Bump aws-sdk from 2.1087.0 to 2.1528.0 in /hub-search-proxy#448
Bump aws-sdk from 2.1087.0 to 2.1528.0 in /hub-search-proxy#448dependabot[bot] wants to merge 2154 commits intomasterfrom
Conversation
Login menu update
Fix failed start up due to Contentful type changes
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1087.0 to 2.1528.0. - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Commits](aws/aws-sdk-js@v2.1087.0...v2.1528.0) --- updated-dependencies: - dependency-name: aws-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
|
Dependabot tried to add |
lugn621
force-pushed
the
dependabot/npm_and_yarn/hub-search-proxy/aws-sdk-2.1528.0
branch
from
70963d1 to
0f8932e
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the fix is to explicitly set a permissions block that grants only the minimal scopes required for this linting job. Since the job only checks out code and installs/runs Node-based tools, it only needs read access to repository contents.
The best minimally invasive fix is to add a permissions block at the workflow root (top level, alongside name and on) so that it applies to all jobs. This avoids touching the job structure or steps and documents that the workflow only needs read access. Concretely, in .github/workflows/linting.yml, insert:
permissions:
contents: readbetween the existing name: Lint and on: keys. No imports or other changes are needed, and existing functionality is unchanged because all current operations are compatible with read-only contents access.
| @@ -1,5 +1,8 @@ | ||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, | ||
| # but only for the main branch |
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the fix is to add an explicit permissions block either at the workflow root (applies to all jobs) or inside the specific job, restricting GITHUB_TOKEN to the least privileges required. For this workflow, the actions used (actions/checkout and getsentry/action-release) need read access to the repository contents to check out the code and to associate releases/commits, but do not require write access to the repository itself. Therefore, contents: read is an appropriate minimal permission.
The single best fix without changing existing functionality is to add a permissions block at the workflow root, just under the name: line and before the on: key, setting contents: read. This will apply to the sentry-release job (and any future jobs without their own permissions block), ensuring the GITHUB_TOKEN is restricted. No imports or additional definitions are needed; this is a purely declarative GitHub Actions YAML change. Concretely, edit .github/workflows/sentry.yml to insert:
permissions:
contents: readafter line 1 (name: Sentry Release).
| @@ -1,4 +1,6 @@ | ||
| name: Sentry Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the fix is to sanitize user-controlled data before logging it, especially by removing or neutralizing newline (\n) and carriage return (\r) characters that can break log structure. Logging should also clearly delimit user input.
For this specific case, the best minimal fix is:
- Create a sanitized version of
event.bodywhere\nand\rare stripped (or otherwise made safe). - Use that sanitized value in the log message instead of the raw
event.body. - Keep the rest of the logic unchanged so that
JSON.parse(event.body)still operates on the original event data (no behavioral changes for request handling).
Concretely, in hub-search-proxy/handler.js, inside module.exports.search, just before logging, create a local variable (e.g., sanitizedBody) that:
- Coerces
event.bodyto string (to be robust if it isundefinedor non-string). - Replaces all
\rand\ncharacters with empty strings usingString.prototype.replaceand a suitable regular expression.
Then change theconsole.logto use this sanitized variable. No external dependencies are needed; all can be done with built-in string methods.
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
7 participants
Bumps aws-sdk from 2.1087.0 to 2.1528.0.
Release notes
Sourced from aws-sdk's releases.
... (truncated)
Commits
669f942Updates SDK to v2.1528.0bcf7da5docs: update readme to change maintenance announcement to early 2024 (#4564)f09e1bfUpdates SDK to v2.1527.085c94d5Updates SDK to v2.1526.0c93f082Updates SDK documentationdd03b38Updates SDK to v2.1525.0a4346deUpdates SDK to v2.1524.023b1e6cUpdates SDK to v2.1523.042a1c02Updates SDK to v2.1522.01984f89chore(console): skip neptunegraph from console repl (#4555)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)