
[Auto Sync] Sync the code from branch main to branch develop after release 1.2.13 #168

Merged
merged 2 commits into develop from sync/main-1.2.13
Feb 23, 2025

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Dec 3, 2024

Sync the code from branch main to branch develop after release 1.2.13

Comment on lines 9 to 29
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [20.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/

steps:
- uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
cache-dependency-path: './common/config/rush/pnpm-lock.yaml'

- uses: xile611/pr-type-check@main
with:
pull_request_body: |
${{ github.event.pull_request.body }}
pull_request_head: ${{ github.event.pull_request.head.ref }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions Job or Workflow does not set permissions
cache: 'npm'
cache-dependency-path: './common/config/rush/pnpm-lock.yaml'

- uses: xile611/pr-type-check@main

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Check of pull request' step
Uses Step
uses 'xile611/pr-type-check' with ref 'main', not a pinned commit hash

- name: Parse semver version from branch name
id: semver_parser
uses: xile611/read-package-version-action@main

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Pre-release CI' step
Uses Step: semver_parser
uses 'xile611/read-package-version-action' with ref 'main', not a pinned commit hash

- name: Get npm version
id: package-version
uses: xile611/read-package-version-action@main

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Pre-release CI' step
Uses Step: package-version
uses 'xile611/read-package-version-action' with ref 'main', not a pinned commit hash
path: packages/vmind

- name: Commit & Push changes
uses: actions-js/push@master

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Pre-release CI' step
Uses Step
uses 'actions-js/push' with ref 'master', not a pinned commit hash

- name: Create Release for Tag
id: release_tag
uses: ncipollo/[email protected]

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Release CI' step
Uses Step: release_tag
uses 'ncipollo/release-action' with ref 'v1.12.0', not a pinned commit hash
draft: true #

- name: Create Pull Request
uses: dustinirving/[email protected]

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Release CI' step
Uses Step
uses 'dustinirving/create-pr' with ref 'v1.0.2', not a pinned commit hash

- name: Get version
id: package-version
uses: xile611/read-package-version-action@main

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Sync main to develop after release' step
Uses Step: package-version
uses 'xile611/read-package-version-action' with ref 'main', not a pinned commit hash
git push origin sync/main-${{ steps.package-version.outputs.current_version }}

- name: Create Pull Request
uses: dustinirving/[email protected]

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Sync main to develop after release' step
Uses Step
uses 'dustinirving/create-pr' with ref 'v1.0.2', not a pinned commit hash
Comment on lines 14 to 37
runs-on: macOS-12

strategy:
matrix:
node-version: [18.x]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/

steps:
- uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
cache-dependency-path: './common/config/rush/pnpm-lock.yaml'

# Install rush
- name: Install rush
run: node common/scripts/install-run-rush.js install --bypass-policy

- name: Compile
run: node common/scripts/install-run-rush.js compile --only tag:package
- name: Test
run: node common/scripts/install-run-rush.js test --only tag:package

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions Job or Workflow does not set permissions
Comment on lines 34 to 36
const result = spawnSync('sh', ['-c', `echo ${message} | ${commitLintBinPath} --config ${commitLineConfigPath}`], {
stdio: 'inherit'
});

Check warning

Code scanning / CodeQL

Shell command built from environment values Medium

This shell command depends on an uncontrolled absolute path. (2 alerts)

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the shell command as a single string and instead pass the command and its arguments separately to spawnSync. This approach prevents the shell from interpreting special characters in the arguments, thus mitigating the risk of shell injection.

We will:

  1. Replace the dynamic shell command construction with separate command and arguments.
  2. Use spawnSync without the -c option to avoid shell interpretation.
Suggested changeset 1
common/autoinstallers/lint/change-all.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/common/autoinstallers/lint/change-all.ts b/common/autoinstallers/lint/change-all.ts
--- a/common/autoinstallers/lint/change-all.ts
+++ b/common/autoinstallers/lint/change-all.ts
@@ -33,3 +33,4 @@
   } else {
-    const result = spawnSync('sh', ['-c', `echo ${message} | ${commitLintBinPath} --config ${commitLineConfigPath}`], {
+    const result = spawnSync(commitLintBinPath, ['--config', commitLineConfigPath], {
+      input: message,
       stdio: 'inherit'
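Review bot: with the shell gone, a missing or non-executable `commitLintBinPath` no longer shows up as sh's exit status 127 but as an `ENOENT`/`EACCES` in `result.error` with `result.status` null, so whatever follows this hunk must check `result.error` as well as `result.status`. `input: message` does switch stdin to a pipe even next to `stdio: 'inherit'`, but it drops the trailing newline that `echo` used to append; confirm commitlint accepts an unterminated last line before relying on it.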
@@ -49,5 +50,4 @@
 
-  spawnSync('sh', ['-c', `rush change --bulk --bump-type '${bumpType}' --message '${message}'`], {
-    stdio: 'inherit',
-    shell: false
+  spawnSync('rush', ['change', '--bulk', '--bump-type', bumpType, '--message', message], {
+    stdio: 'inherit'
   });
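Review bot: `rush` is now resolved by `spawnSync` directly from PATH; on Windows that entry is `rush.cmd`, which cannot be executed without a shell, so this step would fail there. Prefer the repository's own launcher (`node common/scripts/install-run-rush.js change ...`, the form the CI job in this PR already uses), which also removes the dependency on a globally installed rush. The substance of the change is right: the single quotes around `'${message}'` in the old command meant any apostrophe in the message broke out of the quoting.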
@@ -55,10 +55,8 @@
   if (!notCommit) {
-    spawnSync('sh', ['-c', 'git add --all'], {
-      stdio: 'inherit',
-      shell: false
+    spawnSync('git', ['add', '--all'], {
+      stdio: 'inherit'
     });
 
-    spawnSync('sh', ['-c', `git commit -m 'docs: update changlog of rush'`], {
-      stdio: 'inherit',
-      shell: false
+    spawnSync('git', ['commit', '-m', 'docs: update changlog of rush'], {
+      stdio: 'inherit'
     });
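Review bot: the commit message literal on the new line still reads `changlog`; since the line is being rewritten anyway, correct it to `changelog`. The removed `shell: false` was a no-op next to `sh -c` (the shell was the command being spawned), so dropping it together with the move to `git` as the executable is correct.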
EOF
Comment on lines 14 to 20
const result = child_process.spawnSync(
"sh",
["-c", `${commitlintBinPath} --config ${configPath} --cwd ${path.dirname(gitPath)} --edit`],
{
stdio: "inherit",
},
);

Check warning

Code scanning / CodeQL

Shell command built from environment values Medium

This shell command depends on an uncontrolled absolute path. (6 alerts)

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid passing the entire command string to the shell. Instead, we can use child_process.spawnSync with the command and arguments provided separately. This way, the shell will not interpret any special characters in the paths.

  • Replace the dynamic command string with an array of arguments.
  • Use child_process.spawnSync without the sh -c option to avoid shell interpretation.
Suggested changeset 1
common/autoinstallers/lint/commit-lint.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/common/autoinstallers/lint/commit-lint.js b/common/autoinstallers/lint/commit-lint.js
--- a/common/autoinstallers/lint/commit-lint.js
+++ b/common/autoinstallers/lint/commit-lint.js
@@ -14,4 +14,4 @@
 const result = child_process.spawnSync(
-  "sh",
-  ["-c", `${commitlintBinPath} --config ${configPath} --cwd ${path.dirname(gitPath)} --edit`],
+  commitlintBinPath,
+  ["--config", configPath, "--cwd", path.dirname(gitPath), "--edit"],
   {
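Review bot: executing `commitlintBinPath` directly only works if that file has an executable bit and a usable shebang; if it is a Windows `.cmd` shim or a plain JavaScript entry, `spawnSync` without a shell returns an error instead of running it. If the path can be either, spawn `process.execPath` with the script as the first argument, and check `result.error` after the call, since a failed spawn no longer produces a shell exit code.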
EOF
Comment on lines 93 to 96
spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
stdio: 'inherit',
shell: false,
})

Check warning

Code scanning / CodeQL

Shell command built from environment values Medium

This shell command depends on an uncontrolled absolute path.

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the shell command dynamically with user-controlled input. Instead, we can pass the arguments to the command separately to ensure they are not interpreted by the shell. This can be achieved by using spawnSync without the -c option and passing the arguments as an array.

Suggested changeset 1
common/scripts/sort_deps.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/common/scripts/sort_deps.js b/common/scripts/sort_deps.js
--- a/common/scripts/sort_deps.js
+++ b/common/scripts/sort_deps.js
@@ -92,5 +92,4 @@
 
-    spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+    spawnSync('prettier', ['-w', pkgJsonPath], {
       stdio: 'inherit',
-      shell: false,
     })
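Review bot: `prettier` is looked up on PATH here, and the return value is discarded; when the script runs outside a rush/pnpm shell the lookup fails silently. Capture the result and check `result.error`, or resolve the binary from the local `node_modules/.bin` explicitly. Dropping `shell: false` is fine: it had no effect next to `sh -c`.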
@@ -106,5 +105,4 @@
 
-      spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+      spawnSync('prettier', ['-w', pkgJsonPath], {
         stdio: 'inherit',
-        shell: false,
       }) 
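Review bot: this hunk is the same call as the one above; factoring both sites into one helper (for example `formatPackageJson(pkgJsonPath)`) gives them a single definition and a single place for the error check.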
EOF
Comment on lines 107 to 110
spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
stdio: 'inherit',
shell: false,
})

Check warning

Code scanning / CodeQL

Shell command built from environment values Medium

This shell command depends on an uncontrolled absolute path.

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the shell command as a single string that the shell interprets. Instead, we should use spawnSync with separate arguments to ensure that the file path is not interpreted by the shell. This can be achieved by passing the command and its arguments as separate elements in an array.

Suggested changeset 1
common/scripts/sort_deps.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/common/scripts/sort_deps.js b/common/scripts/sort_deps.js
--- a/common/scripts/sort_deps.js
+++ b/common/scripts/sort_deps.js
@@ -92,3 +92,3 @@
 
-    spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+    spawnSync('prettier', ['-w', pkgJsonPath], {
       stdio: 'inherit',
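Review bot: this changeset repeats the one suggested for lines 93 to 96 and touches the same two lines (92 and 106) of sort_deps.js; applying both with `git apply` fails on the second. Take the earlier one, which additionally removes the now meaningless `shell: false`.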
@@ -106,3 +106,3 @@
 
-      spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+      spawnSync('prettier', ['-w', pkgJsonPath], {
         stdio: 'inherit',
EOF

function htmlRestore(str: string) {
let result = '';
result = str.replace(/&amp;/g, '&');

Check failure

Code scanning / CodeQL

Double escaping or unescaping High documentation

This replacement may produce '&' characters that are double-unescaped here.

Copilot Autofix AI 8 days ago

To fix the problem, we need to adjust the order of unescaping in the htmlRestore function. Specifically, we should unescape the ampersand (&amp;) last to ensure that other entities are correctly unescaped first. This change will prevent any issues related to double unescaping.

Suggested changeset 1
docs/src/markdown.tsx

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/docs/src/markdown.tsx b/docs/src/markdown.tsx
--- a/docs/src/markdown.tsx
+++ b/docs/src/markdown.tsx
@@ -50,4 +50,3 @@
   let result = '';
-  result = str.replace(/&amp;/g, '&');
-  result = result.replace(/&lt;/g, '<');
+  result = str.replace(/&lt;/g, '<');
   result = result.replace(/&gt;/g, '>');
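Review bot: `let result = '';` on the first context line is dead now that the next statement assigns `str.replace(...)`; initialise `result` from that expression directly. The reordering itself is the right fix: with `&amp;` unescaped first, text that had been escaped once, such as `&amp;lt;`, became `<` after two substitutions.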
@@ -56,2 +55,3 @@
   result = result.replace(/&quot;/g, '"');
+  result = result.replace(/&amp;/g, '&');
   return result;
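Review bot: add a test for the ordering, since nothing in the code says why `&amp;` must come last: `htmlRestore('&amp;lt;')` should return `&lt;`, not `<`. A single `replace(/&(amp|lt|gt|quot);/g, ...)` with a lookup table would make the order irrelevant and is harder to break on the next edit.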
EOF
};

const isStringArray = (str: string) => {
const regex = /^(.*)\: ".+"(, ".+")+$/;

Check failure

Code scanning / CodeQL

Inefficient regular expression High

This part of the regular expression may cause exponential backtracking on strings starting with ': "a", "' and containing many repetitions of 'a", "'.

Copilot Autofix AI 8 days ago

To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. Specifically, we can replace the .* and .+ patterns with more specific patterns that do not overlap in ambiguous ways. This can be achieved by using negated character classes to ensure that each part of the regular expression matches a distinct set of characters.

  • Replace .* with [^:]* to match any sequence of characters that does not include a colon.
  • Replace .+ with [^"]+ to match any sequence of characters that does not include a double quote.

These changes will ensure that the regular expression is more efficient and does not suffer from exponential backtracking.

Suggested changeset 1
packages/vmind/src/common/utils/skylark.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vmind/src/common/utils/skylark.ts b/packages/vmind/src/common/utils/skylark.ts
--- a/packages/vmind/src/common/utils/skylark.ts
+++ b/packages/vmind/src/common/utils/skylark.ts
@@ -51,3 +51,3 @@
 const isStringArray = (str: string) => {
-  const regex = /^(.*)\: ".+"(, ".+")+$/;
+  const regex = /^([^:]+)\: "[^"]+"(, "[^"]+")+$/;
   return regex.test(str);
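Review bot: the new prefix `[^:]+` is stricter than the `[^:]*` the explanation above describes and than the original `(.*)`: an empty prefix, or one containing a colon (`a:b: "x", "y"`), matched before and does not now; likewise `[^"]+` rejects values containing a double quote, which `.+` accepted. Check the callers of isStringArray for such inputs before merging, and drop the unnecessary `\:` escape while here.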
EOF
this._applicationMap[name] = {};
}
this._applicationMap[name][modelType] = new BaseApplication(applicationMeta);
return;

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix AI 8 days ago

To fix the problem, we need to ensure that the name property from applicationMeta cannot be used to modify Object.prototype. This can be achieved by checking if name is one of the dangerous values (__proto__, constructor, prototype) before using it as a key in the assignment. If name matches any of these values, we should throw an error or handle it appropriately.

Suggested changeset 1
packages/vmind/src/core/VMind.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vmind/src/core/VMind.ts b/packages/vmind/src/core/VMind.ts
--- a/packages/vmind/src/core/VMind.ts
+++ b/packages/vmind/src/core/VMind.ts
@@ -65,2 +65,5 @@
     const { name } = applicationMeta;
+    if (name === '__proto__' || name === 'constructor' || name === 'prototype') {
+      throw new Error('Invalid application name');
+    }
     if (!this._applicationMap[name]) {
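Review bot: the guard covers `name`, but the flagged line also writes `this._applicationMap[name][modelType]`, so `modelType` reaches the prototype chain through the same path; apply the same check to it. Initialising `_applicationMap` and each inner object with `Object.create(null)` removes the whole class of bug instead of three names.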
EOF
if (originalTaskNode) {
originalTaskNode.taskNode = taskNode.taskNode;
this._applicationMap[applicationName][modelType] = new BaseApplication(applicationMeta);
} else {

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix AI 8 days ago

To fix the problem, we need to ensure that applicationName cannot be a dangerous value like __proto__, constructor, or prototype. One way to do this is to validate applicationName before using it as a key in an object assignment. We can add a check to ensure that applicationName does not match any of these dangerous values. If it does, we can throw an error or handle it appropriately.

Suggested changeset 1
packages/vmind/src/core/VMind.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vmind/src/core/VMind.ts b/packages/vmind/src/core/VMind.ts
--- a/packages/vmind/src/core/VMind.ts
+++ b/packages/vmind/src/core/VMind.ts
@@ -73,2 +73,5 @@
   setTaskNode(applicationName: string, modelType: ModelType | string, taskNode: TaskNode<any>) {
+    if (applicationName === '__proto__' || applicationName === 'constructor' || applicationName === 'prototype') {
+      throw 'Invalid application name!';
+    }
     const applicationMeta = this._runtimeMetaMap[applicationName]?.[modelType];
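Review bot: `throw 'Invalid application name!'` throws a string, which carries no stack trace and differs from the `new Error(...)` used in the companion fix above; use `throw new Error(...)`. The check also leaves `modelType` unvalidated, although it is used as a key on the following lines in the same way.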
EOF
@666haiwen 666haiwen merged commit 53642b8 into develop Feb 23, 2025
6 of 8 checks passed
@666haiwen 666haiwen deleted the sync/main-1.2.13 branch February 23, 2025 11:48