Bump @babel/traverse from 7.16.8 to 7.23.2 in /cer-graphql #412
dependabot[bot] wants to merge 2148 commits into master from
Conversation
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.16.8 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
c8910de to 59a5575
59a5575 to d9b9c6c
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
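Review bot: this job has no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN scope although nothing here needs more than `contents: read`; add that at the job or workflow level. In the same hunk, `actions/checkout@v2` and `actions/setup-node@v1` are mutable major tags (pin to a commit SHA, or at minimum a current major that still receives updates), `npm ci --force` silences peer-dependency conflicts (ERESOLVE) rather than resolving them, so the lockfile should be corrected instead of forced, and `npm install -g @angular/cli` installs whatever version is current at run time; pin it (`npm install -g @angular/cli@<version>`) or run the project's own CLI with `npx ng lint`.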
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 6 days ago)
In general, this problem is fixed by adding an explicit permissions block that restricts the GITHUB_TOKEN to the least privileges required. For a lint-only workflow that just checks out code and installs dependencies, contents: read is sufficient at the workflow or job level.
The best fix here is to define a workflow-level permissions block right after the name: Lint line so it applies to all jobs (currently just run-linters). The block should set contents: read, which is the minimal recommended starting point and is enough for actions/checkout and reading the repo content; npm install and ng lint do not need any GitHub write permissions. No additional methods, imports, or other definitions are required—this is a pure YAML configuration change within .github/workflows/linting.yml.
Specifically, in .github/workflows/linting.yml, insert:

    permissions:
      contents: read

between line 1 (name: Lint) and line 3 (on:), adjusting line numbers accordingly. No other changes are needed.
| @@ -1,5 +1,8 @@ | ||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, | ||
| # but only for the main branch |
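Review bot: a workflow-level `contents: read` is the right scope for a lint-only workflow, and it is correctly placed before `on:`; if a later job is ever added that must write (for example posting lint results as checks or comments), give that job its own `permissions:` override rather than widening this top-level block, because the top-level value becomes the ceiling every job inherits.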
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
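Review bot: `echo ::set-output name=branch::...` uses the deprecated `set-output` workflow command; write `branch=${GITHUB_REF#refs/*/}` to `$GITHUB_OUTPUT` instead. The branch name is then interpolated with `${{ steps.var.outputs.branch }}` directly into a `run:` script and into `environment:`; a Git branch name can carry shell metacharacters such as `;`, `$` and backticks, so pass it through `env:` (`BRANCH: ${{ steps.var.outputs.branch }}`) and quote it (`run: echo "$BRANCH"`) rather than splicing it into the script text. `getsentry/action-release@v1.1.6` is a movable tag (see the separate CodeQL finding) and should be pinned to a commit SHA, and since no step after checkout pushes, `actions/checkout` should set `persist-credentials: false` so the token is not left in `.git/config` for the third-party action to read.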
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 6 days ago)
In general, to fix this issue you add a permissions key either at the root of the workflow (applies to all jobs) or within the specific job block, and set the least privileges needed (often contents: read for simple CI tasks). Since this workflow only checks out code and calls Sentry using a secret token, it does not need to write to the GitHub repository, so contents: read is sufficient.
The best fix here without changing existing functionality is to add a permissions block at the workflow root, just under the name: (or at least before jobs:), setting contents: read. This restricts the GITHUB_TOKEN to read-only access to repository contents while leaving all existing steps intact. No imports or additional methods are needed; this is a pure YAML configuration change in .github/workflows/sentry.yml around the top of the file, after line 1 and before line 3.
| @@ -1,4 +1,6 @@ | ||
| name: Sentry Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
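Review bot: placement and scope are correct, and read-only is enough because the Sentry step authenticates with `SENTRY_AUTH_TOKEN`, not `GITHUB_TOKEN`; note that this block only limits the token, it does nothing about the unquoted branch-name interpolation in the later `run:` step, which needs its own change.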
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
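Review bot: `@v1.1.6` is still a Git tag, and whoever controls the getsentry/action-release repository can re-point it, which is what "non-immutable" means in the finding; pin to the full 40-character commit SHA that v1.1.6 currently resolves to (look it up in the action's repository) and keep the version as a trailing comment, for example `uses: getsentry/action-release@<commit-sha> # v1.1.6` (the SHA is a placeholder here), then let Dependabot's `github-actions` ecosystem keep the SHA current.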
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
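Review bot: `event.body` is the raw request body, so this template literal writes attacker-controlled text, including CR/LF and terminal escape sequences, straight into the function's log, which is the log-injection sink CodeQL reports; strip control characters (not only `\r` and `\n`) and wrap the value in `JSON.stringify` so it is delimited, or log only the fields the handler actually needs after `JSON.parse`, which also avoids recording the entire body.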
Check warning (Code scanning / CodeQL): Log injection. Severity: Medium
Copilot Autofix (AI, 6 days ago)
In general, to fix this sort of problem, any user-controlled input written to logs should be sanitized before logging. For plain-text logs, removing line breaks (\n, \r) and optionally other control characters is usually sufficient to prevent log entry spoofing. It also helps to clearly delimit or label user-provided values in the log message.
For this specific case, the best fix with minimal behavior change is to sanitize event.body just for logging, without altering the actual request processing. We can introduce a local sanitizedBody variable, derived from event.body, where we strip \n and \r (and optionally other control characters) using String.prototype.replace. We will only use sanitizedBody in the console.log call; the existing parsing logic JSON.parse(event.body) remains unchanged. This keeps application behavior identical while making logs safe.
Concretely, in hub-search-proxy/handler.js within module.exports.search, around line 53:
- Replace console.log(`Received query: ${event.body}`); with:
  - A sanitizedBody variable that coerces event.body to string and removes \r/\n.
  - A new log statement using sanitizedBody.
No new imports or external dependencies are required.
| @@ -50,10 +50,10 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; | ||
| let from = 0; | ||
| let queryFilters = {}; | ||
| let queryFiltersCount = 0; |
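Review bot: as rendered, the original `console.log(\`Received query: ${event.body}\`)` still sits directly above the sanitized call; if that line is not the removed side of the diff, the raw body is still logged and the fix is a no-op, so confirm the hunk deletes it. The `/[\r\n]/g` class also leaves other control characters in place (tab, backspace, and ESC, which drives ANSI sequences in terminal-rendered logs); widen it to `/[\u0000-\u001f\u007f-\u009f]/g`, and since the whole request body is logged, consider truncating it. Leaving `JSON.parse(event.body)` on the original value is correct; sanitizing only the logged copy does not change request handling.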
Bumps @babel/traverse from 7.16.8 to 7.23.2.
Release notes
Sourced from @babel/traverse's releases. (truncated)
Changelog
Sourced from @babel/traverse's changelog. (truncated)
Commits
- b4b9942 v7.23.2
- b13376b Only evaluate own String/Number/Math methods (#16033)
- ca58ec1 v7.23.0
- 0f333da Add createImportExpressions parser option (#15682)
- 3744545 Fix linting
- c7e6806 Add t.buildUndefinedNode (#15893)
- 38ee8b4 Expand evaluation of global built-ins in @babel/traverse (#15797)
- 9f3dfd9 v7.22.20
- 3ed28b2 Fully support || and && in pluginToggleBooleanFlag (#15961)
- 77b0d73 v7.22.19

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.