
chore: update pnpm-lock.yaml #12014

Merged
zkochan merged 3 commits into main from chore/update-lockfile on Jun 2, 2026
Conversation

zkochan (Member) commented May 28, 2026

This PR updates the lockfile to pick up the latest compatible versions of dependencies.

This is an automated PR created by the update-lockfile workflow.

Summary by CodeRabbit

  • Chores
    • Bumped development package manager and Node runtime patch versions to a newer release for improved compatibility and stability.
    • Updated CI, benchmark, and release workflows to use the new runtime version.
    • Added automatic synchronization so script and workflow runtime pins stay aligned with the declared Node runtime across the repository.

coderabbitai Bot commented May 28, 2026

📝 Walkthrough

Bumps pnpm to 11.5.1 and Node runtime to 26.3.0 in package.json and updates CI/benchmark/release workflows. Adds meta-updater logic to read devEngines.runtime and rewrite any node@runtime:<x.y.z> pins in package scripts and workflow YAML to match that runtime version.

Changes

Tooling and Runtime Version Updates

Layer / File(s) Summary
Package manager and Node runtime version bumps
package.json
packageManager and devEngines.packageManager.version updated to pnpm@11.5.1; devEngines.runtime.version updated to node@26.3.0; compile-only script target updated to node@runtime:26.3.0.
Workflow Node pin updates
.github/workflows/benchmark.yml, .github/workflows/ci.yml, .github/workflows/release.yml
Replaced node@26.0.0 pins with node@26.3.0 in benchmark, CI matrix/exclude, and release workflow steps.
Meta-updater import and YAML format
.meta-updater/src/index.ts
Adds createFormat import and yamlTextFormat to preserve workflow YAML formatting when editing.
Derive and propagate runtime version in updater flow
.meta-updater/src/index.ts
Derives nodeRuntimeVersion from the workspace root manifest and passes it into monorepo-root manifest update flow to synchronize scripts and workflows.
Script and workflow sync helpers
.meta-updater/src/index.ts
Introduces readNodeRuntimeVersion(workspaceDir), syncNodeRuntimeInScripts(manifest, version) to regex-replace node@runtime:<digits.dots> in package scripts, and syncNodeVersionInWorkflow(text, version) to update workflow YAML node pins while preserving formatting.

Sequence Diagram(s)

sequenceDiagram
  participant MetaUpdater
  participant RootManifest
  participant PackageScripts
  participant WorkflowYAML
  MetaUpdater->>RootManifest: read devEngines.runtime (name: "node", version)
  MetaUpdater->>PackageScripts: scan & replace node@runtime:<old> → node@runtime:<version>
  MetaUpdater->>WorkflowYAML: update workflow node major pin to match runtime version

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • pnpm/pnpm#11889: Also updates devEngines.runtime and script targets to a newer Node 26 runtime.
  • pnpm/pnpm#11719: Bumps the root packageManager/pnpm version in package.json.
  • pnpm/pnpm#11553: Related changes around devEngines.runtime usage and CI checks for Node runtime version.

Poem

🐰 I hopped through JSON with careful cheer,
Pinned Node to twenty-six, the path made clear.
Pnpm stepped up, scripts now align,
Workflows follow suit, version by design.
A tiny sync, a hop, a dev-time rhyme.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Title check: ⚠️ Warning. The PR title 'chore: update pnpm-lock.yaml' does not match the actual changes, which involve syncing Node.js versions across CI workflows and package.json metadata, not updating the lockfile. Resolution: revise the title to reflect the main change, such as 'chore: sync Node.js version in CI workflows with devEngines' or 'chore: update Node.js runtime version to 26.3.0 across tooling and workflows'.
Docstring Coverage: ⚠️ Warning. Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.



qodo-free-for-open-source-projects Bot commented

Review Summary by Qodo

Update pnpm-lock.yaml with latest compatible dependency versions

✨ Enhancement


Walkthroughs

Description
• Update amaro from 1.1.9 to 1.1.10
• Update @pnpm/symlink-dependency from 1000.0.17 to 1000.0.18
• Update @pnpm/worker from 1000.6.8 to 1000.6.9
• Update multiple transitive dependencies including electron-to-chromium, make-fetch-happen, pnpm, streamx, and which-typed-array
Diagram
flowchart LR
  A["pnpm-lock.yaml"] -->|"amaro 1.1.9 → 1.1.10"| B["Updated Dependencies"]
  A -->|"@pnpm/worker 1000.6.8 → 1000.6.9"| B
  A -->|"@pnpm/symlink-dependency 1000.0.17 → 1000.0.18"| B
  A -->|"electron-to-chromium, make-fetch-happen, pnpm, streamx, which-typed-array"| B
  B -->|"Transitive updates"| C["Lockfile Resolved"]


File Changes

1. pnpm-lock.yaml Dependencies +82/-82

Lockfile updates for latest compatible dependency versions

• Updated amaro from version 1.1.9 to 1.1.10 with new integrity hash
• Updated @pnpm/symlink-dependency from 1000.0.17 to 1000.0.18 with updated peer dependency constraint for @pnpm/logger
• Updated @pnpm/worker from 1000.6.8 to 1000.6.9 with new integrity hash
• Updated multiple transitive dependencies: electron-to-chromium (1.5.361 → 1.5.362), make-fetch-happen (15.0.5 → 15.0.6), pnpm (11.3.0 → 11.4.0), streamx (2.25.0 → 2.26.0), which-typed-array (1.1.20 → 1.1.21)
• Updated all snapshot entries and dependency references throughout the lockfile to reflect new versions


github-actions (Contributor) commented

Integrated-Benchmark Report (Linux)

Scenario: Isolated linker: fresh restore, cold cache + cold store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 2.139 ± 0.176 1.994 2.581 1.01 ± 0.09
pacquet@main 2.119 ± 0.045 2.072 2.206 1.00

Scenario: Isolated linker: fresh restore, hot cache + hot store

Command Mean [ms] Min [ms] Max [ms] Relative
pacquet@HEAD 693.8 ± 34.5 670.5 759.8 1.00
pacquet@main 738.1 ± 103.2 670.8 1024.4 1.06 ± 0.16

Scenario: Isolated linker: fresh install, cold cache + cold store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 2.353 ± 0.047 2.298 2.421 1.00
pacquet@main 2.357 ± 0.051 2.275 2.454 1.00 ± 0.03

Scenario: Isolated linker: fresh install, hot cache + hot store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 1.498 ± 0.011 1.486 1.519 1.00 ± 0.03
pacquet@main 1.497 ± 0.042 1.451 1.598 1.00

github-actions (Contributor) commented

🐰 Bencher Report

Branch: pr/12014
Testbed: pacquet

Benchmark Latency [ms] (Result Δ%) Baseline [ms] Upper Boundary [ms] (Limit %)
isolated-linker.fresh-install.cold-cache.cold-store 2,352.83 (-0.40%) 2,362.31 2,834.77 (83.00%)
isolated-linker.fresh-install.hot-cache.hot-store 1,498.28 (+0.78%) 1,486.66 1,783.99 (83.98%)
isolated-linker.fresh-restore.cold-cache.cold-store 2,139.13 (+3.47%) 2,067.45 2,480.94 (86.22%)
isolated-linker.fresh-restore.hot-cache.hot-store 693.76 (+2.04%) 679.89 815.87 (85.03%)

🐰 View full continuous benchmarking report in Bencher

zkochan force-pushed the chore/update-lockfile branch from e0c1ca2 to 55ac18f on June 2, 2026 09:37
Copilot AI review requested due to automatic review settings June 2, 2026 09:37

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 67-69: The repo declares dev runtime "runtime": { "name": "node",
"version": "26.3.0" } but the compile-only script still invokes "pnx
node@runtime:26.0.0"; update the hardcoded runtime in that script to match the
declared dev runtime (26.3.0) so both the runtime object and the "pnx
node@runtime:..." invocation use the same version; locate the compile-only
script entry that contains "pnx node@runtime:26.0.0" and replace the version
token to "26.3.0" (or better, parameterize it to reference the single source of
truth if your package.json scripts support it).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 318d932a-28f3-4d96-8498-0b6cc32fff24

📥 Commits

Reviewing files that changed from the base of the PR and between 5b95e08 and 55ac18f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Compile & Lint
  • GitHub Check: zizmor latest via PyPI
  • GitHub Check: Compile & Lint
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-05-05T23:03:04.286Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11479
File: __utils__/scripts/package.json:6-9
Timestamp: 2026-05-05T23:03:04.286Z
Learning: The pattern cross-env NODE_OPTIONS="$NODE_OPTIONS ..." in package.json scripts is an established convention in the pnpm/pnpm repository and is used across many packages (e.g., fs/hard-link-dir, worker, __utils__/scripts). Do not flag this as a cross-platform issue in individual files; if a change is needed, apply it as a repo-wide change in a separate PR. Scope this guidance to all package.json files in the repo; use the minimatch pattern '**/package.json' to identify relevant files and review changes at the repository level rather than per-file.

Applied to files:

  • package.json


Copilot AI (Contributor) left a comment

Pull request overview

Automated lockfile and packageManager update to pick up newer compatible dependency versions.

Changes:

  • Bump packageManager and devEngines.packageManager to pnpm 11.5.1 and devEngines.runtime Node to 26.3.0.
  • Refresh pnpm-lock.yaml with updated transitive/catalog versions (e.g. @inquirer/prompts 8.5.2, eslint 10.4.1, lru-cache 11.5.1, tinyglobby 0.2.17, amaro 1.1.10, etc.).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Update packageManager pin and devEngines versions for pnpm and Node.
pnpm-lock.yaml Regenerate lockfile with bumped dependency versions.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Copilot AI review requested due to automatic review settings June 2, 2026 09:59

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated no new comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

coderabbitai Bot left a comment

🧹 Nitpick comments (2)
.meta-updater/src/index.ts (2)

329-333: 💤 Low value

Consider sanitizing major before regex construction.

Static analysis flagged line 331 for potential ReDoS due to constructing a RegExp from variable input. While major comes from a controlled source (devEngines.runtime.version), defensive coding would validate that it contains only digits before use in the regex.

🛡️ Optional defensive check
 function syncNodeVersionInWorkflow (content: string | null, version: string | undefined): string | null {
   if (content == null || !version) return content
   const major = version.split('.')[0]
+  // Ensure major is numeric to prevent regex injection
+  if (!/^\d+$/.test(major)) {
+    throw new Error(`Invalid major version: ${major}`)
+  }
   return content.replace(new RegExp(`\\b${major}\\.\\d+\\.\\d+\\b`, 'g'), version)
 }
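
Review bot: The digit check on `major` is reasonable, but the pattern `\b${major}\.\d+\.\d+\b` still rewrites every X.Y.Z in the workflow text that shares the Node major, not only Node pins, so an unrelated action or tool version with the same major is silently bumped to the Node version; anchor the pattern to the pin form the walkthrough describes (the `node@` prefix) or to the specific keys being updated. The full `version` string is also interpolated into the output unvalidated, so the guard belongs on the whole X.Y.Z value (or in readNodeRuntimeVersion), not only on its first segment.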
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.meta-updater/src/index.ts around lines 329 - 333, The regex in
syncNodeVersionInWorkflow builds a pattern from the unvalidated variable major
which can cause ReDoS or unintended regex injection; validate or sanitize major
(from version) to ensure it consists only of digits (e.g., /^\d+$/) before
constructing the RegExp, and if it fails validation return content unchanged or
handle safely; update the function syncNodeVersionInWorkflow to parse and verify
major is numeric and only then create the RegExp using the validated value (or
escape it) and replace, otherwise skip the replacement.

309-313: 💤 Low value

Consider validating the version string format.

The function reads devEngines.runtime.version but doesn't validate that it's a well-formed semver string (e.g., 26.3.0). While the regex usage downstream will gracefully fail to match malformed versions, explicit validation would make debugging easier and provide clearer error messages if the manifest contains an invalid version format.

🛡️ Optional validation to add
 function readNodeRuntimeVersion (workspaceDir: string): string | undefined {
   const manifest = loadJsonFileSync<{ devEngines?: { runtime?: { name?: string, version?: string } } }>(path.join(workspaceDir, 'package.json'))
   const runtime = manifest?.devEngines?.runtime
-  return runtime?.name === 'node' ? runtime.version : undefined
+  const version = runtime?.name === 'node' ? runtime.version : undefined
+  // Validate basic semver format (major.minor.patch)
+  if (version && !/^\d+\.\d+\.\d+$/.test(version)) {
+    throw new Error(`devEngines.runtime.version must be in format X.Y.Z, got: ${version}`)
+  }
+  return version
 }
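
Review bot: Throwing from readNodeRuntimeVersion turns a malformed or pre-release `devEngines.runtime.version` (for example `26.3.0-rc.1`, which `^\d+\.\d+\.\d+$` rejects) into a hard failure of the whole updater run, while the function's `string | undefined` return type and the `!version` guard in the sync helpers already let callers skip the sync; returning `undefined` with a logged warning keeps the behaviour consistent with the rest of the flow. If pre-release runtimes are intentionally never pinned here, say so in a comment beside the regex.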
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.meta-updater/src/index.ts around lines 309 - 313, readNodeRuntimeVersion
currently returns whatever is in manifest.devEngines.runtime.version without
validating it's a proper semver; update readNodeRuntimeVersion to verify
runtime.version is present and matches a semver (either use semver.valid from
the 'semver' package or a strict regex like
/^\d+\.\d+\.\d+(-[0-9A-Za-z-.]+)?(\+[0-9A-Za-z-.]+)?$/) and only return the
value if valid, otherwise return undefined (or throw/log a clear error
mentioning readNodeRuntimeVersion and the invalid version string) so downstream
code gets a validated Node runtime version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 155ef944-601b-4406-8a8c-cb81361e8dc7

📥 Commits

Reviewing files that changed from the base of the PR and between dc3f485 and 4fde235.

📒 Files selected for processing (4)
  • .github/workflows/benchmark.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .meta-updater/src/index.ts
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/release.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Upload results
  • GitHub Check: Run benchmark on ubuntu-latest
  • GitHub Check: Compile & Lint
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Compile & Lint
🧰 Additional context used
🪛 ast-grep (0.43.0)
.meta-updater/src/index.ts

[warning] 331-331: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(\\b${major}\\.\\d+\\.\\d+\\b, 'g')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🔇 Additional comments (7)
.github/workflows/benchmark.yml (1)

66-66: LGTM!

.github/workflows/ci.yml (1)

55-55: LGTM!

Also applies to: 64-64

.meta-updater/src/index.ts (5)

5-5: LGTM!


317-322: LGTM!


335-342: LGTM!


69-79: LGTM!


187-189: LGTM!
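
An added example (not pnpm's .meta-updater code) covering the runtime-pin sync discussed in the walkthrough and the two nitpicks above: a validated reader for devEngines.runtime, the broad `\b<major>\.\d+\.\d+\b` replacement from the review hunk, and a narrower form that only rewrites `node@X.Y.Z` pins. The `node@` pin form is assumed from the walkthrough, and the workflow excerpt with its `some-tool@26.1.4` entry is constructed.

```typescript
// Added example, not pnpm's .meta-updater code. Shows the devEngines.runtime
// reader with validation, the broad regex sync from the review hunk, and a
// narrower sync anchored to `node@` pins (pin form assumed from the walkthrough).

type Manifest = { devEngines?: { runtime?: { name?: string, version?: string } } }

const SEMVER_RE = /^\d+\.\d+\.\d+$/

// Mirrors readNodeRuntimeVersion but takes the parsed manifest instead of a path.
// Returns undefined (so callers skip the sync) unless the runtime is node with a
// plain X.Y.Z version; malformed values never reach the regex construction.
function nodeRuntimeVersion (manifest: Manifest): string | undefined {
  const runtime = manifest.devEngines?.runtime
  if (runtime === undefined || runtime.name !== 'node' || runtime.version === undefined) return undefined
  return SEMVER_RE.test(runtime.version) ? runtime.version : undefined
}

// Broad form as suggested in the review hunk: guards `major`, then rewrites every
// X.Y.Z that shares the major. Kept to show its collateral effect on other versions.
function syncNodeVersionBroad (content: string, version: string): string {
  const major = version.split('.')[0] ?? ''
  if (!/^\d+$/.test(major)) throw new Error(`Invalid major version: ${major}`)
  return content.replace(new RegExp(`\\b${major}\\.\\d+\\.\\d+\\b`, 'g'), version)
}

// Narrow form: validates the whole version string and anchors the pattern to the
// `node@` prefix so only Node pins change. Reports how many pins were rewritten
// so the updater can log what it touched.
function syncNodePins (content: string, version: string): { content: string, changed: number } {
  if (!SEMVER_RE.test(version)) return { content, changed: 0 }
  const major = version.split('.')[0] ?? ''
  const target = `node@${version}`
  let changed = 0
  const out = content.replace(new RegExp(`\\bnode@${major}\\.\\d+\\.\\d+\\b`, 'g'), (pin: string): string => {
    if (pin !== target) changed++
    return target
  })
  return { content: out, changed }
}

// Constructed workflow excerpt: one Node pin plus a hypothetical unrelated tool
// whose version happens to share the Node major.
const SAMPLE_WORKFLOW = [
  'jobs:',
  '  test:',
  '    strategy:',
  '      matrix:',
  '        node: [node@26.0.0]',
  '    steps:',
  '      - run: pnpm dlx some-tool@26.1.4 --check',
].join('\n')

function demo (): void {
  const version = nodeRuntimeVersion({ devEngines: { runtime: { name: 'node', version: '26.3.0' } } })
  if (version === undefined) return
  console.log(syncNodeVersionBroad(SAMPLE_WORKFLOW, version)) // some-tool is bumped too
  console.log(syncNodePins(SAMPLE_WORKFLOW, version))         // only the node pin changes
}
demo()
```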
