

24 Commits

Roman Iakovlev cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
Lewis Jones 0e562a634b Merge pull request #900 from actions/dependabot/npm_and_yarn/esbuild-0.25.0
Bump esbuild from 0.19.5 to 0.25.0
2025-03-07 11:49:50 +00:00
dependabot[bot] 2c5ec1eea8 Bump esbuild from 0.19.5 to 0.25.0
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-26 20:54:18 +00:00
Eric Sorenson bf0431a342 Merge pull request #893 from omahs/patch-1
Fix typos
2025-02-07 14:27:22 -08:00
omahs c26b132baa fix typos 2025-02-07 13:22:20 +01:00
omahs 3ffdd4d73e fix typos 2025-02-07 13:20:46 +01:00
Ashely Tenesaca ea2cae5127 Merge pull request #888 from ellenfieldn/allow-deny-package-removal
Allow deny package removal
2025-02-06 17:18:15 -05:00
Nathan Ellenfield dfe560420d fix formatting and dist 2025-02-05 15:50:50 -05:00
Nathan Ellenfield e4033dcc29 Merge remote-tracking branch 'origin/main' into allow-deny-package-removal 2025-02-04 13:33:03 -05:00
Ashely Tenesaca 92129e58e4 Merge pull request #891 from actions/ashelytc/server-url-fix
DR Action should link to the proxima stamp when appropriate in error messages
2025-02-03 14:46:11 -05:00
Ashely Tenesaca bf9bc3f2a6 generate dist code 2025-02-03 17:25:46 +00:00
Ashely Tenesaca d703cf58c3 replace server url with variable 2025-02-03 15:57:21 +00:00
Nathan Ellenfield c80eb9894b fixit 2025-01-27 16:01:10 -05:00
Nathan Ellenfield 5e7a6ffc7d fix: Allow removal denied packages 2025-01-27 16:00:09 -05:00
Ahmed ElMallah 67ca5cc413 Merge pull request #877 from actions/dependabot/npm_and_yarn/undici-5.28.5
Bump undici from 5.28.4 to 5.28.5
2025-01-24 12:04:24 -08:00
Ahmed ElMallah 8992b0e1c7 updating dist code 2025-01-24 20:01:21 +00:00
Ahmed ElMallah 5e9a56c6de Merge pull request #878 from actions/dependabot/github_actions/actions/stale-9.1.0
Bump actions/stale from 9.0.0 to 9.1.0
2025-01-24 11:58:00 -08:00
dependabot[bot] 9cd1f01f7f Bump actions/stale from 9.0.0 to 9.1.0
Bumps [actions/stale](https://github.com/actions/stale) from 9.0.0 to 9.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v9.0.0...v9.1.0)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-24 19:52:48 +00:00
Ahmed ElMallah a0be92bfc2 Merge pull request #876 from actions/ahmed3lmallah/dependabot-updates
Grouping minor and patch dependabot updates to lessen the number of PRs
2025-01-24 11:52:11 -08:00
dependabot[bot] 6ec8e13b9a Bump undici from 5.28.4 to 5.28.5
Bumps [undici](https://github.com/nodejs/undici) from 5.28.4 to 5.28.5.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-24 17:39:09 +00:00
Ahmed ElMallah c9bb42fdbf grouping minor and patch updates to lessen the number of PRs 2025-01-23 23:01:53 +00:00
Ahmed ElMallah b109bc8c95 Merge pull request #870 from actions/ahmed3lmallah/updating-dependencies
Updating multiple dependency versions
2025-01-23 14:00:10 -08:00
Ahmed ElMallah 5f24a51147 Updating dist folder 2025-01-23 21:07:48 +00:00
Ahmed ElMallah ef281d4e24 Updating multiple dependency versions 2025-01-23 21:07:39 +00:00
11 changed files with 823 additions and 422 deletions
+5
@@ -12,3 +12,8 @@ updates:
ignore:
- dependency-name: '@types/node'
update-types: ['version-update:semver-major']
groups:
minor-updates:
update-types:
- "minor"
- "patch"
+1 -1
@@ -12,7 +12,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.0.0
- uses: actions/stale@v9.1.0
name: Clean up stale PRs and Issues
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
+3 -3
@@ -35,11 +35,11 @@ Ready to contribute to `dependency-review-action`? Here is some information to
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
The action then evaluates the differences between the pushes based on the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
### Local Development
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 20.
#### Bootstrapping the project
@@ -81,7 +81,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_
npm run test
```
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
_Note_: We don't have a very comprehensive test suite, so any contributions to the existing tests are welcome!
### Submitting a pull request
+59
@@ -134,3 +134,62 @@ test('allows packages not defined in the deny packages and groups list', async (
expect(deniedChanges.length).toEqual(0)
})
test('deny packages does not prevent removal of denied packages', async () => {
const changes: Changes = [
createTestChange({
change_type: 'added',
name: 'deny-by-name-and-version',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'removed',
name: 'pass-by-name-and-version',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'added',
name: 'deny-by-name',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'removed',
name: 'pass-by-name',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'added',
package_url: 'pkg:npm/org.test.deny.by.namespace/only@1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'removed',
package_url: 'pkg:npm/org.test.pass.by.namespace/only@1.0.0',
ecosystem: 'npm'
})
]
const deniedPackages = createTestPURLs([
'pkg:npm/org.test.deny.by/deny-by-name-and-version@1.0.0',
'pkg:npm/org.test.pass.by/pass-by-name-and-version@1.0.0',
'pkg:npm/org.test.deny.by/deny-by-name',
'pkg:npm/org.test.pass.by/pass-by-name'
])
const deniedGroups = createTestPURLs([
'pkg:npm/org.test.deny.by.namespace/',
'pkg:npm/org.test.pass.by.namespace/'
])
const deniedChanges = await getDeniedChanges(
changes,
deniedPackages,
deniedGroups
)
expect(deniedChanges.length).toEqual(3)
expect(deniedChanges[0]).toBe(changes[0])
expect(deniedChanges[1]).toBe(changes[2])
expect(deniedChanges[2]).toBe(changes[4])
})
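Review bot: The deny fixtures in the new test deliberately list the `pass-by-name-and-version`, `pass-by-name` and `org.test.pass.by.namespace/` entries alongside the `deny-*` ones, so a reader skimming the names can easily conclude the "pass" changes escape because they are absent from the lists rather than because their `change_type` is `'removed'`; a comment above `const deniedPackages = createTestPURLs([` would pin that down, e.g. `// Every "pass-*" entry below IS denied; it passes only because the change is a removal.` The test also has no case where the same denied name appears once as `removed` and once as `added` (a version replacement), which is the scenario that would catch a future change that short-circuits per package name instead of per change, so adding that pair and asserting only the `added` entry is reported would strengthen the coverage. The four trailing assertions could be collapsed to `expect(deniedChanges).toEqual([changes[0], changes[2], changes[4]])`, which reports the whole mismatch on failure instead of stopping at the first index. The source-side change this exercises is not in a visible section of this page (only its compiled copy in the vendored dist is shown), so this note covers the test alone.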
Generated Vendored
+255 -76
@@ -182,6 +182,9 @@ function getDeniedChanges(changes_1) {
return __awaiter(this, arguments, void 0, function* (changes, deniedPackages = [], deniedGroups = []) {
const changesDenied = [];
for (const change of changes) {
if (change.change_type === 'removed') {
continue;
}
for (const denied of deniedPackages) {
if ((!denied.version || change.version === denied.version) &&
change.name === denied.name) {
@@ -720,7 +723,7 @@ function run() {
core.setFailed(`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`);
}
else if (error instanceof request_error_1.RequestError && error.status === 403) {
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
}
else {
if (error instanceof Error) {
@@ -6977,7 +6980,7 @@ var import_graphql = __nccwpck_require__(7);
var import_auth_token = __nccwpck_require__(7864);
// pkg/dist-src/version.js
var VERSION = "5.0.2";
var VERSION = "5.2.0";
// pkg/dist-src/index.js
var noop = () => {
@@ -7144,7 +7147,7 @@ module.exports = __toCommonJS(dist_src_exports);
var import_universal_user_agent = __nccwpck_require__(3843);
// pkg/dist-src/version.js
var VERSION = "9.0.4";
var VERSION = "9.0.6";
// pkg/dist-src/defaults.js
var userAgent = `octokit-endpoint.js/${VERSION} ${(0, import_universal_user_agent.getUserAgent)()}`;
@@ -7249,9 +7252,9 @@ function addQueryParameters(url, parameters) {
}
// pkg/dist-src/util/extract-url-variable-names.js
var urlVariableRegex = /\{[^}]+\}/g;
var urlVariableRegex = /\{[^{}}]+\}/g;
function removeNonChars(variableName) {
return variableName.replace(/^\W+|\W+$/g, "").split(/,/);
return variableName.replace(/(?:^\W+)|(?:(?<!\W)\W+$)/g, "").split(/,/);
}
function extractUrlVariableNames(url) {
const matches = url.match(urlVariableRegex);
@@ -7437,7 +7440,7 @@ function parse(options) {
}
if (url.endsWith("/graphql")) {
if (options.mediaType.previews?.length) {
const previewsFromAcceptHeader = headers.accept.match(/[\w-]+(?=-preview)/g) || [];
const previewsFromAcceptHeader = headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || [];
headers.accept = previewsFromAcceptHeader.concat(options.mediaType.previews).map((preview) => {
const format = options.mediaType.format ? `.${options.mediaType.format}` : "+json";
return `application/vnd.github.${preview}-preview${format}`;
@@ -7518,18 +7521,18 @@ var __copyProps = (to, from, except, desc) => {
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
// pkg/dist-src/index.js
var dist_src_exports = {};
__export(dist_src_exports, {
var index_exports = {};
__export(index_exports, {
GraphqlResponseError: () => GraphqlResponseError,
graphql: () => graphql2,
withCustomRequest: () => withCustomRequest
});
module.exports = __toCommonJS(dist_src_exports);
module.exports = __toCommonJS(index_exports);
var import_request3 = __nccwpck_require__(8636);
var import_universal_user_agent = __nccwpck_require__(3843);
// pkg/dist-src/version.js
var VERSION = "7.0.2";
var VERSION = "7.1.1";
// pkg/dist-src/with-defaults.js
var import_request2 = __nccwpck_require__(8636);
@@ -7577,8 +7580,7 @@ function graphql(request2, query, options) {
);
}
for (const key in options) {
if (!FORBIDDEN_VARIABLE_OPTIONS.includes(key))
continue;
if (!FORBIDDEN_VARIABLE_OPTIONS.includes(key)) continue;
return Promise.reject(
new Error(
`[@octokit/graphql] "${key}" cannot be used as variable name`
@@ -11713,7 +11715,7 @@ async function wrapRequest(state, octokit, request, options) {
}
async function requestWithGraphqlErrorHandling(state, octokit, request, options) {
const response = await request(request, options);
if (response.data && response.data.errors && /Something went wrong while executing your query/.test(
if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
response.data.errors[0].message
)) {
const error = new import_request_error.RequestError(response.data.errors[0].message, 500, {
@@ -11726,7 +11728,7 @@ async function requestWithGraphqlErrorHandling(state, octokit, request, options)
}
// pkg/dist-src/index.js
var VERSION = "6.0.1";
var VERSION = "6.1.0";
function retry(octokit, octokitOptions) {
const state = Object.assign(
{
@@ -12079,7 +12081,7 @@ var RequestError = class extends Error {
if (options.request.headers.authorization) {
requestCopy.headers = Object.assign({}, options.request.headers, {
authorization: options.request.headers.authorization.replace(
/ .*$/,
/(?<! ) .*$/,
" [REDACTED]"
)
});
@@ -12147,7 +12149,7 @@ var import_endpoint = __nccwpck_require__(4471);
var import_universal_user_agent = __nccwpck_require__(3843);
// pkg/dist-src/version.js
var VERSION = "8.1.6";
var VERSION = "8.4.1";
// pkg/dist-src/is-plain-object.js
function isPlainObject(value) {
@@ -12172,7 +12174,7 @@ function getBufferResponse(response) {
// pkg/dist-src/fetch-wrapper.js
function fetchWrapper(requestOptions) {
var _a, _b, _c;
var _a, _b, _c, _d;
const log = requestOptions.request && requestOptions.request.log ? requestOptions.request.log : console;
const parseSuccessResponseBody = ((_a = requestOptions.request) == null ? void 0 : _a.parseSuccessResponseBody) !== false;
if (isPlainObject(requestOptions.body) || Array.isArray(requestOptions.body)) {
@@ -12193,8 +12195,9 @@ function fetchWrapper(requestOptions) {
return fetch(requestOptions.url, {
method: requestOptions.method,
body: requestOptions.body,
redirect: (_c = requestOptions.request) == null ? void 0 : _c.redirect,
headers: requestOptions.headers,
signal: (_c = requestOptions.request) == null ? void 0 : _c.signal,
signal: (_d = requestOptions.request) == null ? void 0 : _d.signal,
// duplex must be set if request.body is ReadableStream or Async Iterables.
// See https://fetch.spec.whatwg.org/#dom-requestinit-duplex.
...requestOptions.body && { duplex: "half" }
@@ -12205,7 +12208,7 @@ function fetchWrapper(requestOptions) {
headers[keyAndValue[0]] = keyAndValue[1];
}
if ("deprecation" in headers) {
const matches = headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
const matches = headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
const deprecationLink = matches && matches.pop();
log.warn(
`[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${headers.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
@@ -12291,11 +12294,17 @@ async function getResponseData(response) {
function toErrorMessage(data) {
if (typeof data === "string")
return data;
let suffix;
if ("documentation_url" in data) {
suffix = ` - ${data.documentation_url}`;
} else {
suffix = "";
}
if ("message" in data) {
if (Array.isArray(data.errors)) {
return `${data.message}: ${data.errors.map(JSON.stringify).join(", ")}`;
return `${data.message}: ${data.errors.map(JSON.stringify).join(", ")}${suffix}`;
}
return data.message;
return `${data.message}${suffix}`;
}
return `Unknown error: ${JSON.stringify(data)}`;
}
@@ -30272,6 +30281,14 @@ const { isUint8Array, isArrayBuffer } = __nccwpck_require__(8253)
const { File: UndiciFile } = __nccwpck_require__(3041)
const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(4322)
let random
try {
const crypto = __nccwpck_require__(7598)
random = (max) => crypto.randomInt(0, max)
} catch {
random = (max) => Math.floor(Math.random(max))
}
let ReadableStream = globalThis.ReadableStream
/** @type {globalThis['File']} */
@@ -30357,7 +30374,7 @@ function extractBody (object, keepalive = false) {
// Set source to a copy of the bytes held by object.
source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
} else if (util.isFormDataLike(object)) {
const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
const prefix = `--${boundary}\r\nContent-Disposition: form-data`
/*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
@@ -45170,6 +45187,9 @@ const quotelessJson = (obj) => {
};
exports.quotelessJson = quotelessJson;
class ZodError extends Error {
get errors() {
return this.issues;
}
constructor(issues) {
super();
this.issues = [];
@@ -45190,9 +45210,6 @@ class ZodError extends Error {
this.name = "ZodError";
this.issues = issues;
}
get errors() {
return this.issues;
}
format(_mapper) {
const mapper = _mapper ||
function (issue) {
@@ -45315,7 +45332,11 @@ exports.getErrorMap = getErrorMap;
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
@@ -45345,7 +45366,7 @@ var errorUtil;
(function (errorUtil) {
errorUtil.errToObj = (message) => typeof message === "string" ? { message } : message || {};
errorUtil.toString = (message) => typeof message === "string" ? message : message === null || message === void 0 ? void 0 : message.message;
})(errorUtil = exports.errorUtil || (exports.errorUtil = {}));
})(errorUtil || (exports.errorUtil = errorUtil = {}));
/***/ }),
@@ -45399,9 +45420,9 @@ function addIssueToContext(ctx, issueData) {
data: ctx.data,
path: ctx.path,
errorMaps: [
ctx.common.contextualErrorMap,
ctx.schemaErrorMap,
overrideMap,
ctx.common.contextualErrorMap, // contextual error map is first priority
ctx.schemaErrorMap, // then schema-bound map if available
overrideMap, // then global override map
overrideMap === en_1.default ? undefined : en_1.default, // then global default map
].filter((x) => !!x),
});
@@ -45562,7 +45583,7 @@ var util;
}
return value;
};
})(util = exports.util || (exports.util = {}));
})(util || (exports.util = util = {}));
var objectUtil;
(function (objectUtil) {
objectUtil.mergeShapes = (first, second) => {
@@ -45571,7 +45592,7 @@ var objectUtil;
...second, // second overwrites first
};
};
})(objectUtil = exports.objectUtil || (exports.objectUtil = {}));
})(objectUtil || (exports.objectUtil = objectUtil = {}));
exports.ZodParsedType = util.arrayToEnum([
"string",
"nan",
@@ -45650,7 +45671,11 @@ exports.getParsedType = getParsedType;
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
@@ -45907,35 +45932,6 @@ function processCreateParams(params) {
return { errorMap: customMap, description };
}
class ZodType {
constructor(def) {
/** Alias of safeParseAsync */
this.spa = this.safeParseAsync;
this._def = def;
this.parse = this.parse.bind(this);
this.safeParse = this.safeParse.bind(this);
this.parseAsync = this.parseAsync.bind(this);
this.safeParseAsync = this.safeParseAsync.bind(this);
this.spa = this.spa.bind(this);
this.refine = this.refine.bind(this);
this.refinement = this.refinement.bind(this);
this.superRefine = this.superRefine.bind(this);
this.optional = this.optional.bind(this);
this.nullable = this.nullable.bind(this);
this.nullish = this.nullish.bind(this);
this.array = this.array.bind(this);
this.promise = this.promise.bind(this);
this.or = this.or.bind(this);
this.and = this.and.bind(this);
this.transform = this.transform.bind(this);
this.brand = this.brand.bind(this);
this.default = this.default.bind(this);
this.catch = this.catch.bind(this);
this.describe = this.describe.bind(this);
this.pipe = this.pipe.bind(this);
this.readonly = this.readonly.bind(this);
this.isNullable = this.isNullable.bind(this);
this.isOptional = this.isOptional.bind(this);
}
get description() {
return this._def.description;
}
@@ -45999,6 +45995,48 @@ class ZodType {
const result = this._parseSync({ data, path: ctx.path, parent: ctx });
return handleResult(ctx, result);
}
"~validate"(data) {
var _a, _b;
const ctx = {
common: {
issues: [],
async: !!this["~standard"].async,
},
path: [],
schemaErrorMap: this._def.errorMap,
parent: null,
data,
parsedType: (0, util_1.getParsedType)(data),
};
if (!this["~standard"].async) {
try {
const result = this._parseSync({ data, path: [], parent: ctx });
return (0, parseUtil_1.isValid)(result)
? {
value: result.value,
}
: {
issues: ctx.common.issues,
};
}
catch (err) {
if ((_b = (_a = err === null || err === void 0 ? void 0 : err.message) === null || _a === void 0 ? void 0 : _a.toLowerCase()) === null || _b === void 0 ? void 0 : _b.includes("encountered")) {
this["~standard"].async = true;
}
ctx.common = {
issues: [],
async: true,
};
}
}
return this._parseAsync({ data, path: [], parent: ctx }).then((result) => (0, parseUtil_1.isValid)(result)
? {
value: result.value,
}
: {
issues: ctx.common.issues,
});
}
async parseAsync(data, params) {
const result = await this.safeParseAsync(data, params);
if (result.success)
@@ -46085,6 +46123,40 @@ class ZodType {
superRefine(refinement) {
return this._refinement(refinement);
}
constructor(def) {
/** Alias of safeParseAsync */
this.spa = this.safeParseAsync;
this._def = def;
this.parse = this.parse.bind(this);
this.safeParse = this.safeParse.bind(this);
this.parseAsync = this.parseAsync.bind(this);
this.safeParseAsync = this.safeParseAsync.bind(this);
this.spa = this.spa.bind(this);
this.refine = this.refine.bind(this);
this.refinement = this.refinement.bind(this);
this.superRefine = this.superRefine.bind(this);
this.optional = this.optional.bind(this);
this.nullable = this.nullable.bind(this);
this.nullish = this.nullish.bind(this);
this.array = this.array.bind(this);
this.promise = this.promise.bind(this);
this.or = this.or.bind(this);
this.and = this.and.bind(this);
this.transform = this.transform.bind(this);
this.brand = this.brand.bind(this);
this.default = this.default.bind(this);
this.catch = this.catch.bind(this);
this.describe = this.describe.bind(this);
this.pipe = this.pipe.bind(this);
this.readonly = this.readonly.bind(this);
this.isNullable = this.isNullable.bind(this);
this.isOptional = this.isOptional.bind(this);
this["~standard"] = {
version: 1,
vendor: "zod",
validate: (data) => this["~validate"](data),
};
}
optional() {
return ZodOptional.create(this, this._def);
}
@@ -46095,7 +46167,7 @@ class ZodType {
return this.nullable().optional();
}
array() {
return ZodArray.create(this, this._def);
return ZodArray.create(this);
}
promise() {
return ZodPromise.create(this, this._def);
@@ -46164,11 +46236,12 @@ exports.Schema = ZodType;
exports.ZodSchema = ZodType;
const cuidRegex = /^c[^\s-]{8,}$/i;
const cuid2Regex = /^[0-9a-z]+$/;
const ulidRegex = /^[0-9A-HJKMNP-TV-Z]{26}$/;
const ulidRegex = /^[0-9A-HJKMNP-TV-Z]{26}$/i;
// const uuidRegex =
// /^([a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[a-f0-9]{4}-[a-f0-9]{12}|00000000-0000-0000-0000-000000000000)$/i;
const uuidRegex = /^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/i;
const nanoidRegex = /^[a-z0-9_-]{21}$/i;
const jwtRegex = /^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$/;
const durationRegex = /^[-+]?P(?!$)(?:(?:[-+]?\d+Y)|(?:[-+]?\d+[.,]\d+Y$))?(?:(?:[-+]?\d+M)|(?:[-+]?\d+[.,]\d+M$))?(?:(?:[-+]?\d+W)|(?:[-+]?\d+[.,]\d+W$))?(?:(?:[-+]?\d+D)|(?:[-+]?\d+[.,]\d+D$))?(?:T(?=[\d+-])(?:(?:[-+]?\d+H)|(?:[-+]?\d+[.,]\d+H$))?(?:(?:[-+]?\d+M)|(?:[-+]?\d+[.,]\d+M$))?(?:[-+]?\d+(?:[.,]\d+)?S)?)??$/;
// from https://stackoverflow.com/a/46181/1550155
// old version: too slow, didn't support unicode
@@ -46190,9 +46263,15 @@ const _emojiRegex = `^(\\p{Extended_Pictographic}|\\p{Emoji_Component})+$`;
let emojiRegex;
// faster, simpler, safer
const ipv4Regex = /^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$/;
const ipv6Regex = /^(([a-f0-9]{1,4}:){7}|::([a-f0-9]{1,4}:){0,6}|([a-f0-9]{1,4}:){1}:([a-f0-9]{1,4}:){0,5}|([a-f0-9]{1,4}:){2}:([a-f0-9]{1,4}:){0,4}|([a-f0-9]{1,4}:){3}:([a-f0-9]{1,4}:){0,3}|([a-f0-9]{1,4}:){4}:([a-f0-9]{1,4}:){0,2}|([a-f0-9]{1,4}:){5}:([a-f0-9]{1,4}:){0,1})([a-f0-9]{1,4}|(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2})))$/;
const ipv4CidrRegex = /^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\/(3[0-2]|[12]?[0-9])$/;
// const ipv6Regex =
// /^(([a-f0-9]{1,4}:){7}|::([a-f0-9]{1,4}:){0,6}|([a-f0-9]{1,4}:){1}:([a-f0-9]{1,4}:){0,5}|([a-f0-9]{1,4}:){2}:([a-f0-9]{1,4}:){0,4}|([a-f0-9]{1,4}:){3}:([a-f0-9]{1,4}:){0,3}|([a-f0-9]{1,4}:){4}:([a-f0-9]{1,4}:){0,2}|([a-f0-9]{1,4}:){5}:([a-f0-9]{1,4}:){0,1})([a-f0-9]{1,4}|(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2})))$/;
const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/;
const ipv6CidrRegex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$/;
// https://stackoverflow.com/questions/7860392/determine-if-string-is-in-base64-using-javascript
const base64Regex = /^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/;
// https://base64.guru/standards/base64url
const base64urlRegex = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/;
// simple
// const dateRegexSource = `\\d{4}-\\d{2}-\\d{2}`;
// no leap year validation
@@ -46234,6 +46313,38 @@ function isValidIP(ip, version) {
}
return false;
}
function isValidJWT(jwt, alg) {
if (!jwtRegex.test(jwt))
return false;
try {
const [header] = jwt.split(".");
// Convert base64url to base64
const base64 = header
.replace(/-/g, "+")
.replace(/_/g, "/")
.padEnd(header.length + ((4 - (header.length % 4)) % 4), "=");
const decoded = JSON.parse(atob(base64));
if (typeof decoded !== "object" || decoded === null)
return false;
if (!decoded.typ || !decoded.alg)
return false;
if (alg && decoded.alg !== alg)
return false;
return true;
}
catch (_a) {
return false;
}
}
function isValidCidr(ip, version) {
if ((version === "v4" || !version) && ipv4CidrRegex.test(ip)) {
return true;
}
if ((version === "v6" || !version) && ipv6CidrRegex.test(ip)) {
return true;
}
return false;
}
class ZodString extends ZodType {
_parse(input) {
if (this._def.coerce) {
@@ -46515,6 +46626,28 @@ class ZodString extends ZodType {
status.dirty();
}
}
else if (check.kind === "jwt") {
if (!isValidJWT(input.data, check.alg)) {
ctx = this._getOrReturnCtx(input, ctx);
(0, parseUtil_1.addIssueToContext)(ctx, {
validation: "jwt",
code: ZodError_1.ZodIssueCode.invalid_string,
message: check.message,
});
status.dirty();
}
}
else if (check.kind === "cidr") {
if (!isValidCidr(input.data, check.version)) {
ctx = this._getOrReturnCtx(input, ctx);
(0, parseUtil_1.addIssueToContext)(ctx, {
validation: "cidr",
code: ZodError_1.ZodIssueCode.invalid_string,
message: check.message,
});
status.dirty();
}
}
else if (check.kind === "base64") {
if (!base64Regex.test(input.data)) {
ctx = this._getOrReturnCtx(input, ctx);
@@ -46526,6 +46659,17 @@ class ZodString extends ZodType {
status.dirty();
}
}
else if (check.kind === "base64url") {
if (!base64urlRegex.test(input.data)) {
ctx = this._getOrReturnCtx(input, ctx);
(0, parseUtil_1.addIssueToContext)(ctx, {
validation: "base64url",
code: ZodError_1.ZodIssueCode.invalid_string,
message: check.message,
});
status.dirty();
}
}
else {
util_1.util.assertNever(check);
}
@@ -46572,9 +46716,22 @@ class ZodString extends ZodType {
base64(message) {
return this._addCheck({ kind: "base64", ...errorUtil_1.errorUtil.errToObj(message) });
}
base64url(message) {
// base64url encoding is a modification of base64 that can safely be used in URLs and filenames
return this._addCheck({
kind: "base64url",
...errorUtil_1.errorUtil.errToObj(message),
});
}
jwt(options) {
return this._addCheck({ kind: "jwt", ...errorUtil_1.errorUtil.errToObj(options) });
}
ip(options) {
return this._addCheck({ kind: "ip", ...errorUtil_1.errorUtil.errToObj(options) });
}
cidr(options) {
return this._addCheck({ kind: "cidr", ...errorUtil_1.errorUtil.errToObj(options) });
}
datetime(options) {
var _a, _b;
if (typeof options === "string") {
@@ -46665,8 +46822,7 @@ class ZodString extends ZodType {
});
}
/**
* @deprecated Use z.string().min(1) instead.
* @see {@link ZodString.min}
* Equivalent to `.min(1)`
*/
nonempty(message) {
return this.min(1, errorUtil_1.errorUtil.errToObj(message));
@@ -46728,9 +46884,16 @@ class ZodString extends ZodType {
get isIP() {
return !!this._def.checks.find((ch) => ch.kind === "ip");
}
get isCIDR() {
return !!this._def.checks.find((ch) => ch.kind === "cidr");
}
get isBase64() {
return !!this._def.checks.find((ch) => ch.kind === "base64");
}
get isBase64url() {
// base64url encoding is a modification of base64 that can safely be used in URLs and filenames
return !!this._def.checks.find((ch) => ch.kind === "base64url");
}
get minLength() {
let min = null;
for (const ch of this._def.checks) {
@@ -47025,17 +47188,16 @@ class ZodBigInt extends ZodType {
}
_parse(input) {
if (this._def.coerce) {
input.data = BigInt(input.data);
try {
input.data = BigInt(input.data);
}
catch (_a) {
return this._getInvalidInput(input);
}
}
const parsedType = this._getType(input);
if (parsedType !== util_1.ZodParsedType.bigint) {
const ctx = this._getOrReturnCtx(input);
(0, parseUtil_1.addIssueToContext)(ctx, {
code: ZodError_1.ZodIssueCode.invalid_type,
expected: util_1.ZodParsedType.bigint,
received: ctx.parsedType,
});
return parseUtil_1.INVALID;
return this._getInvalidInput(input);
}
let ctx = undefined;
const status = new parseUtil_1.ParseStatus();
@@ -47089,6 +47251,15 @@ class ZodBigInt extends ZodType {
}
return { status: status.value, value: input.data };
}
_getInvalidInput(input) {
const ctx = this._getOrReturnCtx(input);
(0, parseUtil_1.addIssueToContext)(ctx, {
code: ZodError_1.ZodIssueCode.invalid_type,
expected: util_1.ZodParsedType.bigint,
received: ctx.parsedType,
});
return parseUtil_1.INVALID;
}
gte(value, message) {
return this.setLimit("min", value, true, errorUtil_1.errorUtil.toString(message));
}
@@ -49401,7 +49572,7 @@ var ZodFirstPartyTypeKind;
ZodFirstPartyTypeKind["ZodBranded"] = "ZodBranded";
ZodFirstPartyTypeKind["ZodPipeline"] = "ZodPipeline";
ZodFirstPartyTypeKind["ZodReadonly"] = "ZodReadonly";
})(ZodFirstPartyTypeKind = exports.ZodFirstPartyTypeKind || (exports.ZodFirstPartyTypeKind = {}));
})(ZodFirstPartyTypeKind || (exports.ZodFirstPartyTypeKind = ZodFirstPartyTypeKind = {}));
// requires TS 4.4+
class Class {
constructor(..._) { }
@@ -50397,6 +50568,14 @@ module.exports = require("net");
/***/ }),
/***/ 7598:
/***/ ((module) => {
"use strict";
module.exports = require("node:crypto");
/***/ }),
/***/ 8474:
/***/ ((module) => {
+1 -1
+3 -3
@@ -1,4 +1,4 @@
# Examples on how to use the Dependency Review Action
# Examples of how to use the Dependency Review Action
## Basic Usage
@@ -89,7 +89,7 @@ The following example will use a configuration file from an external public GitH
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
@@ -116,7 +116,7 @@ The following example will use a configuration file from an external private Gti
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
+483 -330
+8 -7
@@ -27,18 +27,18 @@
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@octokit/plugin-retry": "^6.1.0",
"@octokit/request-error": "^5.1.1",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.4.3",
"got": "^14.4.5",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"ts-jest": "^29.2.5",
"yaml": "^2.3.4",
"zod": "^3.23.8"
"zod": "^3.24.1"
},
"devDependencies": {
"@types/jest": "^29.5.12",
@@ -48,17 +48,18 @@
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.3",
"esbuild-register": "^3.5.0",
"esbuild-register": "^3.6.0",
"eslint": "^8.57.0",
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.1.3",
"js-yaml": "^4.1.0",
"nodemon": "^3.1.7",
"nodemon": "^3.1.9",
"prettier": "3.2.5",
"typescript": "^5.4.5"
},
"overrides": {
"cross-spawn": ">=7.0.5"
"cross-spawn": ">=7.0.5",
"@octokit/request-error@5.0.1": "5.1.1"
}
}
+4
@@ -10,6 +10,10 @@ export async function getDeniedChanges(
const changesDenied: Change[] = []
for (const change of changes) {
if (change.change_type === 'removed') {
continue
}
for (const denied of deniedPackages) {
if (
(!denied.version || change.version === denied.version) &&
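Review bot: The new early `continue` in getDeniedChanges carries the whole policy decision — removals are exempt from the deny list — but nothing at `if (change.change_type === 'removed') {` says why, so a later reader may think it is a bug. Suggest a why-comment above the `if`: `// Removing a package can never introduce a denied dependency, so only non-removal changes are matched against the deny list.` A version change presumably appears as a separate 'removed' and 'added' entry for the same package, so the added side is still evaluated; that is worth confirming against the Change model and pinning with a test that mixes a removal and an addition of the same denied name. getDeniedChanges starts before this hunk and its body continues after it.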
+1 -1
@@ -196,7 +196,7 @@ async function run(): Promise<void> {
)
} else if (error instanceof RequestError && error.status === 403) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
} else {
if (error instanceof Error) {
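Review bot: The rewritten message in the `core.setFailed(` call still attributes every 403 to Dependency graph or Advanced Security being disabled, while a 403 from the API can presumably also come from the workflow token lacking the required read permission on the repository, so the settings link may send a user to the wrong place; worth confirming against the API's documented error cases. If that is the case, append a clause such as `, and that the workflow token has read access to the repository` before the link. Switching the link to `github.context.serverUrl` is the right call for non-github.com hosts, though whether the `settings/security_analysis` path exists unchanged on those hosts is not visible here. The enclosing run() starts and ends outside this hunk.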