Merged
marcusmai-telia (Collaborator) commented Apr 8, 2026
- chore: add TerryHowe to owners and code owners (oras-project/setup-oras#152)
- chore(deps): Bump typescript from 5.9.3 to 6.0.2 (oras-project/setup-oras#151)
- chore(deps): Bump @types/node from 25.0.3 to 25.5.0 (oras-project/setup-oras#149)
- Add version 1.3.1 with checksums from … (oras-project/setup-oras#150)
- feat: migrate action runtime from node20 to node24 (oras-project/setup-oras#153)
- fix: pin undici to >=6.24.1 to address CVEs (oras-project/setup-oras#157)
- chore(deps): Bump @types/node from 24.12.0 to 25.5.2 (oras-project/setup-oras#158)
- chore(deps): bump @actions/core to 3.x and @actions/tool-cache to 4.x (oras-project/setup-oras#159)
- chore: release v2.0.0 (oras-project/setup-oras#160)
## Summary
- Add @TerryHowe to OWNERS.md as a project owner
- Add @TerryHowe to CODEOWNERS for code review assignments

Signed-off-by: Terry Howe <thowe@nvidia.com>
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.2.

Release notes (sourced from [typescript's releases](https://github.com/microsoft/TypeScript/releases)):

TypeScript 6.0: for release notes, check out the [release announcement blog post](https://devblogs.microsoft.com/typescript/announcing-typescript-6-0/).
- [fixed issues query for TypeScript 6.0.0 (Beta)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+6.0.0%22)
- [fixed issues query for TypeScript 6.0.1 (RC)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+6.0.1%22)
- [fixed issues query for TypeScript 6.0.2 (Stable)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+6.0.2%22)

Downloads are available on [npm](https://www.npmjs.com/package/typescript).

TypeScript 6.0 Beta: for release notes, check out the [release announcement](https://devblogs.microsoft.com/typescript/announcing-typescript-6-0-beta/).
- [fixed issues query for Typescript 6.0.0 (Beta)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+6.0.0%22+is%3Aclosed+)

Downloads are available on [npm](https://www.npmjs.com/package/typescript).

Commits:
- [`607a22a`](https://github.com/microsoft/TypeScript/commit/607a22a90d1a5a1b507ce01bb8cd7ec020f954e7) Bump version to 6.0.2 and LKG
- [`9e72ab7`](https://github.com/microsoft/TypeScript/commit/9e72ab71b575e26795d0d9eac3d2d9957beed17c) 🤖 Pick PR [#63239](https://redirect.github.com/microsoft/TypeScript/issues/63239) (Fix missing lib files in reused pro...) into release-6.0 (#...
- [`35ff23d`](https://github.com/microsoft/TypeScript/commit/35ff23d4b0cc715691323ebe54f523c16fe6e3a5) 🤖 Pick PR [#63163](https://redirect.github.com/microsoft/TypeScript/issues/63163) (Port anyFunctionType subtype fix an...) into release-6.0 (#...
- [`e175b69`](https://github.com/microsoft/TypeScript/commit/e175b69138038953d4e85bf6529afe88d56d8fbe) Bump version to 6.0.1-rc and LKG
- [`af4caac`](https://github.com/microsoft/TypeScript/commit/af4caac0e91e838c46b3fdc1c9afacad68800f89) Update LKG
- [`8efd7e8`](https://github.com/microsoft/TypeScript/commit/8efd7e8544d8b35c9b33bca44a3124aa2613bf09) Merge remote-tracking branch 'origin/main' into release-6.0
- [`206ed1a`](https://github.com/microsoft/TypeScript/commit/206ed1a00ffde637d821bbb3172d1488e3d949e8) Deprecate assert in import() ([#63172](https://redirect.github.com/microsoft/TypeScript/issues/63172))
- [`e688ac8`](https://github.com/microsoft/TypeScript/commit/e688ac8bc3cbb698c4341ee06401bd6beeb1c4ba) Update dependencies ([#63156](https://redirect.github.com/microsoft/TypeScript/issues/63156))
- [`29b300d`](https://github.com/microsoft/TypeScript/commit/29b300deb56c775f19c2f0528012896e4d1db3e0) Bump the github-actions group across 1 directory with 2 updates ([#63205](https://redirect.github.com/microsoft/TypeScript/issues/63205))
- [`0c2c7a3`](https://github.com/microsoft/TypeScript/commit/0c2c7a358297d66df690230deaed8c98e7d77c04) DOM update ([#63183](https://redirect.github.com/microsoft/TypeScript/issues/63183))
- Additional commits viewable in [compare view](https://github.com/microsoft/TypeScript/compare/v5.9.3...v6.0.2)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options. You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Terry Howe <thowe@nvidia.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.0.3 to 25.5.0.

Commits: see full diff in [compare view](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node).

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Terry Howe <thowe@nvidia.com>
checksums source: https://github.com/oras-project/oras/releases/download/v1.3.1/oras_1.3.1_checksums.txt. Modified files similar to commit oras-project@22ce207 (then for v1.3.0), but now for 1.3.1. The long single-line JSON in index.js is basically the same as releases.json; it has the 1.3.1 entries appended and the JSON compressed. setup-oras still lacked the new version 1.3.1, which fixed critical vulnerabilities in the Go language (CVE-2025-68121 and others, less critical).

---------

Signed-off-by: Bastian Birke <bastian.birke@vidispine.com>
Co-authored-by: Terry Howe <thowe@nvidia.com>
Migrates the action runtime from node20 to node24, based on the work by @cvs79 in oras-project#146 with additional fixes for the check-dist build failure.

Changes from oras-project#146:
- action.yml: node20 -> node24
- check-dist.yml: Node 16.x -> 24.x
- Bump @actions/core and @actions/tool-cache
- Rebuild dist/

Additional fixes:
- Pin @types/node to ^24.0.0 (was ^25.5.0, which targets Node 25 and breaks TypeScript compilation)
- Add "types": ["node"] to tsconfig.json (required by TypeScript 6)

Closes oras-project#145

---------

Signed-off-by: Chris van Sluijsveld <cvs79@msn.com>
Signed-off-by: Terry Howe <thowe@nvidia.com>
Signed-off-by: Dylan M. Taylor <dylan@dylanmtaylor.com>
Co-authored-by: Chris van Sluijsveld <cvs79@msn.com>
Co-authored-by: Terry Howe <thowe@nvidia.com>
Co-authored-by: Terry Howe <terrylhowe@gmail.com>
Add overrides to force undici>=6.24.1, patching:
- GHSA-f269-vfmq-vjvj: 64-bit length overflow crashes WebSocket client
- GHSA-2mjp-6q6p-2qxm: HTTP Request/Response Smuggling
- GHSA-vrm6-8vpv-qv8q: Unbounded memory in WebSocket permessage-deflate
- GHSA-v9p9-hfj2-hcw8: Unhandled exception in WebSocket client
- GHSA-4992-7rv2-5pvq: CRLF Injection via upgrade option

Rebuild dist/ with updated dependency.

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Co-authored-by: Terry Howe <terrylhowe@gmail.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.12.0 to 25.5.2.

Commits: see full diff in [compare view](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node).

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…oras-project#159)

## Summary
Bumps the GitHub Actions toolkit to current major versions, replacing the two dependabot PRs that fail `check-dist`:
- Closes oras-project#137 (`@actions/tool-cache` 3.0.1 → 4.0.0)
- Closes oras-project#138 (`@actions/core` 2.0.3 → 3.0.0)

Both 3.x (`@actions/core`) and 4.x (`@actions/tool-cache`) are now ESM-only packages. `@vercel/ncc` (webpack-based) cannot bundle ESM-only packages in CJS mode, so this PR also replaces `ncc` with `esbuild` as the bundler. `esbuild` handles ESM→CJS bundling natively and requires no changes to the TypeScript source.

## Changes
- `package.json`: bump `@actions/core` `^2.0.3` → `^3.0.0`, `@actions/tool-cache` `^3.0.1` → `^4.0.0`; replace `@vercel/ncc` with `esbuild ^0.28.0`; update build script
- `package-lock.json`: updated resolved versions
- `dist/index.js`: rebuilt with `esbuild` and updated dependencies

## Test plan
- [x] `npm run build` succeeds locally
- [x] `npm audit` reports 0 vulnerabilities
- [ ] CI: `check-dist` passes
- [ ] CI: test workflow passes on ubuntu/macos/windows

---------

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Bump `package.json` version to `2.0.0` in preparation for the v2.0.0 release.

## What's in v2.0.0
- Bump `@actions/core` from `^2.0.3` to `^3.0.0` (oras-project#138)
- Bump `@actions/tool-cache` from `^3.0.1` to `^4.0.0` (oras-project#137)
- Replace `@vercel/ncc` with `esbuild` to support ESM-only toolkit packages (oras-project#159)
- Add `scripts/generate-licenses.js` to regenerate `dist/licenses.txt` from bundled packages on every build (oras-project#159)
- Pin `undici` to `>=6.24.1` to address 5 CVEs (oras-project#155)

Signed-off-by: Terry Howe <terrylhowe@gmail.com>
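The 1.3.1 commit above takes its digests from the upstream `oras_1.3.1_checksums.txt`, which is what lets the action reject a tampered or mis-served download. The script below is an added example, not code from setup-oras or the oras project: a POSIX shell function that checks a downloaded archive against that file's `<sha256>  <filename>` line format, treating a missing entry as a failure rather than a pass. The archive names, contents and the zeroed digest are constructed for the demonstration; it assumes GNU `sha256sum` or BSD `shasum` is on PATH.

```shell
#!/bin/sh
# Added example, not setup-oras code: verify a downloaded oras release archive
# against the upstream oras_<version>_checksums.txt, whose lines look like
#   <sha256 hex>  <filename>
# Assumes GNU sha256sum or BSD shasum is on PATH.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <archive> <checksums_file>
# Exit status: 0 digest matches, 1 digest mismatch, 2 no entry for the file.
# A missing entry is a failure: an unlisted artifact must never be trusted.
verify_checksum() {
  archive=$1
  sums=$2
  name=$(basename "$archive")
  # Field 2 may carry a leading '*' (binary-mode marker); strip it before comparing.
  expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "ok: $name"
  return 0
}

# Constructed demo data (not a real release): one archive whose digest is
# recorded correctly, one whose recorded digest has been altered to all zeros.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'fake oras archive\n' > "$demo_dir/oras_1.3.1_linux_amd64.tar.gz"
printf 'fake oras archive\n' > "$demo_dir/oras_1.3.1_darwin_arm64.tar.gz"
good_digest=$(sha256_of "$demo_dir/oras_1.3.1_linux_amd64.tar.gz")
cat > "$demo_dir/oras_1.3.1_checksums.txt" <<EOF
$good_digest  oras_1.3.1_linux_amd64.tar.gz
0000000000000000000000000000000000000000000000000000000000000000  oras_1.3.1_darwin_arm64.tar.gz
EOF

# Demo run: the first is accepted, the second rejected with status 1.
verify_checksum "$demo_dir/oras_1.3.1_linux_amd64.tar.gz" "$demo_dir/oras_1.3.1_checksums.txt"
verify_checksum "$demo_dir/oras_1.3.1_darwin_arm64.tar.gz" "$demo_dir/oras_1.3.1_checksums.txt" \
  || echo "rejected with status $?"
```

The lookup is keyed on the archive's basename, so a checksums file that lists a different platform's build, or none at all for the requested one, fails closed; in a real workflow the checksums file itself should come from the release page (or be pinned in the action, as setup-oras does) rather than from the same untrusted mirror as the archive.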