Bump @babel/traverse from 7.16.10 to 7.23.2 in /subhub-link-checker #411
dependabot[bot] wants to merge 2137 commits into master from
Conversation
Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com>
…-test Feature/google tag manager test
Feature/rsm 2358 update text
Add capabilities navbar link
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.16.10 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
d647d17 to 96dcce5
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 14 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
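Review bot: `uses: actions/checkout@v2`, `uses: actions/setup-node@v1` and `run: npm install -g @angular/cli` all resolve to whatever those mutable references point at on the day the job runs, so a retagged action or a new CLI major can silently change what lint executes; pin the two actions to full commit SHAs (keeping the version in a trailing comment) and give the CLI an explicit version, e.g. `npm install -g @angular/cli@<version>`. `node-version: 14` is also past its upstream end of life, so the runtime the linter runs on no longer receives security fixes.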
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 8 days ago)
In general, fix this by explicitly specifying a minimal permissions block for the workflow or for the specific job. Since this workflow only needs to check out code and run linters, it only requires read access to repository contents; it does not need to write to the repo, issues, or pull requests.
The best fix here is to add a permissions block at the root level of the workflow (applies to all jobs) or directly under the run-linters job. To align with the CodeQL suggestion and least privilege, set contents: read. No other permissions are required for checkout and local linting. The smallest, clearest change is to add:
    permissions:
      contents: read

immediately after the name: Lint line (line 1). This documents the workflow’s needs and ensures the GITHUB_TOKEN remains restricted even if repo defaults change. No imports or additional methods are needed.
| @@ -1,4 +1,6 @@ | ||
| name: Lint | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, |
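Review bot: the workflow-root `permissions:` / `contents: read` block in this hunk is the right scope for this file: it covers every job, including any added later, and read access to contents is all that checkout and `ng lint` need. If a job is later added that must write (for example to comment on a pull request), give that job its own narrower `permissions:` override rather than widening the root block.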
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
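Review bot: `run: echo ::set-output name=branch::${GITHUB_REF#refs/*/}` uses the `set-output` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; replace the step body with `echo "branch=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"` (the `id: var` and `steps.var.outputs.branch` references stay unchanged). The file also ends without a trailing newline, as the diff marks; add one so later hunks stay clean.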
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 8 days ago)
In general, the fix is to add an explicit permissions block that grants only the scopes required by the workflow. Since this workflow just checks out the repository and calls Sentry’s release action (using Sentry’s own auth token), it only needs read access to repository contents. A minimal permissions block with contents: read is sufficient.
The best way to fix this without changing functionality is to add a permissions block at the job level for sentry-release in .github/workflows/sentry.yml. This keeps the change tightly scoped and documents that this job only needs read access. Insert the block directly under runs-on: ubuntu-latest (around line 15–16), for example:
    jobs:
      sentry-release:
        name: Create Sentry Release
        runs-on: ubuntu-latest
        permissions:
          contents: read

No imports or additional methods are needed because this is just configuration in a GitHub Actions workflow file.
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
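Review bot: a job-level `permissions:` block only restricts `sentry-release`; any other job in `.github/workflows/sentry.yml` keeps the repository's default token scope. If this is the only job, prefer the workflow-root form used by the lint autofix so the two files read the same way; either way `contents: read` is sufficient here, because the release step authenticates to Sentry with `SENTRY_AUTH_TOKEN`, not with `GITHUB_TOKEN`.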
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
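Review bot: `uses: getsentry/action-release@v1.1.6` references a version tag, which the action's maintainers (or anyone who gains control of that repository) can move to different code; pin it to the full commit SHA of the release you reviewed and keep the tag in a trailing comment, e.g. `uses: getsentry/action-release@<full-commit-sha> # v1.1.6`. This matters more than usual here because the step is handed `SENTRY_AUTH_TOKEN`, so a retagged action would run with that secret.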
Check warning: Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium)
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning: Code scanning / CodeQL: Log injection (Medium)
Copilot Autofix (AI, 8 days ago)
In general, untrusted input should be sanitized before being written to logs. For plain-text logs, the primary concern is removing or neutralizing newline and carriage-return characters so an attacker cannot break the log format and inject fake entries; it can also be useful to replace other non-printable characters.
The best targeted fix here is to sanitize event.body before including it in the log message on line 53, without changing the behavior of the search logic. We can do this inline by deriving a new sanitizedBody string from event.body that strips \r and \n and clearly labels it as user input. This keeps functionality intact: the request handling and parsing (line 54 onward) remain unchanged, because we only alter what is logged, not what is processed. A simple, dependency-free approach is to use String.prototype.replace with a regular expression to remove \r and \n, as suggested in the background section.
Concretely, in hub-search-proxy/handler.js:
- Within module.exports.search, replace the existing console.log on line 53 with:
  - A definition of const sanitizedBody = String(event.body).replace(/[\r\n]/g, ' ');
  - A new log call that uses sanitizedBody and clearly labels it as coming from the request body.

No new imports or helpers are required; all changes are local to this function.
| @@ -50,10 +50,10 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ' '); | ||
| console.log(`Received query body (sanitized): ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; | ||
| let from = 0; | ||
| let queryFilters = {}; | ||
| let queryFiltersCount = 0; |
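Review bot: the original `console.log(`Received query: ${event.body}`);` still appears next to the new sanitized call, and the header `@@ -50,10 +50,10 @@` counts 10 lines on both sides, so two lines must go for the two added; confirm the raw-body log line is one of them, otherwise `event.body` still reaches the log unsanitized. Separately, `.replace(/[\r\n]/g, ' ')` stops line forging but leaves other control characters (for example ESC, which opens terminal escape sequences) untouched, and the message logs the entire request body rather than just the query, so consider escaping all control characters and capping the logged length.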
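As an added example (not code from the PR or from hub-search-proxy), the sanitizer below generalises the autofix's CR/LF replacement to every control character and caps the logged length, then runs it over a constructed body that tries to forge a log entry; `sanitizeLogField`, `formatQueryLog` and `MAX_LOGGED_CHARS` are names chosen here, not names from the repository.

```javascript
// Added example, not code from the PR: a log-field sanitizer that extends the
// autofix's CR/LF replacement to every C0/C1 control character (so ESC-based
// terminal sequences are neutralised too) and caps the logged length.
const MAX_LOGGED_CHARS = 512; // assumed cap; size it for your log pipeline

// Replace every control character with a visible \xNN escape. Whatever the
// caller passes (including null/undefined or a Buffer) is stringified first,
// matching the String(event.body) call in the handler.
function sanitizeLogField(value) {
  const text = String(value);
  const escaped = text.replace(/[\u0000-\u001f\u007f-\u009f]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return `\\x${hex}`;
  });
  return escaped.length > MAX_LOGGED_CHARS
    ? `${escaped.slice(0, MAX_LOGGED_CHARS)}...[truncated]`
    : escaped;
}

// Build the single log line the handler would emit for a request body.
function formatQueryLog(body) {
  return `Received query body (sanitized): ${sanitizeLogField(body)}`;
}

// Constructed sample: a JSON query followed by CRLF, a forged "entry" and an
// ANSI erase-line sequence (ESC [ 2 K) intended to hide it in a terminal.
const forgedBody =
  '{"query":"covid"}\r\n[INFO] user admin authenticated\x1b[2K';

console.log(formatQueryLog(forgedBody));
// Logged as one line:
// Received query body (sanitized): {"query":"covid"}\x0d\x0a[INFO] user admin authenticated\x1b[2K
```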
Bumps @babel/traverse from 7.16.10 to 7.23.2.

Release notes
Sourced from @babel/traverse's releases. ... (truncated)

Changelog
Sourced from @babel/traverse's changelog. ... (truncated)

Commits
- b4b9942 v7.23.2
- b13376b Only evaluate own String/Number/Math methods (#16033)
- ca58ec1 v7.23.0
- 0f333da Add createImportExpressions parser option (#15682)
- 3744545 Fix linting
- c7e6806 Add t.buildUndefinedNode (#15893)
- 38ee8b4 Expand evaluation of global built-ins in @babel/traverse (#15797)
- 9f3dfd9 v7.22.20
- 3ed28b2 Fully support || and && in pluginToggleBooleanFlag (#15961)
- 77b0d73 v7.22.19

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.