Bump cypress from 7.7.0 to 13.6.2 in /research-hub-web#449
Bump cypress from 7.7.0 to 13.6.2 in /research-hub-web#449dependabot[bot] wants to merge 2154 commits intomasterfrom
Conversation
Login menu update
Fix failed start up due to Contentful type changes
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps [cypress](https://github.com/cypress-io/cypress) from 7.7.0 to 13.6.2. - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](cypress-io/cypress@v7.7.0...v13.6.2) --- updated-dependencies: - dependency-name: cypress dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
Dependabot tried to add |
lugn621
force-pushed
the
dependabot/npm_and_yarn/research-hub-web/cypress-13.6.2
branch
from
ed4b23b to
bd8e842
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
In general, the fix is to explicitly declare a minimal permissions block for the workflow or specific job so that the GITHUB_TOKEN has only the scopes required. For a lint-only workflow that just checks out code and runs npm/ng commands, repository contents need to be readable but no write access is required.
The best fix here is to add a workflow-level permissions section just below the name: Lint line, setting contents: read. This will apply to all jobs in this workflow (currently only run-linters) unless they override it, and it does not alter existing job behavior because the job already only reads from the repo. No additional imports or tools are needed; this is purely a YAML configuration change in .github/workflows/linting.yml.
Concretely:
- In
.github/workflows/linting.yml, insert:
permissions:
contents: read- Place it after line 1 (
name: Lint) and before theon:block, which is the standard location for workflow-level permissions. - No other lines or files need to be changed.
| @@ -1,4 +1,6 @@ | ||
| name: Lint | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # Trigger the workflow on push or pull request, |
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
To fix the problem, explicitly declare minimal permissions for the workflow/job so that the GITHUB_TOKEN has only the access it needs. In this case, the job just checks out the repository and sends release info to Sentry; that only requires read access to repository contents.
The best fix without changing functionality is to add a permissions block with contents: read. This can be added either at the workflow root (affecting all jobs) or under the sentry-release job. Since there is only one job shown, adding it at the root level (right after name: Sentry Release) is clear and future‑proof. No additional imports or methods are needed—this is purely a YAML configuration change inside .github/workflows/sentry.yml, near the top of the file.
| @@ -1,4 +1,6 @@ | ||
| name: Sentry Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/action-release@v1.1.6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
In general, to fix log injection when logging user-controlled data, you should sanitize the data before logging by removing or normalizing line breaks and other control characters, and ensure it is clearly delimited in the log entry. For plain-text logs, a minimal and effective mitigation is to strip \r and \n characters from the user input before interpolation.
For this specific code, the best fix with minimal functional impact is to introduce a sanitized version of event.body just for logging, while leaving the original event.body intact for parsing and processing. We can do this by creating a new variable (e.g., sanitizedBodyForLog) that either (a) falls back to an empty string if event.body is not a string, and (b) strips \r and \n characters from it using String.prototype.replace with a regular expression. Then use this sanitized variable in the console.log call on line 53. This avoids changing how the request is handled and parsed while ensuring that log output cannot be split by attacker-controlled newlines.
Concretely:
- In
hub-search-proxy/handler.js, withinmodule.exports.search, replace the single log lineconsole.log(\Received query: ${event.body}`);` with a small snippet:- Define
let sanitizedBodyForLog = ''; - If
typeof event.body === 'string', setsanitizedBodyForLog = event.body.replace(/\r|\n/g, ''); - Log
sanitizedBodyForLoginstead ofevent.body.
No new imports or external libraries are required; we rely only on built-in string methods.
- Define
| @@ -50,7 +50,11 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| let sanitizedBodyForLog = ''; | ||
| if (typeof event.body === 'string') { | ||
| sanitizedBodyForLog = event.body.replace(/\r|\n/g, ''); | ||
| } | ||
| console.log(`Received query: ${sanitizedBodyForLog}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
7 participants
Bumps cypress from 7.7.0 to 13.6.2.
Release notes
Sourced from cypress's releases.
... (truncated)
Commits
ce8ee60chore: release 13.6.2 (#28589)77d661bchore: adds SKIP_RELEASE_CHANGELOG_VALIDATION_FOR_BRANCHES to verify-mocha-re...fd02263chore: upgrade nvm on windows so we can install node 20 in kitchensink binary...d6f356fchore: update changelog to fix release readiness check (#28551)3eece90chore: Revert "chore: moves fix annotation to dependency update section" (#28...38049f2misc: moves fix annotation to dependency update section (#28549)9c46519chore: increases windows resourcing (#28494)fa971f1perf: improve performance when finding unique selectors for Test Replay (#28536)17eea15docs: Add more descriptive changelog entry since this bug is fixed. [skip ci]...3725158dependency: Bump ts-node to 10.9.2 (#28528)Maintainer changes
This version was pushed to npm by cypress-npm-publisher, a new releaser for cypress since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)