build(deps): bump codecov/codecov-action from 2 to 3 by dependabot[bot] · Pull Request #1 · thaJeztah/buildkit

dependabot · 2022-09-01T08:07:09Z

Bumps codecov/codecov-action from 2 to 3.

Release notes

Sourced from codecov/codecov-action's releases.

v3.0.0

Breaking Changes

#689 Bump to node16 and small fixes

Features

#688 Incorporate gcov arguments for the Codecov uploader

Dependencies

#548 build(deps-dev): bump jest-junit from 12.2.0 to 13.0.0

#603 [Snyk] Upgrade @actions/core from 1.5.0 to 1.6.0

#628 build(deps): bump node-fetch from 2.6.1 to 3.1.1

#634 build(deps): bump node-fetch from 3.1.1 to 3.2.0

#636 build(deps): bump openpgp from 5.0.1 to 5.1.0

#652 build(deps-dev): bump @vercel/ncc from 0.30.0 to 0.33.3

#653 build(deps-dev): bump @types/node from 16.11.21 to 17.0.18

#659 build(deps-dev): bump @types/jest from 27.4.0 to 27.4.1

#667 build(deps): bump actions/checkout from 2 to 3

#673 build(deps): bump node-fetch from 3.2.0 to 3.2.3

#683 build(deps): bump minimist from 1.2.5 to 1.2.6

#685 build(deps): bump @actions/github from 5.0.0 to 5.0.1

#681 build(deps-dev): bump @types/node from 17.0.18 to 17.0.23

#682 build(deps-dev): bump typescript from 4.5.5 to 4.6.3

#676 build(deps): bump @actions/exec from 1.1.0 to 1.1.1

#675 build(deps): bump openpgp from 5.1.0 to 5.2.1

v2.1.0

2.1.0

Features

#515 Allow specifying version of Codecov uploader

Dependencies

#499 build(deps-dev): bump @vercel/ncc from 0.29.0 to 0.30.0

#508 build(deps): bump openpgp from 5.0.0-5 to 5.0.0

#514 build(deps-dev): bump @types/node from 16.6.0 to 16.9.0

v2.0.3

2.0.3

Fixes

#464 Fix wrong link in the readme

#485 fix: Add override OS and linux default to platform

Dependencies

#447 build(deps): bump openpgp from 5.0.0-4 to 5.0.0-5

#458 build(deps-dev): bump eslint from 7.31.0 to 7.32.0

#465 build(deps-dev): bump @typescript-eslint/eslint-plugin from 4.28.4 to 4.29.1

#466 build(deps-dev): bump @typescript-eslint/parser from 4.28.4 to 4.29.1

#468 build(deps-dev): bump @types/jest from 26.0.24 to 27.0.0

#470 build(deps-dev): bump @types/node from 16.4.0 to 16.6.0

#472 build(deps): bump path-parse from 1.0.6 to 1.0.7

#473 build(deps-dev): bump @types/jest from 27.0.0 to 27.0.1

... (truncated)

Changelog

Sourced from codecov/codecov-action's changelog.

3.1.0

Features

#699 Incorporate xcode arguments for the Codecov uploader

Dependencies

#694 build(deps-dev): bump @vercel/ncc from 0.33.3 to 0.33.4

#696 build(deps-dev): bump @types/node from 17.0.23 to 17.0.25

#698 build(deps-dev): bump jest-junit from 13.0.0 to 13.2.0

3.0.0

Breaking Changes

#689 Bump to node16 and small fixes

Features

#688 Incorporate gcov arguments for the Codecov uploader

Dependencies

#548 build(deps-dev): bump jest-junit from 12.2.0 to 13.0.0

#603 [Snyk] Upgrade @actions/core from 1.5.0 to 1.6.0

#628 build(deps): bump node-fetch from 2.6.1 to 3.1.1

#634 build(deps): bump node-fetch from 3.1.1 to 3.2.0

#636 build(deps): bump openpgp from 5.0.1 to 5.1.0

#652 build(deps-dev): bump @vercel/ncc from 0.30.0 to 0.33.3

#653 build(deps-dev): bump @types/node from 16.11.21 to 17.0.18

#659 build(deps-dev): bump @types/jest from 27.4.0 to 27.4.1

#667 build(deps): bump actions/checkout from 2 to 3

#673 build(deps): bump node-fetch from 3.2.0 to 3.2.3

#683 build(deps): bump minimist from 1.2.5 to 1.2.6

#685 build(deps): bump @actions/github from 5.0.0 to 5.0.1

#681 build(deps-dev): bump @types/node from 17.0.18 to 17.0.23

#682 build(deps-dev): bump typescript from 4.5.5 to 4.6.3

#676 build(deps): bump @actions/exec from 1.1.0 to 1.1.1

#675 build(deps): bump openpgp from 5.1.0 to 5.2.1

2.1.0

Features

#515 Allow specifying version of Codecov uploader

Dependencies

#499 build(deps-dev): bump @vercel/ncc from 0.29.0 to 0.30.0

#508 build(deps): bump openpgp from 5.0.0-5 to 5.0.0

#514 build(deps-dev): bump @types/node from 16.6.0 to 16.9.0

2.0.3

Fixes

#464 Fix wrong link in the readme

#485 fix: Add override OS and linux default to platform

Dependencies

#447 build(deps): bump openpgp from 5.0.0-4 to 5.0.0-5

... (truncated)

