@renovate renovate bot commented Mar 7, 2022

This PR contains the following updates:

Package | Change
isomorphic-git (source) | ^0.51.6 -> ^1.0.0

GitHub Vulnerability Alerts

CVE-2021-30483

isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository.


Release Notes

isomorphic-git/isomorphic-git

v1.8.2

Compare Source

Bug Fixes

v1.8.1

Compare Source

Bug Fixes

v1.8.0

Compare Source

Features

v1.7.8

Compare Source

Bug Fixes
  • CLI: isogit CLI throws "Error [ERR_REQUIRE_ESM]: Must use import to load ES Module" in Node 13+ (f2e3805)

v1.7.7

Compare Source

Bug Fixes
  • push: "Cannot read property 'packfiles' of undefined" error (#​1234) (629b4e1)

v1.7.6

Compare Source

Bug Fixes
  • fetch: fetching a commit hash with singleBranch: true (#​1225) (e66a6c2)

v1.7.5

Compare Source

Bug Fixes

v1.7.4

Compare Source

Bug Fixes
  • getRemoteInfo, getRemoteInfo2: throw UnknownTransportError for SSH urls (#​1199) (02045f6)

v1.7.3

Compare Source

Bug Fixes
  • push: fix regression introduced in v1.4.4 that broke pushing repos with submodules (#​1196) (55f2ade)

v1.7.2

Compare Source

Performance Improvements

v1.7.1

Compare Source

Bug Fixes

v1.7.0

Compare Source

Features

v1.6.0

Compare Source

Features
  • Added 'listServerRefs' and 'getRemoteInfo2' commands (#​1169) (b03f261)

v1.5.0

Compare Source

Features

v1.4.4

Compare Source

Performance Improvements

v1.4.3

Compare Source

Performance Improvements
  • push: don't send any objects if commit is already on remote (#​1137) (47b89c0)

v1.4.2

Compare Source

Performance Improvements

v1.4.1

Compare Source

Performance Improvements

v1.4.0

Compare Source

Features
  • include data.preview and data.response on all HttpErrors not just on SmartHttpErrors (#​1115) (9d3f0de)

v1.3.2

Compare Source

Bug Fixes

v1.3.1

Compare Source

Bug Fixes

v1.3.0

Compare Source

Features

v1.2.0

Compare Source

Features

v1.1.6

Compare Source

Bug Fixes
  • readObject: should return TreeObject not {entries: TreeObject} (#​1081) (0c1ec5a)

v1.1.5

Compare Source

Bug Fixes

v1.1.4

Compare Source

Bug Fixes

v1.1.3

Compare Source

Bug Fixes
  • TypeScript: remove 'AbortController' because it creates an implicit "DOM" lib dependency (7a7276a)

v1.1.2

Compare Source

Bug Fixes
  • remove undocumented 'debug' parameter that is upsetting TypeScript (b0b7b57)

v1.1.1

Compare Source

Bug Fixes
  • correct TS definition for http (1a4a8f8)

v1.1.0

Compare Source

Features

v1.0.0

Compare Source

I recommend you read the NICE RELEASE NOTES first.

These are the auto-generated release notes, which are exhaustive if not pretty.

1.0.0 (2020-02-26)

Bug Fixes
  • checkout: don't treat modified files as conflicted unless the file would actually change (#​1018) (321618f)
  • fetch, push: recognize more git config settings (#​1033) (a4e5aee)
  • types: tweak onAuth typings + add http.d.ts (#​1053) (7b05b3d)
  • fetch without a 'ref' param should still work if HEAD points to a non-existing branch (#​1055) (429fde1)
  • isogit CLI had wrong import path to ./http/node (ec1dce0)
  • Merge branch 'master' into beta (#​872) (b9e5db4)
  • pathological graph traversal in findMergeBase (#​1057) (8e53088)
  • tweak error types (#​1061) (424255b)
  • update Web Worker example (32b64ca)
  • use .js extension for http/web UMD build (4a6a1c2)

chore

Features

BREAKING CHANGES
  • E has been removed and replaced by Errors. The errors are typed so if you use an instanceof comparison in the catch statement, auto-completion on their .data property works. There are fewer errors total, they have shorter names, and thus the resulting gzip bundle is smaller despite the addition of 28 new classes. Lastly, the distinction between Fail and Error has been removed since it was subjective.

Here's the complete breakdown of which Errors classes replaced which E codes:

  • AlreadyExistsError replaces AddingRemoteWouldOverwrite, NoteAlreadyExistsError, RefExistsError
  • AmbiguousError replaces AmbiguousShortOid
  • CheckoutConflictError replaces CheckoutConflictError
  • CommitNotFetchedError replaces CommitNotFetchedError
  • EmptyServerResponseError replaces EmptyServerResponseFail
  • FastForwardError replaces FastForwardFail
  • GitPushError replaces GitPushError
  • HttpError replaces HTTPError
  • InternalError replaces InternalFail
  • InvalidFilepathError replaces DirectorySeparatorsError
  • InvalidOidError replaces CorruptShallowOidFail, NotAnOidFail
  • InvalidRefNameError replaces InvalidRefNameError
  • MaxDepthError replaces MaxSearchDepthExceeded
  • MergeNotSupportedError replaces MergeNotSupportedFail
  • MissingNameError replaces MissingAuthorError, MissingCommitterError, MissingTaggerError
  • MissingParameterError replaces MissingRequiredParameterError
  • NoRefspecError replaces NoRefspecConfiguredError
  • NotFoundError replaces ExpandRefError, FileReadError, GitRootNotFoundError, ReadObjectFail, RefNotExistsError, ResolveRefError, ShortOidNotFound, TreeOrBlobNotFoundError
  • ObjectTypeError replaces DirectoryIsAFileError, ObjectTypeAssertionFail, ObjectTypeAssertionInPathFail, ObjectTypeAssertionInTreeFail, ObjectTypeUnknownFail, ResolveCommitError, ResolveTreeError
  • ParseError replaces AssertServerResponseFail, UnparseableServerResponseFail
  • PushRejectedError replaces PushRejectedNonFastForward, PushRejectedTagExists
  • RemoteCapabilityError replaces RemoteDoesNotSupportDeepenNotFail, RemoteDoesNotSupportDeepenRelativeFail, RemoteDoesNotSupportDeepenSinceFail, RemoteDoesNotSupportShallowFail
  • SmartHttpError replaces RemoteDoesNotSupportSmartHTTP
  • UnknownTransportError replaces UnknownTransportError
  • UrlParseError replaces RemoteUrlParseError
  • UserCanceledError replaces UserCancelledError

The following error codes are no longer used / have no equivalent: AcquireLockFileFail, BranchDeleteError, CoreNotFound, DoubleReleaseLockFileFail, InvalidDepthParameterError, InvalidParameterCombinationError, MismatchRefValueError, NoHeadCommitError, NotImplementedFail, ObjectTypeAssertionInRefFail, PluginSchemaViolation, PluginUndefined, PluginUnrecognized

  • Drop official support for Safari 11
  • The author.date, committer.date, tagger.date parameters were removed in favor of author.timestamp, committer.timestamp, tagger.timestamp in order to be clear about what is actually written and better reflect the return types in readCommit, log, and readTag.
  • The username, password, token, and oauth2format params were removed and replaced with the onAuth callback. Since onAuth also replaced the credentialManager plugin, this means now there is a single way to do authentication instead of two.
  • The URL that's provided is now the URL that's used; no longer will they be "fixed" to end with .git since sometimes that actually makes things worse, and subverts user expectations. Accordingly, the noGitSuffix parameter has been removed since it's the default behavior. Furthermore, the User-Agent is now totally in the user's hands, because it is just a minefield, and I'm done trying to make sense of it. I added a Headers page to the docs documenting what I know about User-Agent + GitHub + CORS + Chrome bugs.
  • The verify function has been removed, and the signature property of TagObject renamed to gpgsig to match CommitObject. Since log, readCommit, and readTag all include the gpgsig and signing payload in their return values now, it is simpler and more efficient to do the verification outside of isomorphic-git. See the documentation for the onSign parameter for complete code examples.
  • The newSubmoduleBehavior parameter has been removed and is now the default and only behavior, because it is good. And the noSubmodules parameter has been removed and is also the default and only behavior. (This only affects you if you a) liked seeing the console warnings or b) were using statusMatrix to traverse submodules for some reason.)
  • push: the push function now throws if any of the refs on the remote were not updated successfully. It also returns a nicely typed result object organized by ref, rather than a loose collection of strings organized by outcome.
  • fetch, push: the fetch and push functions now respect previously ignored git config settings like: branch.${ref}.pushRemote, remote.pushDefault, remote.${remote}.pushurl, and branch.${ref}.merge. (Note the pull command already respected branch.${ref}.merge but fetch did not.)
  • isomorphic-git no longer has a node HTTP client hard-coded into the main file and a browser HTTP client hard-coded into the module file. The HTTP clients are now in their own files; users pick one, import it, and provide it to functions that make requests.
  • the plugin system has been removed and we're returning to simply passing in arguments and callbacks, because it is simpler, has better locality, and avoids global state.
  • readObject and writeObject have been updated to use the same object schemas used in readCommit, readTree, and readTag. And they are actually documented now in the docs. (The main change is trees are simply arrays now, rather than objects with a .entries property.) The types returned by readObject also form a proper discriminated union so TypeScript will infer the type of .object given .format and .type.
  • The undocumented param aliases authUsername and authPassword are removed in favor of username and password.
  • plugins.set has been replaced by plugins.fs, plugins.emitter, plugins.credentialManager, plugins.pgp, and plugins.http.
  • onAuth: The token and oauth2format properties have been removed from the GitAuth interface, which makes it much simpler and eliminates a dozen GitErrors handling specific edge cases.

A headers property has been added to the GitAuth interface. This makes onAuth much more powerful because you can inject whatever HTTP headers you want.

The onAuthFailed callback now lets you return a GitAuth object. This means you can keep retrying to authenticate as many times as you like.

A cancel property has been added to the GitAuth interface. This means you gracefully give up authenticating and the function will throw an E.UserCancelledError instead of an E.HTTPError.

  • The deprecated fs and emitter params have been removed. They've been superseded by the fs and emitter plugins.
  • The internal-apis are no longer included in the npm package. I never really intended that; they were just for running unit tests. Also, I renamed dist/for-future/isomorphic-git/index.js to dist/index.js and dist/for-node/isomorphic-git/index.js to dist/index.cjs.

And I removed the jasmine fallback. I'm sorry jest uses native modules, but it's just too good not to use and maintaining a fallback test runner is an added complication.

  • As a historical accident, message events were trimmed. This was lossy and removed valuable information, such as an '\r' by itself, which is a signal to update the existing line instead of appending a new one. The rawmessage event was added as a temporary workaround to expose the untrimmed data. The rawmessage event has been removed and from now on, message events emit the full untrimmed data.
  • Any functions that returned Buffer objects now instead return Uint8Array objects. This is so we can eventually drop the bloated Buffer browser polyfill.
  • The sign command was deprecated a while ago (back when commit got a signingKey param) and has now been removed.
  • The autoTranslateSSH feature has been removed since it's kind of hacky, and it's trivial to implement your own version using the data.suggestion property of the UnknownTransportError when something fails.
  • The signing argument of log has been removed, and log now returns an array of objects with the same interface as those returned from readCommit. Also, the log function will throw now instead of returning errors as objects inside the result array. This greatly simplifies the TS definition (which previously consisted of 3 different overloaded variations) so that we can generate the TS definitions directly from the JSDoc in the future.
  • the pattern param added two dependencies to the project (globrex and globalyzer) for very little benefit since we haven't ended up using globbing anywhere else in the library. The same result can be achieved via the new function parameter filter which lets you provide the pattern-matching logic yourself.
  • the fastCheckout function has been renamed checkout and the old checkout function has been removed entirely.
  • the walkBeta2 function has been renamed walk and the walkBeta1 function has been removed entirely.
  • the browser (and node) versions tested in CI have been bumped. Future releases are not guaranteed to work on the older versions anymore.
  • core has been replaced by plugins.createCore and plugins.deleteCore.

v0.78.5

Compare Source

Bug Fixes

v0.78.4

Compare Source

Bug Fixes
Performance Improvements
  • indexPack: remove profiling code that has a linear overhead (#​1039) (ea7524e)

v0.78.3

Compare Source

Bug Fixes
  • fastCheckout: don't treat modified files as conflicted unless the file would actually change (#​1017) (7ebc583)

v0.78.2

Compare Source

Bug Fixes

v0.78.1

Compare Source

Bug Fixes

v0.78.0

Compare Source

Features
  • clone, checkout, fastCheckout, pull: Added 'newSubmoduleBehavior' param (#​988) (2c980e0)

v0.77.1

Compare Source

Bug Fixes

v0.77.0

Compare Source

Features

v0.76.0

Compare Source

Features

v0.75.1

Compare Source

Bug Fixes
  • checkout: files that don't match filepaths/pattern should be untouched (#​977) (6e19496)

v0.75.0

Compare Source

Features
  • Added 'addNote', 'listNotes', 'removeNote', and 'readNote' commands (#​959) (92a7e83)

v0.74.0

Compare Source

Features
  • add typed alternatives to readObject/writeObject (#​970) (5010dac)

v0.73.3

Compare Source

Bug Fixes

v0.73.2

Compare Source

Bug Fixes

v0.73.1

Compare Source

Performance Improvements

v0.73.0

Compare Source

Features

v0.72.1

Compare Source

Bug Fixes
  • fetch, clone, push, pull: include 'suggestion' in UnknownTransportError for SSH urls (#​955) (ba6e444)

v0.72.0

Compare Source

Features
  • checkout, clone: add noSubmodule parameter to hide warning (adaeb28)

v0.71.0

Compare Source

Features
  • fetch, push, clone, pull: add autoTranslateSSH param (#​946) (661f74e)

v0.70.9

Compare Source

Bug Fixes
  • config section and variable names are allowed to have - not _ (#​945) (495f294)

v0.70.8

Compare Source

Bug Fixes
  • resolve "treeNotSorted: not properly sorted" git fsck error (#​937) (74a6905)

v0.70.7

Compare Source

Bug Fixes
  • types: type of isDescendent depth argument should be number, not string (#​914) (3f84b78)

v0.70.6

Compare Source

Bug Fixes

v0.70.5

Compare Source

Bug Fixes

v0.70.4

Compare Source

Bug Fixes
  • statusMatrix: fix a bug in walkBeta2 that resulted in doubled entries (#​923) (1aca370)

v0.70.3

Compare Source

Bug Fixes
  • if 'oauth2format' is set, silently strip credentials from URLs rather than error (#​920) (d9aa842)

v0.70.2

Compare Source

Performance Improvements

v0.70.1

Compare Source

Bug Fixes
  • fastCheckout: bug in noUpdateHead logic and add missing TS types (#​910) (e30bbed)

v0.70.0

Compare Source

Features

v0.69.0

Compare Source

Features

v0.68.0

Compare Source

Features

v0.67.5

Compare Source

Bug Fixes
  • walkBeta1: fix error if .populateHash is called without calling .populateStat first (#​895) (6d3238a)

v0.67.4

Compare Source

Bug Fixes
  • fetch: remove 'thin-pack' from advertised capabilities (#​893) (8f2251e)

v0.67.3

Compare Source

Performance Improvements

v0.67.2

Compare Source

Bug Fixes

v0.67.1

Compare Source

Bug Fixes
  • merge: fix 'Failed to read git object' errors caused by shallow repos (#​859) (8793a2a)

v0.67.0

Compare Source

Features

v0.66.0

Compare Source

Features
  • Added 'dryRun' to commit and 'noUpdateBranch' to merge (#​843) (5f49791)

v0.65.1

Compare Source

Bug Fixes
  • remove extra slash from readdir paths that might fail on custom 'fs' implementations (#​838) (#​838) (a7eafee)

v0.65.0

Compare Source

Features

v0.64.6

Compare Source

Bug Fixes

v0.64.5

Compare Source

Bug Fixes
  • branch: works in empty repos (if 'checkout: true') (#​825) (6518bf1)

v0.64.4

Compare Source

Bug Fixes

v0.64.3

Compare Source

Bug Fixes

v0.64.2

Compare Source

Bug Fixes
  • was marking commits shallow that were not shallow (#​817) (29fface)

v0.64.1

Compare Source

Bug Fixes
  • pull: Added 'author', 'committer', 'signingKey' parameters (#​816) (251ebaf)

v0.64.0

Compare Source

Features

v0.63.0

Compare Source

Features

v0.62.0

Compare Source

Features

v0.61.0

Compare Source

Features
  • Added 'ref', 'noUpdateBranch' parameters to commit command (#​812) (30d6751)

v0.60.2

Compare Source

Bug Fixes

v0.60.1

Compare Source

Bug Fixes

v0.60.0

Compare Source

Features

v0.59.0

Compare Source

Features

v0.58.2

Compare Source

Bug Fixes

v0.58.1

Compare Source

Performance Improvements

v0.58.0

Compare Source

Features
  • Added 'filepaths' parameter to statusMatrix and checkout commands (#​786) (94b11fd)

v0.57.1

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from 0e69729 to 8920d2d Compare March 26, 2022 14:20
@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from 8920d2d to 14ce083 Compare April 24, 2022 22:50
@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from 14ce083 to 1a6209e Compare May 15, 2022 20:41
@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from 1a6209e to 5a2dc5d Compare June 18, 2022 13:55
@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from 5a2dc5d to 3bb0b7b Compare September 25, 2022 17:20
@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from 3bb0b7b to f258ea8 Compare November 20, 2022 12:19
@renovate renovate bot force-pushed the renovate/npm-isomorphic-git-vulnerability branch from f258ea8 to 943894d Compare March 18, 2023 06:04
@renovate renovate bot changed the title Update dependency isomorphic-git to 1.8.2 [SECURITY] Update dependency isomorphic-git to v1 [SECURITY] Mar 24, 2023
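
The advisory quoted in this PR covers every isomorphic-git release before 1.8.2, while the new manifest range ^1.0.0 still admits 1.0.0 through 1.8.1, so the version pinned in the lockfile is what decides exposure. The check below is an added example, not code from this PR, Renovate or isomorphic-git; it scans a parsed package-lock.json for affected copies, including nested ones. The sample lockfile and the package names `some-tool` and `other-tool` are constructed for illustration.

```javascript
// Added example: flag isomorphic-git versions affected by CVE-2021-30483 in a lockfile.
const FIXED = [1, 8, 2]; // first fixed release per the advisory text ("before 1.8.2")

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL, tag or garbage: cannot prove it is fixed, so fail closed
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a prerelease of 1.8.2 sorts before 1.8.2
}

// The lowest version a caret/tilde range admits is its base version.
function rangeAdmitsAffected(range) {
  return isAffected(String(range).replace(/^[\^~]/, ''));
}

function findAffected(lock, name = 'isomorphic-git') {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (isTarget && isAffected(meta.version)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested dependency tree
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail ? `${trail} > ${dep}` : dep;
      if (dep === name && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "some-tool" and "other-tool" are hypothetical packages.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'isomorphic-git': '^1.0.0' } },
    'node_modules/isomorphic-git': { version: '1.8.1' },
    'node_modules/some-tool/node_modules/isomorphic-git': { version: '0.51.6' },
    'node_modules/other-tool/node_modules/isomorphic-git': { version: '1.8.2' },
  },
};

console.log(rangeAdmitsAffected('^1.0.0'), findAffected(sampleLock));
```

An empty result from `findAffected` means every resolved copy is at 1.8.2 or later; a transitive copy pinned by another package shows up under its nested path and is not moved by this PR's manifest change alone.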