fix(gha): Use single quotes for string literals#108

Merged
BYK merged 1 commit into master from byk/fix/gha-publish-str
Jun 15, 2020
Conversation

@BYK (Member) commented Jun 15, 2020

No description provided.

@BYK BYK requested a review from jan-auer June 15, 2020 16:17
@BYK BYK merged commit 2c576c6 into master Jun 15, 2020
@BYK BYK deleted the byk/fix/gha-publish-str branch June 15, 2020 16:56
jan-auer added a commit that referenced this pull request Jun 18, 2020
* master: (23 commits)
  feat(crates): Add noDevDeps option (#112)
  fix: Write to cache in base artifact provider
  fix: Logger scopes for gcs and artifact providers
  build(ci): Have better defaults for CI environments (#110)
  fix(gha): Use single quotes for string literals (#108)
  ref(gha): Remove ENV inputs, add no-merge and keep-branch (#107)
  fix(docker): Fix CARGO_HOME and RUST_HOME since GHA changes HOME (#106)
  docs: Add missing CHANGELOG entry for cargo upgrade (#105)
  build(docker): Upgrade cargo to a recent version (#104)
  fix(gha): Remove no-merge and keep-branch temporarily
  fix(gha): Try to skip empty args using null
  fix(gha): Remove defaults on craft arguments
  fix(gha): Only pass publish args to publish
  feat(gha): Add GitHub Action for Craft (#103)
  docs: Fix `changelogPolicy` enum (#102)
  build(docker): Add a `craft` binary into the Docker image (#101)
  docs: Fix `artifactProvider` example (#100)
  release: 0.10.0
  meta: Update Changelog
  build(gcb): Add a public Docker image (#99)
  ...
BYK added a commit that referenced this pull request Feb 26, 2026
- Remove `rimraf`, `@types/rimraf`, and `@sentry/typescript` dev deps:
  - Replace `rimraf()` call in `files.ts` with Node 22 built-in `fs.rm()`
  - Update `clean` script to use `rm -rf` directly
  - Inline `@sentry/typescript/tsconfig.json` settings into `tsconfig.build.json`
    to eliminate the `tslint` transitive dependency tree
- Add `pnpm.overrides` to force patched versions of vulnerable transitive deps:
  - `minimatch >= 10.2.1` (CVE-2026-26996, High, ReDoS — alerts #111-114)
  - `ajv@<6.14.0 → ^6.14.0` (CVE-2025-69873, Medium, ReDoS — alert #110)
- Add `devalue >= 5.6.3` override in `docs/` (GHSA-33hq/8qm3, Low — alerts #108-109)
BYK added a commit that referenced this pull request Feb 27, 2026
## Summary

Fixes 7 open Dependabot alerts by eliminating vulnerable transitive
dependencies where possible, and using `pnpm.overrides` to force patched
versions otherwise.

## Changes

**Removed legacy dev dependencies** (eliminating entire vulnerable
sub-trees):
- `@sentry/typescript` — only used for its `tsconfig.json`; dragged in
`tslint` → `minimatch 3.x` (CVE-2026-26996). Settings inlined directly
into `tsconfig.build.json`.
- `rimraf` + `@types/rimraf` — single call site in `files.ts` replaced
with `fs.rm()` (Node 22 built-in); `@types/rimraf` was pulling
`@types/glob` → `glob@13` → `minimatch 10.x` (vulnerable).

**Added `pnpm.overrides`** to force patched transitive deps:
- `"minimatch": ">=10.2.1"` — fixes alerts #111–114 (CVE-2026-26996,
High, ReDoS). After removing the above deps, all remaining minimatch
consumers are on 10.x, making a blanket override safe.
- `"ajv@<6.14.0": "^6.14.0"` — fixes alert #110 (CVE-2025-69873, Medium,
ReDoS). Pulled in by `eslint` → `@eslint/eslintrc`. Using `^6` (not
`>=`) to stay within the v6 API boundary that eslint requires.
- `"devalue": ">=5.6.3"` in `docs/package.json` — fixes alerts #108–109
(Low, DoS + prototype pollution via Astro/Starlight transitive dep).

## Verification

- `pnpm build`: ✓
- `pnpm lint`: ✓
- `pnpm test`: 884 passing (6 pre-existing e2e failures unrelated to
this change — require `EDITOR` env var for git commits)