.31Release notes
Sourced from postcss's releases.
... (truncated)
Changelog
Sourced from postcss's changelog.
... (truncated)
Commits
90208deRelease 8.4.31 version58cc860Fix carrier return parsing4fff8e4Improve pnpm test outputcd43ed1Update dependenciescaa916bUpdate dependencies8972f76Typo11a5286Typo45c5501Release 8.4.30 versionbc3c341Update linterb2be58aMerge pull request #1881 from romainmenke/improve-sourcemap-performance--phil...Updates
@angular-devkit/build-angularfrom 13.2.3 to 16.2.5Release notes
Sourced from
@angular-devkit/build-angular's releases.... (truncated)
Changelog
Sourced from
@angular-devkit/build-angular's changelog.... (truncated)
Commits
b53d5efrelease: cut the v16.2.5 release493bd39fix(@angular-devkit/build-angular): update dependency postcss to v8.4.310201061test(@angular/cli): remove Safari 15 test9333581fix(@angular-devkit/build-angular): do not print `Angular is running in devel...660d849release: cut the v16.2.4 release5dc7fb1fix(@schematics/angular): update@angular/cliversion specifier to use^ae41ab5refactor(@angular-devkit/build-angular): typo in ignore list plugin function64b3586release: cut the v16.2.3 releasef1195d0fix(@ngtools/webpack): fix recursion in webpack resolve1f9caa9refactor(@schematics/angular): remove empty space in app.config.ts.templateYou can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.