chore(deps): bump axios from 1.13.6 to 1.17.0#116
Closed
dependabot[bot] wants to merge 1 commit into
Bumps [axios](https://github.com/axios/axios) from 1.13.6 to 1.17.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.17.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
alizard0 pushed a commit that referenced this pull request on Jun 16, 2026:
…redhat-developer#4574)

* feat(install-dynamic-plugins): port from Python to TypeScript/Node.js

* feat(install-dynamic-plugins): port main's Python script changes into the TS implementation

Brings the TS port back in sync with three commits that landed on main while this PR was open:

- redhat-developer#4576 (OCI disable pre-merge): pre-compute the set of OCI registries that will be effectively disabled after merging, then filter them out of every plugin list before the merge calls skopeo. Avoids wasted remote fetches for plugins the operator already disabled at a higher level. New helpers in src/merger.ts (preMergeOciDisabledState, filterDisabledOciPlugins) and src/oci-key.ts (tryParseOciRegistryAndPath). loadAllPlugins() in src/index.ts now reads every include file up front so the pre-merge pass can run before mergePlugin() touches the OCI cache.
- redhat-developer#4666 (MAX_ENTRY_SIZE bump): default from 20MB to 40MB.
- redhat-developer#4655 (EXTRA_CATALOG_INDEX_IMAGES): comma-separated catalog index images, each extracted into <CATALOG_ENTITIES_EXTRACT_DIR>/extra/<name>/catalog-entities. New helpers in src/catalog-index.ts (extractCatalogIndexLayers refactored out of extractCatalogIndex, extractExtraCatalogIndex, parseExtraCatalogIndexImages, imageRefToSubdirectory). New maybeExtractExtraCatalogIndexes() in src/index.ts wires it into runInstaller after the primary catalog index.

Tests: 27 new cases under __tests__/merger-pre-merge.test.ts (15) and __tests__/extra-catalog-index.test.ts (12) covering the level-override matrix, ambiguous-pathless detection, same-level duplicates, invalid OCI strings, extensions/marketplace fallback, missing-entities warning, and the duplicate-subdir overwrite warning ordering. Existing tar-extract.test.ts + types.test.ts updated for the new 40MB default. All 155 vitest cases pass. Bundle rebuilt.

* fix(install-dynamic-plugins): inline prototype-pollution guard for CodeQL

The shared Set.has() lookup wasn't recognised by CodeQL's js/prototype-polluting-function rule as an exhaustive sanitizer, even though Object.defineProperty already bypasses the __proto__ setter. Replace it with the inlined string-literal pattern CodeQL accepts. Closes CodeQL alert #116 on PR redhat-developer#4574 (safeSet at merger.ts:36).

* fix(install-dynamic-plugins): address SonarQube findings on PR redhat-developer#4574

- catalog-index.ts: invert the eq===-1 branch so the positive case comes first (Sonar S3923 'Unexpected negated condition').
- index.ts: drop five redundant type assertions on PluginSpec / Plugin / IncludePluginList — TS already narrows correctly thanks to PluginSpec being a structural subset of Plugin and Array of being assignable to ReadonlyArray.
- merger.ts:
  * Split preMergeOciDisabledState into top-level helpers (processOciEntry, recordEntryState, recordRegistryPath, validateAmbiguousPathless, effectiveRegistryDisabled, computeDisabledRegistries) so the orchestrator stays well under the cognitive-complexity ceiling.
  * Replace the nested ternary in the explicit-paths sort with String#localeCompare.
  * Replace 'bucket && bucket.size === 1' with optional-chain 'bucket?.size === 1'.
  * Drop a stray NUL byte in the entry-key template that crept in via an early Edit and was making the file impossible to diff in a few tools.

155 vitest cases still pass; bundle rebuilt.

* fix(install-dynamic-plugins): validate EXTRA_CATALOG_INDEX_IMAGES subdir names

Qodo's persistent review flagged that the explicit 'name=<ref>' form of EXTRA_CATALOG_INDEX_IMAGES does not validate 'name', so an operator could accidentally (or maliciously) extract an extra catalog index outside of '<entitiesDir>/extra/' by passing names containing '..' or path separators. The auto-derived form is already safe because imageRefToSubdirectory strips '/', ':', and '@'.

Add isSafeSubdirectoryName() that rejects empty names, '.', '..', and any name containing '/' or '\\'. Parsing logs a warning and skips the entry instead of crashing the installer, matching the existing 'empty image reference' handling. 6 new vitest cases cover the rejected forms and document that the check is character-based (so URL-encoded separators like '%2F' are accepted verbatim rather than decoded). Bundle rebuilt (225.6 kB).

* refactor(install-dynamic-plugins): apply self-review improvements

Targeted cleanups identified in the in-conversation review. No behaviour changes outside of the two defense-in-depth guards listed below.

Correctness/security:
- installer-npm.ts: validate that the filename emitted by 'npm pack --json' is flat (no '/', no '\\', no leading '..') before joining it to 'destination'. A registry returning '../evil.tgz' would otherwise let extraction escape.
- installer-oci.ts: replace 'pkg.split("!")' with an indexOf-based splitOciPackage helper so plugin paths containing a literal '!' are no longer silently truncated. Applied to both the install path and the Always-policy digest comparison.
- catalog-index.ts: re-validate 'subdirectory' inside extractExtraCatalogIndex itself instead of trusting all callers to go through parseExtraCatalogIndexImages. Five new vitest cases cover the rejected forms.
- index.ts: drop the existsSyncSafe wrapper and use Node's existsSync directly (the wrapper was a literal reimplementation that also conflated 'doesn't exist' with 'no read permission').
- image-cache.ts: surface a typed InstallException with the image ref when 'io.backstage.dynamic-packages' is unparseable, instead of letting JSON.parse crash the install.

Maintainability:
- types.ts: new effectivePullPolicy() helper centralises the ':latest!' fallback that was duplicated between installer-oci.ts and definitelyNoOp in index.ts.
- merger.ts: copyPluginFields now uses a for-of loop with safeSet (same prototype-pollution guard as deepMerge) instead of building an intermediate object via Object.fromEntries. effectiveRegistryDisabled drops the 'as string' cast via destructuring + undefined check. IncludePluginList downgraded from exported to internal.
- tar-extract.ts: comment the POSIX assumption around the pluginPathBoundary check; the trailing slash is unambiguous now.
- index.ts: destructure process.argv to remove the 'as string' cast.
- installer-npm.ts: extract isNpmPackJsonEntry() type guard so the install path stays linear.
- concurrency.ts: replace the magic-number worker caps (6/3) with MAX_OCI_WORKERS / MAX_NPM_WORKERS named constants.
- catalog-index.ts: simplify isSafeSubdirectoryName (the second clause was unreachable once '/' and '\\' were rejected upfront).

166 vitest cases (was 161; +5 new defense-in-depth tests). Bundle rebuilt (226.0 kB).

* refactor(install-dynamic-plugins): polish merger.ts type assertions

- Generic 'safeSet<T extends object>' removes the awkward 'dst as unknown as Record<string, unknown>' double-cast in copyPluginFields. The Object.defineProperty signature already accepts any object, so the constraint widening is enough.
- Drop the redundant 'as unknown' on parseYaml's return in mergePluginsFromFile — yaml v2's parse() is already typed unknown.

No behaviour changes. 166 vitest cases still pass.

* ci(install-dynamic-plugins): emit JUnit XML for Codecov test analytics

The 'Upload test results to Codecov' step at the monorepo level looks at $RUNNER_TEMP/test-results/ for JUnit reports. Because this PR doesn't touch any yarn workspace, 'yarn run test --affected' skips all workspace tests and the directory ends up empty — codecov[bot] then posts a 'JUnit XML file not found' warning on the PR.

Run vitest with the junit reporter so it writes its own report into $RUNNER_TEMP/test-results/install-dynamic-plugins.junit.xml; the existing test-results-action then finds it (alongside any workspace reports) and the warning stops firing. No new upload step needed — test-results-action already searches that directory.

Verified locally: 'JUNIT report written to /tmp/.../junit.xml' (166 testcases serialized).

* ci(install-dynamic-plugins): run vitest before Codecov test-results upload

The previous attempt at producing a JUnit report didn't take effect because the step ordering put it AFTER the 'Upload test results to Codecov' step. The Codecov log confirmed this:

  14:33:08 error - No JUnit XML reports found.
  14:33:16 JUNIT report written to .../install-dynamic-plugins.junit.xml

Move the install-dynamic-plugins test step before the monorepo 'Run tests' so its JUnit report lands in $RUNNER_TEMP/test-results/ in time for the existing upload step to pick it up. The bundle freshness check stays where it was (after the uploads) so it doesn't delay the upload-bearing path further.
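As an added example, not the referenced commit's own code: the three defence-in-depth guards the commit message describes (the prototype-pollution-safe safeSet, isSafeSubdirectoryName for the explicit 'name=<ref>' form of EXTRA_CATALOG_INDEX_IMAGES, and the flat-filename check for 'npm pack --json' output), reimplemented from the description alone. Function names follow the message; their bodies, the mergeInto helper and the exact list of rejected keys are assumptions.

```typescript
// Added example (not the install-dynamic-plugins code): the three guards described
// in the commit message above, rewritten from that description. Names follow the
// message; the bodies, mergeInto and the rejected-key list are assumptions.

// Guard 1: prototype-pollution-safe property write. The string-literal comparisons
// are the inlined pattern the message says CodeQL accepts; Object.defineProperty
// creates an own property, so a "__proto__" key never reaches the setter anyway.
function safeSet<T extends object>(dst: T, key: string, value: unknown): void {
  if (key === "__proto__" || key === "constructor" || key === "prototype") {
    return; // drop polluting keys instead of writing them
  }
  Object.defineProperty(dst, key, {
    value,
    enumerable: true,
    writable: true,
    configurable: true,
  });
}

// Guard 2: subdirectory names supplied via 'name=<ref>' must stay inside
// <entitiesDir>/extra/. The check is character-based, as the message documents:
// '%2F' is not decoded and is therefore accepted verbatim.
function isSafeSubdirectoryName(name: string): boolean {
  if (name === "" || name === "." || name === "..") return false;
  return !name.includes("/") && !name.includes("\\");
}

// Guard 3: the filename reported by 'npm pack --json' must be flat before it is
// joined to the destination directory, so a registry-supplied '../evil.tgz'
// cannot make extraction escape it.
function isFlatPackFilename(filename: string): boolean {
  return (
    filename !== "" &&
    !filename.includes("/") &&
    !filename.includes("\\") &&
    !filename.startsWith("..")
  );
}

// Merge helper that routes every write through safeSet, so a parsed YAML/JSON
// document carrying {"__proto__": {"polluted": true}} cannot touch Object.prototype.
function mergeInto(dst: Record<string, unknown>, src: Record<string, unknown>): Record<string, unknown> {
  for (const [k, v] of Object.entries(src)) {
    safeSet(dst, k, v);
  }
  return dst;
}
```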
Author
Looks like axios is up-to-date now, so this is no longer needed.
Commits
- 4306df2 chore: add fun 88 sponsorship
- 931cc8f chore(release): prepare release 1.17.0 (#10983)
- 38ba1b3 fix(fetch): support basic auth from URL (#10896)
- 32e2515 fix: replace ternary side effect in script (#10931)
- 030e722 chore(deps): bump axios from 1.15.2 to 1.16.1 in /docs (#10960)
- ec63164 chore: remove openspec (#10958)
- 3dec28f fix(http): preserve TLS options for proxy tunnels (#10957)
- a2390a5 fix: correct isCancel type to narrow to CanceledError<T> (#10952)
- fa01b92 chore(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /docs (#10954)
- 2d2314a fix: AxiosHeaders toJSON() return types (#10956)

Install script changes
This version modifies the prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.