Bump word-wrap from 1.2.3 to 1.2.5 in /subhub-link-checker #425
dependabot[bot] wants to merge 2143 commits into master from
Feature/rsm 2358 update text
Add capabilities navbar link
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.5.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.5)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
53abc9b to 5309e62
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
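Review bot: the Install Node.js dependencies step runs `npm ci --force`, which turns off npm's install-time protections, including the error on conflicting peer dependencies, so the lockfile is installed even when its dependency graph is inconsistent; fix the peer ranges in package.json so a plain `npm ci` succeeds. Separately, `actions/checkout@v2` and `actions/setup-node@v1` reference mutable major-version tags; pinning them to a full commit SHA (with the version kept in a trailing comment so Dependabot can keep it current) gives this job the same protection the CodeQL warning on the Sentry action asks for.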
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
In general, the fix is to explicitly define a permissions block for the workflow or for the run-linters job so that the automatically provisioned GITHUB_TOKEN only has the minimal required scopes. For a pure lint job that only needs to read the code, contents: read is sufficient.

The best minimal change without altering existing functionality is to add a permissions block at the workflow root (top level, alongside name and on). This will apply to all jobs (currently just run-linters) that don't override permissions. We should set:

```yaml
permissions:
  contents: read
```

This documents that the workflow only needs read access to repo contents and ensures it remains constrained even if repository or organization defaults change later. Concretely, in .github/workflows/linting.yml, insert the permissions block between the name: Lint line and the on: block (around line 2–3). No imports or other definitions are needed.
| @@ -1,5 +1,8 @@ | ||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, | ||
| # but only for the main branch |
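Review bot: a workflow-level `permissions: contents: read` is the correct scope here: the only job, run-linters, checks out the code, installs dependencies and runs `ng lint`, none of which needs to write through GITHUB_TOKEN. Because a job-level `permissions:` key overrides the workflow default, the remaining check before merging is that no job in the file declares a broader one.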
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/[email protected] | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
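Review bot: the Output Branch step, `run: echo ${{ steps.var.outputs.branch }}`, substitutes the branch name into the shell command before the shell parses it, which is the pattern CodeQL reports as expression injection whenever the value can be chosen by a contributor; pass it through `env:` (for example `BRANCH: ${{ steps.var.outputs.branch }}` and then `echo "$BRANCH"`) so it is only ever treated as data. The `::set-output` workflow command in the Get Branch step is deprecated; write `branch=...` to the file named by `$GITHUB_OUTPUT` instead. As with the lint workflow, this job declares no `permissions:`, so GITHUB_TOKEN receives the repository's default scopes.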
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
In general, the fix is to add an explicit permissions block that grants only the minimal scopes required to run the workflow. Since this job just checks out the repository and notifies Sentry, it only needs read access to repository contents.

The best minimal change is to add permissions: contents: read at the job level for sentry-release. This documents the requirement and prevents the job from inheriting broader repository/organization defaults. No changes to steps or secrets handling are needed.

Concretely, in .github/workflows/sentry.yml, under jobs: sentry-release: name: Create Sentry Release, insert a permissions: section such as:

```yaml
jobs:
  sentry-release:
    name: Create Sentry Release
    permissions:
      contents: read
    runs-on: ubuntu-latest
```

No additional imports or methods are required, as this is pure workflow configuration.
| @@ -12,6 +12,8 @@ | ||
| jobs: | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: |
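Review bot: job-level `permissions: contents: read` on sentry-release is sufficient: the job only runs `actions/checkout` and the Sentry action, and the latter authenticates with `SENTRY_AUTH_TOKEN` from `secrets` rather than GITHUB_TOKEN, so narrowing the token does not affect the release notification.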
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/[email protected] |
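Review bot: the `uses:` line for getsentry/action-release references a version tag (the exact reference is garbled in this rendering), and a tag on a third-party action can be moved to point at different code after it has been reviewed; pin to the full commit SHA of the release and keep the tag in a trailing comment, which Dependabot's github-actions ecosystem will keep updated.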
Check warning: Code scanning / CodeQL: Unpinned tag for a non-immutable Action in workflow (Medium)
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning: Code scanning / CodeQL: Log injection (Medium)
Copilot Autofix (AI, 3 days ago):
In general, to fix log injection when logging user input, you should sanitize the input before logging: for plain-text logs, strip or replace newline and carriage-return characters (and often other control characters) so that a single log call cannot be interpreted as multiple separate log lines. It is also helpful to clearly delimit user input in the log message so that its boundaries are unambiguous.
For this specific code, the minimal, behavior-preserving fix is to avoid logging event.body directly and instead log a sanitized version. We can achieve this by converting event.body to a string (in case it is not already), removing \r and \n characters (and optionally other control chars) using String.prototype.replace with a regular expression, and logging the sanitized value. This change should be applied in hub-search-proxy/handler.js at the console.log on line 53. No new external dependencies are needed; we can rely on built-in JavaScript functionality.
Concretely:
- In hub-search-proxy/handler.js, replace the existing `` console.log(`Received query: ${event.body}`); `` with code that:
  - Safely stringifies event.body (e.g., String(event.body)).
  - Removes newline and carriage-return characters with .replace(/[\r\n]/g, '').
  - Logs the sanitized result in the same message template.

This preserves the logging purpose (seeing the query body) while preventing a malicious user from injecting extra log entries.
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
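Review bot: `String(event.body).replace(/[\r\n]/g, '')` stops CR/LF from splitting the entry, but other characters that log viewers treat specially pass through unchanged, notably ESC (terminal colour and erase sequences) and the Unicode line separators U+2028/U+2029, which some viewers render as line breaks; extend the character class to at least the ASCII control range. Two smaller points: `String(null)` and `String(undefined)` yield "null" and "undefined", acceptable for a log line but worth a comment, and the hunk removes the original `console.log` line rather than keeping it, so confirm the final file logs the body exactly once. Logging the full request body also records every search term users submit; consider logging only the fields needed for debugging, with a length cap.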
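As an added example (not code from the research-hub repository or from the Copilot suggestion above), the following JavaScript sanitiser generalises the CR/LF stripping in the suggested fix to a reusable helper for any untrusted value that ends up in a plain-text log: ANSI escape sequences are removed, every other ASCII control character is rendered as a visible `\xNN` escape so an injection attempt stays visible to whoever reads the log, and the value is delimited and length-capped so its boundaries are unambiguous. The names `sanitizeForLog`, `formatQueryLog` and `MAX_LOGGED_BODY`, and the sample request bodies, are assumptions constructed for the example.

```javascript
// Added example, not code from the research-hub repository or the Copilot
// suggestion. Sanitises an untrusted request body before it is written to a
// plain-text log, so one console.log call can never be read as several entries.
// MAX_LOGGED_BODY is an assumed limit, not a value taken from the project.

const MAX_LOGGED_BODY = 512;

// CSI sequences: ESC [ <parameters> <intermediates> <final byte>. These can
// recolour, erase or move text in a terminal-based log viewer.
const ANSI_CSI = /\x1b\[[0-9;?]*[ -/]*[@-~]/g;

// C0 control characters (0x00-0x1f, which includes \r, \n, \t and ESC) and DEL.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/g;

// Returns a single-line, length-capped rendering of `value` that is safe to
// embed in a log message. Control characters are not silently dropped but
// replaced by a visible \xNN escape, so an analyst can still see that a
// newline (or an escape sequence) was present in the original input.
function sanitizeForLog(value) {
  // Non-string bodies (an API gateway may hand over an object, null or
  // undefined) are serialised explicitly instead of relying on toString().
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  let cleaned = String(text)
    .replace(ANSI_CSI, '')
    .replace(CONTROL_CHARS, (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
  if (cleaned.length > MAX_LOGGED_BODY) {
    cleaned = cleaned.slice(0, MAX_LOGGED_BODY) + '...[truncated]';
  }
  return cleaned;
}

// Builds the one log line the handler would emit for a request body. The
// << >> delimiters mark where the user-controlled part begins and ends.
function formatQueryLog(body) {
  return `Received query: <<${sanitizeForLog(body)}>>`;
}

// Constructed sample inputs (not real traffic): a normal query, a body that
// tries to forge a second log entry, a body carrying terminal escape codes,
// and a body that arrived already parsed as an object.
const SAMPLES = {
  benign: '{"query":"open access policy","size":10}',
  forgedEntry: 'x\r\n2024-05-01T10:00:00Z INFO search ok user=admin',
  ansiHidden: 'q\x1b[2K\x1b[31mERROR storage full\x1b[0m',
  notAString: { query: 'unit' },
};

// Run stand-alone to see each sample rendered as a single log line.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(SAMPLES)) {
    console.log(`${name}: ${formatQueryLog(body)}`);
  }
}
```

Rendering control characters as escapes rather than deleting them is a deliberate choice: the log entry still occupies one line, but the attempt to inject a line break remains visible to anyone searching the logs for it.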
Bumps word-wrap from 1.2.3 to 1.2.5.

Release notes
Sourced from word-wrap's releases.

Commits
- 207044e 1.2.5
- 9894315 revert default indent
- f64b188 run verb to generate README
- 03ea082 Merge pull request #42 from jonschlinkert/chore/publish-workflow
- 420dce9 Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2
- bfa694e Update .github/workflows/publish.yml
- ace0b3c chore: bump version to 1.2.4
- 6fd7275 chore: add publish workflow
- 30d6daf chore: fix test
- 655929c chore: remove package-lock

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.