Fix dependency conflicts, fix vulnerabilities / update dependencies #4
This should have been done as part of rustsec#1.
This fixes CVE-2021-32804 / GHSA-3jfq-g458-7qm9 for that package.
Fixes CVE-2020-28469 in that package.
Fixes CVE-2021-33502 (ReDoS) in normalize-url.
Fixes CVE-2021-23362 (ReDoS vulnerability) in hosted-git-info.
Attempt to work around the `Error: error:0308010C:digital envelope routines::unsupported [...] ERR_OSSL_EVP_UNSUPPORTED` error in the build step.
Fixes CVE-2020-7774 (prototype pollution) in y18n.
Fixes CVE-2020-11021 in @actions/http-client.
Fixes CVE-2021-27290 (ReDoS vulnerability) in ssri.
Fixes CVE-2020-8203 (prototype pollution vulnerability) in lodash.
Fixes CVE-2020-7788 (prototype pollution vulnerability) in ini.
Fixes GHSA-jmqm-f2gx-4fjv (sensitive information exposure through logs) in npm-registry-fetch.
Fixes CVE-2020-15228 (environment variable injection) in @actions/core.
Fixes CVE-2020-15168 in node-fetch.
Fixes CVE-2021-3807 (ReDoS vulnerability) in ansi-regex.
Fixes CVE-2022-38900 (DoS) in decode-uri-component.
Fixes CVE-2021-3777 (ReDoS vulnerability) in tmpl.
Fixes CVE-2022-24999 (prototype pollution) in qs.
Fixes CVE-2022-3517 (ReDoS vulnerability) in minimatch.
Fixes CVE-2022-46175 (prototype pollution) in json5.
Fixes CVE-2022-25881 (ReDoS vulnerability) in http-cache-semantics.
Fixes CVE-2021-44906 (prototype pollution) in minimist.
Fixes CVE-2021-23343 (ReDoS vulnerability) in path-parse.
Fixes CVE-2021-20066 in jsdom.
Fixes CVE-2020-15366 (prototype pollution) in ajv.
Fixes GHSA-hxwm-x553-x359 (command injection vulnerability) in @npmcli/git.
Fixes a prototype pollution in nunjucks. See <mozilla/nunjucks#1331> for more information.
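Most of the advisories above are in transitive dependencies, so bumping a direct dependency in package.json is not enough: the check a reviewer wants is that every installed copy in the lockfile, nested ones included, is at or above the fixed version. The following is an added example (not part of this PR or the project's code) that walks a package-lock.json in either the nested lockfileVersion 1 layout or the flat lockfileVersion 2/3 layout and reports copies below a floor. The sample lockfiles are constructed, and the floor table is illustrative input that you fill from the advisories you are tracking.

```javascript
// Added example, not from the PR: flag lockfile entries below a known-fixed version.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// Minimal numeric major.minor.patch comparison; pre-release suffixes are dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: dependencies nest under each package's own "dependencies".
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    yield { name, version: meta.version, path };
    if (meta.dependencies) yield* walkV1(meta.dependencies, `${path}/node_modules`);
  }
}

// Yield every installed copy of every package as {name, version, path}.
function* installedPackages(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: keys are node_modules paths; "" is the root project.
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue;
      const marker = 'node_modules/';
      const name = p.slice(p.lastIndexOf(marker) + marker.length); // keeps "@scope/name"
      yield { name, version: meta.version, path: p };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, 'node_modules');
  }
}

// floors: { packageName: minimumFixedVersion }. One finding per copy below its floor.
function findBelowFloor(lock, floors) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const floor = floors[pkg.name];
    if (floor && compareVersions(pkg.version, floor) < 0) {
      findings.push({ ...pkg, floor });
    }
  }
  return findings;
}

// Constructed floor table (illustrative; confirm each value against the advisory).
const SAMPLE_FLOORS = {
  lodash: '4.17.19',
  minimist: '1.2.6',
  '@actions/core': '1.2.6',
};

// Constructed lockfileVersion 1 sample: top-level lodash is fine, a nested copy is not.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.21' },
    'some-tool': {
      version: '1.0.0',
      dependencies: { lodash: { version: '4.17.15' } },
    },
    minimist: { version: '1.2.6' },
  },
};

// Constructed lockfileVersion 3 sample with a scoped package and one stale entry.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project' },
    'node_modules/minimist': { version: '1.2.5' },
    'node_modules/@actions/core': { version: '1.2.6' },
  },
};

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V3]) {
  for (const f of findBelowFloor(lock, SAMPLE_FLOORS)) {
    console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.floor}`);
  }
}
```

To run it against a real lockfile, replace the constructed samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-copy case is the one `npm audit` output is easy to misread, since the top-level version can look patched while an older copy survives under another package.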
Now that #3 has been merged, I made some minor adjustments (new version number, changelog) and this PR is ready for review.
I forked the actions-rs/core to rinse-repeat/actions-rs-core which I published to npmjs - now we don't need the token.
(Note: This draft will probably get rebased after #3 has been merged, and it will probably get a changelog entry and a version bump, too.)
This pull request attempts to:
jest/ts-jest/@types/jest) that made a clean `npm install` impossible,

I am creating this PR so that any potential reviewers can get over the shock of having a PR with more than 10000 additions and deletions, and to give you the opportunity to state whether you want me to split it into smaller PRs.