Bump @babel/traverse from 7.16.10 to 7.23.2 in /research-hub-web#410
Bump @babel/traverse from 7.16.10 to 7.23.2 in /research-hub-web#410dependabot[bot] wants to merge 2148 commits intomasterfrom
Conversation
Expandable page part
Add capabilities navbar link
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
dependabot
bot
added
the
dependencies
|
Dependabot tried to add |
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.16.10 to 7.23.2. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse) --- updated-dependencies: - dependency-name: "@babel/traverse" dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/babel/traverse-7.23.2
branch
from
672fd86 to
407f99b
Compare
lugn621
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/babel/traverse-7.23.2
branch
from
407f99b to
d377031
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the fix is to explicitly set permissions for the workflow (or for the individual job) so that GITHUB_TOKEN has only the minimal scopes required. For this linting job, it only needs to read the repository contents to check out the code; no writes to the repository or other resources appear necessary.
The best minimal change is to add a workflow-level permissions block just after the name: line and before on: in .github/workflows/linting.yml. This will apply to all jobs in this workflow, including run-linters, without changing any existing logic. The block should grant contents: read, which is sufficient for actions/checkout and for running local npm and ng lint commands. No new imports or additional methods are required, as this is purely a YAML configuration change.
Concretely, in .github/workflows/linting.yml, insert:
permissions:
contents: readbetween line 1 (name: Lint) and line 3 (on:), preserving indentation as shown.
| @@ -1,4 +1,6 @@ | ||
| name: Lint | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, |
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the fix is to add an explicit permissions block that scopes GITHUB_TOKEN to the least privileges needed. This can be done at the workflow root (applies to all jobs) or inside the specific job. Here we only have one job, so either level is fine; using the workflow root is slightly clearer and matches the CodeQL suggestion of a minimal starting point contents: read.
The best minimal change, without altering functionality, is to add a permissions block near the top of .github/workflows/sentry.yml, after the name: (or on:) key. The job uses actions/checkout, which requires contents: read at minimum. The Sentry release action uses an auth token in env and does not need GITHUB_TOKEN write scopes for GitHub resources based on the provided snippet. Therefore, we can safely restrict the token to contents: read. No additional methods, imports, or external dependencies are needed; this is a pure YAML configuration change in .github/workflows/sentry.yml.
| @@ -1,5 +1,8 @@ | ||
| name: Sentry Release | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, to fix log injection when logging user-controlled data, sanitize the data before logging. For plain-text logs, this typically means removing or replacing line breaks (\n, \r) and optionally clearly marking the portion that comes from user input. For HTML logs, HTML-encode the value before logging.
In this file, the best minimal-impact fix is to avoid logging event.body directly. Instead, derive a sanitized version—e.g., convert it to a string and strip carriage returns and newlines—then log that sanitized value. This preserves existing functionality (a human-readable record of the received body) while preventing an attacker from injecting additional log lines. Concretely, change line 53 so that it logs a sanitized version, such as String(event.body).replace(/[\r\n]/g, ''). No additional imports or helpers are needed; a small inline transformation suffices.
Only hub-search-proxy/handler.js needs editing, and only the logging line within module.exports.search at line 53.
| @@ -50,7 +50,7 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| console.log(`Received query: ${String(event.body).replace(/[\r\n]/g, '')}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
7 participants
Bumps @babel/traverse from 7.16.10 to 7.23.2.
Release notes
Sourced from
@babel/traverse's releases.... (truncated)
Changelog
Sourced from
@babel/traverse's changelog.... (truncated)
Commits
b4b9942v7.23.2b13376bOnly evaluate own String/Number/Math methods (#16033)ca58ec1v7.23.00f333daAddcreateImportExpressionsparser option (#15682)3744545Fix lintingc7e6806Addt.buildUndefinedNode(#15893)38ee8b4Expand evaluation of global built-ins in@babel/traverse(#15797)9f3dfd9v7.22.203ed28b2Fully support||and&&inpluginToggleBooleanFlag(#15961)77b0d73v7.22.19Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.