Bump crypto-js from 4.1.1 to 4.2.0 in /research-hub-web#415
Bump crypto-js from 4.1.1 to 4.2.0 in /research-hub-web#415dependabot[bot] wants to merge 2148 commits intomasterfrom
Conversation
Expandable page part
Add capabilities navbar link
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
dependabot
bot
added
the
dependencies
|
Dependabot tried to add |
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps [crypto-js](https://github.com/brix/crypto-js) from 4.1.1 to 4.2.0. - [Commits](brix/crypto-js@4.1.1...4.2.0) --- updated-dependencies: - dependency-name: crypto-js dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/crypto-js-4.2.0
branch
from
30ced6e to
94ac4e2
Compare
lugn621
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/crypto-js-4.2.0
branch
from
94ac4e2 to
e601f7e
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
In general, the problem is fixed by explicitly setting permissions for the GITHUB_TOKEN either at the workflow root (applies to all jobs) or inside each job, granting only the minimal required scopes, typically contents: read for a pure linting job.
For this specific workflow, the simplest, least intrusive fix is to add a permissions: block at the top level (next to name: and on:), setting contents: read. This documents and enforces that the workflow only needs read access to repository contents, matching its actual behavior (checkout and lint) without changing existing functionality. No imports or external methods are involved because this is purely a YAML configuration change.
Concretely, in .github/workflows/linting.yml, insert:
permissions:
contents: readbetween the name: Lint line and the on: block. No other changes are needed.
| @@ -1,5 +1,8 @@ | ||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, | ||
| # but only for the main branch |
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
In general, the problem is fixed by adding an explicit permissions block to the workflow or to the specific job, restricting the GITHUB_TOKEN to the minimal required scopes (typically contents: read for workflows that only need to read the repository). This both documents the intended privileges and prevents accidental privilege escalation if org/repo defaults change.
For this specific workflow, the sentry-release job checks out the repository and invokes getsentry/action-release with Sentry credentials. From the snippet, it does not modify GitHub issues, pull requests, or releases directly. The minimal safe permissions are therefore contents: read. The cleanest fix is to add a permissions: block under the sentry-release job definition (after runs-on: ubuntu-latest), setting contents: read. This will not change existing functionality, because read access to repository contents is already implied by current defaults and needed for actions/checkout@v2 to work.
No additional methods, imports, or definitions are necessary—only the new YAML keys within .github/workflows/sentry.yml.
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
In general, the fix is to sanitize untrusted data (here, event.body) before including it in log messages. For text logs, the main concern is line breaks and other control characters that can alter the structure of the log output. We should therefore create a sanitized version of event.body with \r and \n removed (and optionally other control characters), and log that instead. This preserves the content for debugging while preventing attackers from injecting extra log lines.
The best minimal fix in this file is to introduce a sanitized local variable right before logging, using String.prototype.replace with a regular expression that strips carriage returns and newlines from event.body, and then use that variable in the console.log call. For example, on line 53 we can change from logging event.body directly to: compute const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); and log sanitizedBody. Using String(...) guarantees that even if event.body is not a string, the code won’t throw. No new imports are needed; this uses only built-in JavaScript functionality.
Concretely, in hub-search-proxy/handler.js within the module.exports.search function, we will replace the existing console.log line with two lines: one to sanitize the body and one to log the sanitized value. All other behavior in the function remains unchanged.
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/[\r\n]/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
7 participants
Bumps crypto-js from 4.1.1 to 4.2.0.
Commits
808f499Merge branch 'release/4.2.0'd5af3aeUpdate release notes.9496e07Bump version.421dd53Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...d1f4f4dUpdate grunt.c755289Discontinued1da3dabDiscontinued4dcaa7aMerge pull request #380 from Alanscut/dev762feb2chore: rename BF to Blowfishfb81418feat: blowfish supportDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.