Bump typescript from 4.5.4 to 4.9.5 in /cer-graphql#386
Bump typescript from 4.5.4 to 4.9.5 in /cer-graphql#386dependabot[bot] wants to merge 2111 commits intomasterfrom
Conversation
Bumps [cypress-commands](https://github.com/Lakitna/cypress-commands) from 1.1.0 to 2.0.1. - [Release notes](https://github.com/Lakitna/cypress-commands/releases) - [Changelog](https://github.com/Lakitna/cypress-commands/blob/develop/CHANGELOG.md) - [Commits](Lakitna/cypress-commands@1.1.0...2.0.1) --- updated-dependencies: - dependency-name: cypress-commands dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * article simplification * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * case-studys page refactor * fixed width cards, minor article change * changed equipment page * changes to events * changed fundings page * changes to service page * changes to software page * changes to subhubs and standard card * set image height * removed app-cards from featured component * removed old cards components * fixed featured layout * better spacing on featured component * fixed lock icon size * fixed article layout * fixed mobile card width * fixed clickable cards * generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * article simplification * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * case-studys page refactor * fixed width cards, minor article change * changed equipment page * changes to events * changed fundings page * changes to service page * changes to software page * changes to subhubs and standard card * set image height * removed app-cards from featured component * removed old cards components * fixed featured layout * better spacing on featured component * fixed lock icon size * fixed article layout * fixed mobile card width * fixed clickable cards * generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * article simplification * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * case-studys page refactor * fixed width cards, minor article change * changed equipment page * changes to events * changed fundings page * changes to service page * changes to software page * changes to subhubs and standard card * set image height * removed app-cards from featured component * removed old cards components * fixed featured layout * better spacing on featured component * fixed lock icon size * fixed article layout * fixed mobile card width * fixed clickable cards * generated new components * first version of contact card * changed card title color * fixed elevation * first version of org unit card * first version of document card * moved cards module and components * changed mouse pointer on card * minor change to article page * Revert "minor change to article page" This reverts commit 4c66bf8. * fixed width cards, minor article change * fixed clickable cards * minor fixes * article layout fixes * fixes for case studies layout * more layout fixes * fixed unit tests * fix for equipment table * upgraded e2e test with cypress types, fixed e2e tests * fixed inconsistent bottom margin * mat-icon white on subhub child card * added missing case study references * fixed 3 column layout being too narrow * fixed you-might-be-interested-in id * fixed featured layout * fixed missing funding purpose * fixed body media error * fix nulls error on subhub pages * fixed title underline * Revert "fixed title underline" This reverts commit d92ba98. * fixed subhub child card underline Co-authored-by: Rose McColl <rosemccoll@hotmail.com>
…ypress-commands-2.0.1
…search-hub-web/cypress-commands-2.0.1 Bump cypress-commands from 1.1.0 to 2.0.1 in /research-hub-web
* initial commit for content graph * added resolver and adjustments, highlight node on hover * update lockfile version * minor fixes for null checks * added auth guard to graph route * first version of node info box * added node highlighting * improved details list and highlighting * first version of graph legend in drawer * layout fixes * layout improvements * renamed graph-legend to graph-filter * added legend, added dev env * added graph link to footer * fixed capitalisation * some fixes for unit tests * more fixes for tests * exclude GraphFilter test for now * added graph API to CSP headers (dev) * renamed graph-container * refactored graph into component * tidy up field order * changed loading behaviour, removed route resolver * fixed canvas width, colour changes * fixed color legend and search box * minor improvements * many UI improvements, added contentful link to env files * updated test and prod environment files with graph api url * some fixes for unit tests * more fixes for unit tests * minor improvements for node details UI * added graph api to csp headers in cloudfront functions * rebuild package-lock.json * added esbuild dep
* Add token references for CI build * Add missing package * Fix npm shrinkwrap issue * Fix wrong org id * Update readme * Update documentation * Add indentation and minor fixes to README * FIx minor heading issue with readme Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com>
Co-authored-by: rosemcc <rosemccoll@hotmail.com> Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com>
* chore: version update * CHORE: update versions * HOTFIX * Chore: version changes Co-authored-by: Rose <31844476+rosemcc@users.noreply.github.com> Co-authored-by: rosemcc <rosemccoll@hotmail.com> Co-authored-by: Lukas Trombach <lukas.trombach@auckland.ac.nz> Co-authored-by: Lukas Trombach <19306765+Trombach@users.noreply.github.com> Co-authored-by: etan221 <eric.tan@auckland.ac.nz>
Change feedback button text