Commits

81cd2dc Merge pull request #699 from codecov/feat-xcode
a03184e feat: add xcode support
6a6a9ae Merge pull request #694 from codecov/dependabot/npm_and_yarn/vercel/ncc-0.33.4
92a872a Merge pull request #696 from codecov/dependabot/npm_and_yarn/types/node-17.0.25
43a9c18 Merge pull request #698 from codecov/dependabot/npm_and_yarn/jest-junit-13.2.0
13ce822 Merge pull request #690 from codecov/ci-v3
4d6dbaa build(deps-dev): bump jest-junit from 13.0.0 to 13.2.0
98f0f19 build(deps-dev): bump @types/node from 17.0.23 to 17.0.25
d3021d9 build(deps-dev): bump @vercel/ncc from 0.33.3 to 0.33.4
2c83f35 Update makefile to v3
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 2 to 3. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md) - [Commits](codecov/codecov-action@v2...v3) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2022-09-01T08:07:10Z

The following labels could not be found: dependencies, bot.

dependabot · 2022-11-14T09:10:15Z

Looks like codecov/codecov-action is up-to-date now, so this is no longer needed.

…f v1.5.4 full diffs: - protocolbuffers/protobuf-go@v1.31.0...v1.33.0 - golang/protobuf@v1.5.3...v1.5.4 From the Go security announcement list; > Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in > the google.golang.org/protobuf/encoding/protojson package which could cause > the Unmarshal function to enter an infinite loop when handling some invalid > inputs. > > This condition could only occur when unmarshaling into a message which contains > a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown > option is set. Unmarshal now correctly returns an error when handling these > inputs. > > This is CVE-2024-24786. In a follow-up post; > A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown > option is set (as well as when unmarshaling into any message which contains a > google.protobuf.Any). There is no UnmarshalUnknown option. > > In addition, version 1.33.0 of google.golang.org/protobuf inadvertently > introduced an incompatibility with the older github.com/golang/protobuf > module. (golang/protobuf#1596) Users of the older > module should update to github.com/golang/protobuf@v1.5.4. govulncheck results shows that the `solver/errdefs` may hit this code: govulncheck ./... Scanning your code and 821 packages across 157 dependent modules for known vulnerabilities... === Symbol Results === Vulnerability #1: GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf More info: https://pkg.go.dev/vuln/GO-2024-2611 Module: google.golang.org/protobuf Found in: google.golang.org/protobuf@v1.31.0 Fixed in: google.golang.org/protobuf@v1.33.0 Example traces found: #1: solver/errdefs/solve.go:73:25: errdefs.Solve.UnmarshalJSON calls jsonpb.Unmarshal, which eventually calls json.Decoder.Peek #2: solver/errdefs/solve.go:73:25: errdefs.Solve.UnmarshalJSON calls jsonpb.Unmarshal, which eventually calls json.Decoder.Read #3: solver/errdefs/solve.go:73:25: errdefs.Solve.UnmarshalJSON calls jsonpb.Unmarshal, which eventually calls protojson.UnmarshalOptions.Unmarshal Your code is affected by 1 vulnerability from 1 module. This scan found no other vulnerabilities in packages you import or modules you require. Use '-show verbose' for more details. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

contains a fix for CVE-2024-45338 / https://go.dev/issue/70906, but it doesn't affect our codebase: govulncheck -show=verbose ./... ... Vulnerability #1: GO-2024-3333 Non-linear parsing of case-insensitive content in golang.org/x/net/html More info: https://pkg.go.dev/vuln/GO-2024-3333 Module: golang.org/x/net Found in: golang.org/x/net@v0.29.0 Fixed in: golang.org/x/net@v0.33.0 Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diff: golang/crypto@v0.31.0...v0.35.0 Mostly just silencing scanners; code is not impacted by this CVE; govulncheck ./... === Symbol Results === Vulnerability #1: GO-2025-3487 Potential denial of service in golang.org/x/crypto More info: https://pkg.go.dev/vuln/GO-2025-3487 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.31.0 Fixed in: golang.org/x/crypto@v0.35.0 Example traces found: #1: util/sshutil/keyscan.go:43:23: sshutil.SSHKeyScan calls ssh.Dial Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

dependabot Bot closed this Nov 14, 2022

dependabot Bot deleted the dependabot/github_actions/codecov/codecov-action-3 branch November 14, 2022 09:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump codecov/codecov-action from 2 to 3#1

build(deps): bump codecov/codecov-action from 2 to 3#1
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/github_actions/codecov/codecov-action-3

dependabot Bot commented on behalf of github Sep 1, 2022 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Sep 1, 2022

Uh oh!

dependabot Bot commented on behalf of github Nov 14, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Sep 1, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v3.0.0

Breaking Changes

Features

Dependencies

v2.1.0

2.1.0

Features

Dependencies

v2.0.3

2.0.3

Fixes

Dependencies

3.1.0

Features

Dependencies

3.0.0

Breaking Changes

Features

Dependencies

2.1.0

Features

Dependencies

2.0.3

Fixes

Dependencies

Uh oh!

dependabot Bot commented on behalf of github Sep 1, 2022

Uh oh!

dependabot Bot commented on behalf of github Nov 14, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Sep 1, 2022 •

edited

Loading