
build(ci): Have better defaults for CI environments#110

Merged
BYK merged 3 commits into master from byk/build/better-ci-defaults on Jun 15, 2020

Conversation

@BYK (Member) commented Jun 15, 2020

@BYK BYK requested review from jan-auer and tonyo June 15, 2020 18:28
@jan-auer (Member) left a comment

The change generally makes sense; in CI the uploads will never be resumable.

Regardless though, have you thought about giving craft a writable home directory somehow? The same problem has occurred with setting up cargo, and I'm pretty sure we'll have more targets that will try to write to $HOME.

@BYK (Member, Author) commented Jun 15, 2020

> Regardless though, have you thought about giving craft a writable home directory somehow? The same problem has occurred with setting up cargo, and I'm pretty sure we'll have more targets that will try to write to $HOME.

Yup, we may use /tmp for that. I think assuming $HOME to be writable may not be the best idea though. I had similar issues with a proprietary CI system in the past (assuming $HOME to be writable where it was not).
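The fallback the two comments circle around (do not assume $HOME is writable; disable resumable uploads in CI), sketched as an added POSIX shell example that is not craft's own code. The `CRAFT_STATE_DIR` variable and the `$HOME/.craft` path are hypothetical names; `CI=true` is the conventional variable most CI systems export.

```shell
#!/bin/sh
# Added example, not craft's own code. Picks a directory a release tool may
# write to instead of assuming $HOME is writable, and turns resumable uploads
# off in CI. CRAFT_STATE_DIR and $HOME/.craft are hypothetical names.

# in_ci: succeeds when the conventional CI variable is set to "true".
in_ci() {
  [ "${CI:-}" = "true" ]
}

# resumable_uploads_enabled: a resumed upload needs local state from an
# earlier run; CI jobs start from a clean workspace, so default to off there.
resumable_uploads_enabled() {
  if in_ci; then
    return 1
  fi
  return 0
}

# pick_state_dir: print a writable state directory, trying in order:
#   1. an explicit CRAFT_STATE_DIR override (hypothetical variable),
#   2. $HOME/.craft when $HOME exists and is writable,
#   3. a fresh private directory from mktemp -d. A fixed path such as
#      /tmp/craft would be predictable and shared with every user on the host,
#      which is why the name is randomised and the mode forced to 0700.
pick_state_dir() {
  if [ -n "${CRAFT_STATE_DIR:-}" ] && [ -d "$CRAFT_STATE_DIR" ] \
     && [ -w "$CRAFT_STATE_DIR" ]; then
    printf '%s\n' "$CRAFT_STATE_DIR"
    return 0
  fi
  if [ -n "${HOME:-}" ] && [ -d "$HOME" ] && [ -w "$HOME" ]; then
    dir="$HOME/.craft"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
    return 0
  fi
  # umask 077 in a subshell keeps the directory private regardless of the
  # caller's umask; the subshell leaves the caller's umask untouched.
  (umask 077 && mktemp -d "${TMPDIR:-/tmp}/craft-state.XXXXXX")
}
```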

@BYK BYK merged commit 1446dfc into master Jun 15, 2020
@BYK BYK deleted the byk/build/better-ci-defaults branch June 15, 2020 18:58
jan-auer added a commit that referenced this pull request Jun 18, 2020
* master: (23 commits)
  feat(crates): Add noDevDeps option (#112)
  fix: Write to cache in base artifact provider
  fix: Logger scopes for gcs and artifact providers
  build(ci): Have better defaults for CI environments (#110)
  fix(gha): Use single quotes for string literals (#108)
  ref(gha): Remove ENV inputs, add no-merge and keep-branch (#107)
  fix(docker): Fix CARGO_HOME and RUST_HOME since GHA changes HOME (#106)
  docs: Add missing CHANGELOG entry for cargo upgrade (#105)
  build(docker): Upgrade cargo to a recent version (#104)
  fix(gha): Remove no-merge and keep-branch temporarily
  fix(gha): Try to skip empty args using null
  fix(gha): Remove defaults on craft arguments
  fix(gha): Only pass publish args to publish
  feat(gha): Add GitHub Action for Craft (#103)
  docs: Fix `changelogPolicy` enum (#102)
  build(docker): Add a `craft` binary into the Docker image (#101)
  docs: Fix `artifactProvider` example (#100)
  release: 0.10.0
  meta: Update Changelog
  build(gcb): Add a public Docker image (#99)
  ...
BYK added a commit that referenced this pull request Feb 26, 2026
- Remove `rimraf`, `@types/rimraf`, and `@sentry/typescript` dev deps:
  - Replace `rimraf()` call in `files.ts` with Node 22 built-in `fs.rm()`
  - Update `clean` script to use `rm -rf` directly
  - Inline `@sentry/typescript/tsconfig.json` settings into `tsconfig.build.json`
    to eliminate the `tslint` transitive dependency tree
- Add `pnpm.overrides` to force patched versions of vulnerable transitive deps:
  - `minimatch >= 10.2.1` (CVE-2026-26996, High, ReDoS — alerts #111-114)
  - `ajv@<6.14.0 → ^6.14.0` (CVE-2025-69873, Medium, ReDoS — alert #110)
- Add `devalue >= 5.6.3` override in `docs/` (GHSA-33hq/8qm3, Low — alerts #108-109)
BYK added a commit that referenced this pull request Feb 27, 2026
## Summary

Fixes 7 open Dependabot alerts by eliminating vulnerable transitive
dependencies where possible, and using `pnpm.overrides` to force patched
versions otherwise.

## Changes

**Removed legacy dev dependencies** (eliminating entire vulnerable
sub-trees):
- `@sentry/typescript` — only used for its `tsconfig.json`; dragged in
`tslint` → `minimatch 3.x` (CVE-2026-26996). Settings inlined directly
into `tsconfig.build.json`.
- `rimraf` + `@types/rimraf` — single call site in `files.ts` replaced
with `fs.rm()` (Node 22 built-in); `@types/rimraf` was pulling
`@types/glob` → `glob@13` → `minimatch 10.x` (vulnerable).

**Added `pnpm.overrides`** to force patched transitive deps:
- `"minimatch": ">=10.2.1"` — fixes alerts #111–114 (CVE-2026-26996,
High, ReDoS). After removing the above deps, all remaining minimatch
consumers are on 10.x, making a blanket override safe.
- `"ajv@<6.14.0": "^6.14.0"` — fixes alert #110 (CVE-2025-69873, Medium,
ReDoS). Pulled in by `eslint` → `@eslint/eslintrc`. Using `^6` (not
`>=`) to stay within the v6 API boundary that eslint requires.
- `"devalue": ">=5.6.3"` in `docs/package.json` — fixes alerts #108–109
(Low, DoS + prototype pollution via Astro/Starlight transitive dep).

## Verification

- `pnpm build`: ✓
- `pnpm lint`: ✓
- `pnpm test`: 884 passing (6 pre-existing e2e failures unrelated to
this change — require `EDITOR` env var for git commits)