* add initial modules and components * update search lambda * update and add new graphQL queries * add capability type to standard card * add components to routes * add capability list * reuse article default banner for capability card for now * add capability display name to pipe * first version of capability page * make tests runnable * add capability page type to search types * add navbar link to subhub * add capability list unit test * make e2e tests runnable * fix unit test * fix unit tests * add capability unit test * decapitalised navbar link * added new card background for capability * add capability e2e tests and fixture * fix capability not showing in search results * fix e2e test * add capability type to content graph * remove navbar link to be added later * fix standard card default image loading * lowercase sign in/out * move support materials to the top * fix unit test * fix navbar e2e test * move contacts to the top * minor fix for standard images * simplify standard card component * add comment explaining image height
update package versions
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.5.4 to 4.9.5. - [Release notes](https://github.com/Microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v4.5.4...v4.9.5) --- updated-dependencies: - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
lugn621
force-pushed
the
dependabot/npm_and_yarn/cer-graphql/typescript-4.9.5
branch
from
1ee543b to
61a30f3
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 14 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, this issue is fixed by explicitly setting a permissions block for the workflow or for individual jobs so that GITHUB_TOKEN has only the minimal scopes required. For this linting workflow, all steps operate on the checked-out code and do not need to write back to the repository or manage issues/PRs, so granting only contents: read is sufficient.
The best fix without changing functionality is to add a permissions section at the top level of the workflow, right after the name: Lint line (or before jobs:). This will apply to all jobs in the workflow, including run-linters, and ensure that the GITHUB_TOKEN is limited to reading repository contents. No additional imports, actions, or methods are required—this is a purely declarative change to the YAML configuration.
Concretely, in .github/workflows/linting.yml, add:
permissions:
contents: readdirectly under the existing name: Lint line. All other lines remain unchanged.
| @@ -1,4 +1,6 @@ | ||
| name: Lint | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, |
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, the problem is fixed by explicitly specifying minimal GITHUB_TOKEN permissions via a permissions: block, either at the workflow root (applies to all jobs) or within the specific job. Since there is only one job here, adding permissions under that job is straightforward and documents what the workflow actually needs.
The safest minimal change without altering existing functionality is to add permissions: contents: read to the sentry-release job. This job uses actions/checkout (which works with contents: read) and getsentry/action-release, which talks to Sentry using SENTRY_AUTH_TOKEN and does not need to write back to the GitHub repository. No other scopes (like issues, pull-requests, or packages) appear necessary based on the shown steps.
Concretely:
- Edit
.github/workflows/sentry.yml. - Under
jobs: sentry-release: name: Create Sentry Release, insert apermissions:block withcontents: readat the same indentation level asruns-on. - No imports or external dependencies are needed; this is pure workflow configuration.
| @@ -12,6 +12,8 @@ | ||
| jobs: | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: |
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general, to fix log injection when logging user-provided data to plain-text logs, remove or neutralize control characters (especially \n and \r) from the user-controlled portion before logging, and keep the overall log format unchanged. For HTML logs, you would encode HTML entities instead; here the context is plain text (console.log), so we should strip line breaks.
The best targeted fix here is to sanitize event.body right before it is interpolated into the log message. We can introduce a local variable, e.g. sanitizedBody, that is derived from event.body by converting it to a string (defensive) and removing \r and \n characters using String.prototype.replace with a regular expression. Then we log that sanitized value instead of the raw event.body. This avoids changing how the rest of the function works and preserves existing functionality, since parsing still uses the original event.body. Concretely, in hub-search-proxy/handler.js, around line 53, we should replace the single console.log line with two lines: one computing sanitizedBody and one logging it. No new imports or external libraries are needed.
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
7 participants
Bumps typescript from 4.5.4 to 4.9.5.
Release notes
Sourced from typescript's releases.
... (truncated)
Commits
ccf3d3cBump version to '4.9.5' and LKG.69e88efPort ignore deprecations to 4.9 (#52419)daf4e81Port timestamp fix to 4.9 (#52426)e286821Bump version to 4.9.4 and LKG.eb5419fCherry-pick #51704 to release 4.9 (#51712)b4d382bCherry-pick changes for narrowing to tagged literal types.e7a02f4Port of #51626 and #51689 to release-4.9 (#51627)1727912Cherry-pick fix aroundvisitEachChildto release-4.9. (#51544)93bd577Bump version to 4.9.3 and LKG.107f832Update LKG.You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)