chore: Prepare Release v10.0.1 (auto-deploy)#8796
Merged
Merged
Conversation
bc8d2a6 to
f7682d8
Compare
f7682d8 to
14e00fe
Compare
1aa26ad to
e928c53
Compare
6ae1612 to
b588734
Compare
eb6d2a2 to
182fd52
Compare
45ef4a4 to
50922a5
Compare
50922a5 to
1bcde0f
Compare
1bcde0f to
fa354ce
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v10.0.1
Release Notes
Details
Fixes
fix(cli): ignore closed readline after stdin (#8862)
fix(cli): ignore closed readline after stdin (#8862)
What changed
Wrap the stdin readline async iterator so CSpell ignores the terminal
readline was closederror that can occur after stdin has already yielded its file list.Other readline errors are still rethrown.
Why
Fixes #8778. On Node 24,
cspell lint --file-list stdincan finish processing a large stdin file list and then reportLinter Error: readline was closedinstead of completing cleanly.Tests
Added unit coverage for:
readline was closedafter readingI could not run the package test command locally in this sandbox because the checkout has no
node_modules, and Corepack is blocked from creating its user cache directory (EPERMunder~/.cache/node/corepack).fix(docs): replace `.json` with `package.json` in configuration docs (#8861)
fix(docs): replace
.jsonwithpackage.jsonin configuration docs (#8861)Fix
In the
package.jsonconfiguration section, the sentence referred to"the
.jsonfile" instead of "thepackage.jsonfile".Before: "CSpell looks for the configuration in the
cspellfield of the.jsonfile."After: "CSpell looks for the configuration in the
cspellfield of thepackage.jsonfile."fix: substitution display and ranges for output checking (#8838)
fix: substitution display and ranges for output checking (#8838)
Added a French dictionary and fixed the positioning logic for error reporting of replacement words.
fix: use env vars for GitHub context expressions in run steps to prevent injection (#8852)
fix: use env vars for GitHub context expressions in run steps to prevent injection (#8852)
Summary
This PR fixes script injection and secret exposure security issues found in GitHub Actions workflows and composite actions. In each case, a GitHub expression (
${{ ... }}) was used directly inside arun:shell command instead of being passed through an environment variable — the recommended approach per GitHub's security hardening guide.Issues Fixed
🔴 Secrets exposed in process arguments (visible via
ps aux)update-readme.ymlpnpm update-contributors ${{ secrets.GITHUB_TOKEN }}— token as CLI argreuseable-load-integrations-repo-list.yml./tester.js list --json $DIRTY -t ${{ secrets.GITHUB_TOKEN }}— token as CLI argbuild-version-release.yml"https://${{ secrets.GITHUB_TOKEN }}@github.com/..."— token inline in URL🔴 GITHUB_ENV injection (allows setting arbitrary environment variables)
set-env/action.yamlecho "${{ inputs.name }}<<delimiter" >> $GITHUB_ENV— name injected directly🟠 Shell script injection via unsanitised expressions in
run:stepsbuild-version-release.yml${{ steps.version.outputs.version }}in lerna/gh commandspublish.yml${{ steps.dist_tag.outputs.value }}in lerna publish commandintegration-test.yml${{ matrix.repo }}in shell run and jq selectorupdate-dictionaries.yml${{ matrix.repo }}in shell run and jq selectorupdate-integration-repositories.yml${{ matrix.repo }}and${{ github.event.inputs.ref }}in run stepsreuseable-pr-from-artifact.yml${{ inputs.patch_path }}in git apply commandupdate-dependencies-old.yml${{ toJson(github.event.inputs) }}in echo commandFix Pattern
For each issue, the expression is moved to an
env:block and referenced via shell variable:For jq queries using
matrix.repo, the injection-safe--argflag is used:Version Information
v10.0.110.0.1Summary