chore: update jsonpath-plus to fix cve-2024-21534 (#54)

* chore: update jsonpath-plus to fix cve-2024-21534

* chore: update dependencies

* fix: github provider for updated axios

* chore: update node to v22

* feat: fast audit processor

Author: joelkeener

.eslintrc.js

@@ -0,0 +1,39 @@
+module.exports = {
+    env: {
+        es2022: true,
+        mocha: true,
+        node: true
+    },
+
+    parserOptions: {
+        ecmaVersion: 2023,
+        sourceType: 'script'
+    },
+
+    rules: {
+        indent: ['error', 4],
+        'no-param-reassign': 'off',
+        'class-methods-use-this': 'off',
+        'no-underscore-dangle': 'off',
+
+        // Allow function declarations at the bottom of a file. They are hoisted in ES6.
+        'no-use-before-define': ['error', { functions: false }],
+
+        // named funcs in stacktrace
+        'func-names': ['error', 'as-needed'],
+
+        'function-call-argument-newline': ['error', 'consistent'],
+        'function-paren-newline': ['error', 'consistent'],
+
+        // only set strict mode when necessary
+        'strict': ['error', 'global'],
+
+        'max-len': ['error', 120, 2, {
+            ignoreUrls: true,
+            ignoreComments: false,
+            ignoreRegExpLiterals: true,
+            ignoreStrings: true,
+            ignoreTemplateLiterals: true
+        }]
+    }
+};

.github/workflows/pipeline.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [12.x]
+        node-version: [22.x]
     steps:
     - uses: actions/checkout@v2
     - name: Setup Node.js ${{ matrix.node-version }}
@@ -22,14 +22,14 @@ jobs:
     continue-on-error: true
     strategy:
       matrix:
-        node-version: [12.x]
+        node-version: [22.x]
     steps:
     - uses: actions/checkout@v2
     - name: Setup Node.js ${{ matrix.node-version }}
       uses: actions/setup-node@v1
       with:
         node-version: ${{ matrix.node-version }}
-    - run: npm ci && npm audit --production
+    - run: npm ci && npm run audit-production
   publish:
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags')
     needs: [test, audit]
@@ -39,7 +39,7 @@ jobs:
     - name: Setup Node.js ${{ matrix.node-version }}
       uses: actions/setup-node@v1
       with:
-        node-version: 12
+        node-version: 22
         registry-url: https://registry.npmjs.org/
     - run: npm ci
     - run: npm publish --access public

lib/github_provider.js

@@ -68,8 +68,16 @@ class GitHubContentsApi {
                 }
             }))
             .catch(e => this._handleResponseError(e, `get contents for ${contentPath}`))
-            .then(resp => resp.data.content)
-            .then(data => Buffer.from(data, 'base64').toString('utf8'));
+            .then((resp) => {
+                if (typeof resp.data === 'string' && !(resp.data.startsWith('{') || resp.data === '')) {
+                    return resp.data;
+                }
+                const jsonData = typeof resp.data === 'string' ? JSON.parse(resp.data) : resp.data;
+                if (!jsonData || !jsonData.content) {
+                    return Promise.reject(new Error(`File not found: ${contentPath}`));
+                }
+                return Buffer.from(jsonData.content, 'base64').toString('utf8');
+            });
     }
 }