chore(deps): update dependency semantic-release to v17 [security]#602
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency semantic-release to v17 [security]#602renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
82a8e0c to
cc92c74
Compare
cc92c74 to
bf23738
Compare
bf23738 to
546e22a
Compare
546e22a to
a0fa738
Compare
a0fa738 to
81d3ffb
Compare
81d3ffb to
22bd405
Compare
22bd405 to
6d7b2dd
Compare
6d7b2dd to
72d37b1
Compare
72d37b1 to
d3750cc
Compare
d3750cc to
2cd2c66
Compare
2cd2c66 to
a2b20c5
Compare
a2b20c5 to
5b72cdf
Compare
9cb4292 to
8f81790
Compare
8f81790 to
657bad6
Compare
657bad6 to
75b8542
Compare
6e03ccd to
8e2ad03
Compare
8e2ad03 to
96e398c
Compare
a314064 to
cbb6ee3
Compare
8786865 to
d77670e
Compare
3d0e27f to
550f086
Compare
550f086 to
6efdb7e
Compare
6efdb7e to
787f390
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
15.14.0→17.2.3Secret disclosure when containing characters that become URI encoded
CVE-2020-26226 / GHSA-r2j6-p67h-q639
More information
Details
Impact
Secrets that would normally be masked by
semantic-releasecan be accidentally disclosed if they contain characters that become encoded when included in a URL.Patches
Fixed in v17.2.3
Workarounds
Secrets that do not contain characters that become encoded when included in a URL are already masked properly.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
semantic-release/semantic-release (semantic-release)
v17.2.3Compare Source
Bug Fixes
v17.2.2Compare Source
Bug Fixes
v17.2.1Compare Source
Reverts
v17.2.0Compare Source
Features
v17.1.2Compare Source
Bug Fixes
v17.1.1Compare Source
Bug Fixes
v17.1.0Compare Source
Features
v17.0.8Compare Source
Bug Fixes
v17.0.7Compare Source
Bug Fixes
v17.0.6Compare Source
Bug Fixes
v17.0.5Compare Source
Bug Fixes
v17.0.4Compare Source
Bug Fixes
repositoryUrlin logs (55be0ba)v17.0.3Compare Source
Bug Fixes
getGitAuthUrl(e7bede1)v17.0.2Compare Source
Bug Fixes
v17.0.1Compare Source
Bug Fixes
v17.0.0Compare Source
BREAKING CHANGES
v16.0.4Compare Source
Bug Fixes
v16.0.3Compare Source
Bug Fixes
--no-verifywhen testing the Git permissions (b54b20d)v16.0.2Compare Source
Bug Fixes
v16.0.1Compare Source
Bug Fixes
v16.0.0Compare Source
BREAKING CHANGES
v16.0.0@​betausers only:In v16, a JSON object stored in a Git note is used to keep track of the channels on which a version has been released, the
@{channel}suffix is no longer necessary.The tags formatted as v{version}@{channel} will now be ignored. If you have releases using this format you will have to upgrade them:
v{version}@​{channel}{"channels":["channel1","channel2"]}and usingnullfor the default channel (for example.{"channels":[null,"channel1","channel2"]})Require Node.js >= 10.13
Git CLI version 2.7.1 or higher is now required: The
--mergeoption of thegit tagcommand has been added in Git version 2.7.1 and is now used by semantic-releaseRegexp are not supported anymore for property matching in the
releaseRulesoption.Regex are replaced by globs. For example
/core-.*/should be changed to'core-*'.The
branchoption has been removed in favor ofbranchesThe new
branchesoption expect either an Array or a single branch definition. To migrate your configuration:master: nothing to changebranchconfiguration and want to publish only from one branch: replacebranchwithbranches("branch": "my-release-branch"=>"branches": "my-release-branch")Features
addChannelplugins to returnfalsein order to signify no release was done (e1c7269)publishplugins to returnfalsein order to signify no release was done (47484f5)Performance Improvements
git tag --merge <branch>to filter tags present in a branch history (cffe9a8)Bug Fixes
channelto publish success log (5744c5e)ERELEASEBRANCHESerror message (#1188) (37bcc9e)cioption via API and config file (2faff26)getTagHeadonly when necessary (de77a79)successplugin only once for releases added to a channel (9a023b4)addChannelfor 2 merged branches configured with the same channel (4aad9cd)false(751a5f1)getError(f96c660)await(9a1af4d)get-tagsalgorithm (00420a8)branchparameter frompushfunction (968b996)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.