
[Auto release] release 1.3.1 #170

Status: Open. Wants to merge 1 commit into main.
Conversation

github-actions[bot] (Contributor) commented Dec 3, 2024

No description provided.

Comment on lines 9 to 29

```yaml
runs-on: ubuntu-latest

strategy:
  matrix:
    node-version: [20.x]
    # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

steps:
  - uses: actions/checkout@v3
  - name: Use Node.js ${{ matrix.node-version }}
    uses: actions/setup-node@v3
    with:
      node-version: ${{ matrix.node-version }}
      cache: 'npm'
      cache-dependency-path: './common/config/rush/pnpm-lock.yaml'

  - uses: xile611/pr-type-check@main
    with:
      pull_request_body: |
        ${{ github.event.pull_request.body }}
      pull_request_head: ${{ github.event.pull_request.head.ref }}
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions, Medium. Actions Job or Workflow does not set permissions.
```yaml
      cache: 'npm'
      cache-dependency-path: './common/config/rush/pnpm-lock.yaml'

  - uses: xile611/pr-type-check@main
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Check of pull request' step (Uses Step) uses 'xile611/pr-type-check' with ref 'main', not a pinned commit hash.

```yaml
  - name: Parse semver version from branch name
    id: semver_parser
    uses: xile611/read-package-version-action@main
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Pre-release CI' step (Uses Step: semver_parser) uses 'xile611/read-package-version-action' with ref 'main', not a pinned commit hash.

```yaml
  - name: Get npm version
    id: package-version
    uses: xile611/read-package-version-action@main
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Pre-release CI' step (Uses Step: package-version) uses 'xile611/read-package-version-action' with ref 'main', not a pinned commit hash.
```yaml
      path: packages/vmind

  - name: Commit & Push changes
    uses: actions-js/push@master
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Pre-release CI' step (Uses Step) uses 'actions-js/push' with ref 'master', not a pinned commit hash.

```yaml
  - name: Create Release for Tag
    id: release_tag
    uses: ncipollo/release-action@v1.12.0
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Release CI' step (Uses Step: release_tag) uses 'ncipollo/release-action' with ref 'v1.12.0', not a pinned commit hash.
```yaml
      draft: true #

  - name: Create Pull Request
    uses: dustinirving/create-pr@v1.0.2
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Release CI' step (Uses Step) uses 'dustinirving/create-pr' with ref 'v1.0.2', not a pinned commit hash.

```yaml
  - name: Get version
    id: package-version
    uses: xile611/read-package-version-action@main
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Sync main to develop after release' step (Uses Step: package-version) uses 'xile611/read-package-version-action' with ref 'main', not a pinned commit hash.
```yaml
        git push origin sync/main-${{ steps.package-version.outputs.current_version }}

  - name: Create Pull Request
    uses: dustinirving/create-pr@v1.0.2
```

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, Medium. Unpinned 3rd party Action: 'Sync main to develop after release' step (Uses Step) uses 'dustinirving/create-pr' with ref 'v1.0.2', not a pinned commit hash.
Comment on lines 14 to 37

```yaml
runs-on: macOS-12

strategy:
  matrix:
    node-version: [18.x]
    # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

steps:
  - uses: actions/checkout@v3
  - name: Use Node.js ${{ matrix.node-version }}
    uses: actions/setup-node@v3
    with:
      node-version: ${{ matrix.node-version }}
      cache: 'npm'
      cache-dependency-path: './common/config/rush/pnpm-lock.yaml'

  # Install rush
  - name: Install rush
    run: node common/scripts/install-run-rush.js install --bypass-policy

  - name: Compile
    run: node common/scripts/install-run-rush.js compile --only tag:package
  - name: Test
    run: node common/scripts/install-run-rush.js test --only tag:package
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions, Medium. Actions Job or Workflow does not set permissions.
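The two workflow findings above (unpinned third-party actions and no `permissions:` block) can be caught locally before CodeQL runs. The script below is an added example written for this page, not code from the VMind repository or from CodeQL: it scans a constructed workflow excerpt for `uses:` references whose ref is not a 40-character commit SHA and for the absence of any `permissions:` key. The sample workflow and its 40-hex pin are made up for the example (the pin is a placeholder, not a real actions/checkout commit; a real one is obtained with `git ls-remote https://github.com/<owner>/<action> <tag>`). It is stricter than the CodeQL rule, which flagged only third-party actions here, because it also flags `actions/checkout@v3`: a moving tag is mutable whichever organization owns it.

```javascript
// Added example (not from the VMind repository): reproduce the two CodeQL workflow
// findings with a line-based scan over a constructed workflow excerpt.
// Assumption: one `uses:` per line. The 40-hex value below is a PLACEHOLDER SHA
// constructed for this example, not a real commit of actions/checkout.

const SAMPLE_WORKFLOW = `
name: Pre-release CI
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: xile611/read-package-version-action@main
      - uses: actions-js/push@master
      - uses: ncipollo/release-action@v1.12.0
      # Pinned form (placeholder SHA, constructed for this example):
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3
`;

// Matches `uses: owner/repo@ref` whether or not the line starts a list item.
const USES_RE = /^\s*-?\s*uses:\s*([^\s#]+)/;
const SHA_RE = /^[0-9a-f]{40}$/;

// Returns one finding per `uses:` whose ref is not a full commit SHA.
// Local actions (`./path`) and Docker refs (`docker://...`) are skipped.
function findUnpinnedActions(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const spec = m[1];
    if (spec.startsWith('./') || spec.startsWith('docker://')) return;
    const at = spec.lastIndexOf('@');
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? '' : spec.slice(at + 1);
    if (!SHA_RE.test(ref)) {
      findings.push({ line: i + 1, action, ref: ref || '(none)' });
    }
  });
  return findings;
}

// True when the workflow declares a `permissions:` block at any level.
function hasPermissionsBlock(yamlText) {
  return /^\s*permissions:/m.test(yamlText);
}

// Header to prepend to a workflow: the GITHUB_TOKEN becomes read-only by default and
// each job then widens only what it needs (for example `contents: write` to push a tag).
const HARDENED_PERMISSIONS = `permissions:
  contents: read
`;

function audit(yamlText) {
  return {
    unpinned: findUnpinnedActions(yamlText),
    permissionsSet: hasPermissionsBlock(yamlText),
  };
}

const REPORT = audit(SAMPLE_WORKFLOW);
for (const f of REPORT.unpinned) {
  console.log(`line ${f.line}: '${f.action}' uses ref '${f.ref}', not a pinned commit hash`);
}
if (!REPORT.permissionsSet) console.log('workflow does not set permissions');
```

Pinning to a SHA only helps if the pin is refreshed; keep a trailing `# vX.Y.Z` comment on each pinned line so Dependabot or a human can see which release the hash corresponds to.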
Comment on lines 34 to 36

```ts
const result = spawnSync('sh', ['-c', `echo ${message} | ${commitLintBinPath} --config ${commitLineConfigPath}`], {
  stdio: 'inherit'
});
```

Check warning (Code scanning / CodeQL): Shell command built from environment values, Medium. This shell command depends on an uncontrolled absolute path (reported twice).

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the shell command as a single string that the shell interprets. Instead, we should use the execFileSync or spawnSync functions with an array of arguments to pass the dynamic parts separately. This prevents the shell from misinterpreting special characters or spaces in the paths or message.

  1. Replace the spawnSync call on line 34 with a call to execFileSync or spawnSync that passes the command and arguments separately.
  2. Similarly, replace the spawnSync call on line 50 with a call that passes the command and arguments separately.
  3. Ensure that the message and bumpType variables are properly sanitized or escaped if necessary.
Suggested changeset 1: common/autoinstallers/lint/change-all.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/common/autoinstallers/lint/change-all.ts b/common/autoinstallers/lint/change-all.ts
--- a/common/autoinstallers/lint/change-all.ts
+++ b/common/autoinstallers/lint/change-all.ts
@@ -33,3 +33,4 @@
   } else {
-    const result = spawnSync('sh', ['-c', `echo ${message} | ${commitLintBinPath} --config ${commitLineConfigPath}`], {
+    const result = spawnSync(commitLintBinPath, ['--config', commitLineConfigPath], {
+      input: message,
       stdio: 'inherit'
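Review bot: `input: message` will not reach commitlint in this hunk, because `stdio: 'inherit'` also applies to stdin and Node only delivers `input` through a piped stdin; with an inherited stdin the child reads the parent's stdin (the terminal or /dev/null in CI) instead. Use `stdio: ['pipe', 'inherit', 'inherit']` so the message is piped in while output still goes to the console. Note also that the old `echo` appended a trailing newline that `input: message` does not.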
@@ -49,3 +50,3 @@
 
-  spawnSync('sh', ['-c', `rush change --bulk --bump-type '${bumpType}' --message '${message}'`], {
+  spawnSync('rush', ['change', '--bulk', '--bump-type', bumpType, '--message', message], {
     stdio: 'inherit',
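Review bot: the return value of `spawnSync('rush', ...)` is still discarded. Without a shell, a missing `rush` on PATH surfaces only as `result.error` (ENOENT) rather than a "command not found" message on stderr, so capture the result and fail on `error` or a non-zero `status`. Step 3 of the suggestion (validate `bumpType`) is not in the patch; with an argv array it is no longer an injection vector, but it is still worth checking against the bump types `rush change` accepts before spawning.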
EOF
Comment on lines 14 to 20

```js
const result = child_process.spawnSync(
  "sh",
  ["-c", `${commitlintBinPath} --config ${configPath} --cwd ${path.dirname(gitPath)} --edit`],
  {
    stdio: "inherit",
  },
);
```

Check warning (Code scanning / CodeQL): Shell command built from environment values, Medium. This shell command depends on an uncontrolled absolute path (reported 6 times).

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the shell command as a single string and instead pass the command and its arguments separately to child_process.spawnSync. This way, the shell does not interpret the arguments, and we avoid issues with special characters in paths.

  • Replace the dynamic command string with an array of arguments.
  • Use child_process.spawnSync without the sh -c option to directly execute the command with the provided arguments.
Suggested changeset 1: common/autoinstallers/lint/commit-lint.js

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/common/autoinstallers/lint/commit-lint.js b/common/autoinstallers/lint/commit-lint.js
--- a/common/autoinstallers/lint/commit-lint.js
+++ b/common/autoinstallers/lint/commit-lint.js
@@ -14,4 +14,4 @@
 const result = child_process.spawnSync(
-  "sh",
-  ["-c", `${commitlintBinPath} --config ${configPath} --cwd ${path.dirname(gitPath)} --edit`],
+  commitlintBinPath,
+  ["--config", configPath, "--cwd", path.dirname(gitPath), "--edit"],
   {
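Review bot: executing `commitlintBinPath` directly means it must be an executable file (the `node_modules/.bin` shim is; a bare `.js` entry point is not), and a failure to start is reported in `result.error` rather than printed to stderr. The handling of `result` below this hunk is not shown; make sure it checks `error` as well as `status`. On Windows the `.bin` shim is a `.cmd` file that cannot be spawned without a shell; the old `sh -c` form did not run there either, so this is not a regression, but a comment to that effect would help.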
EOF
Comment on lines 93 to 96

```js
spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
  stdio: 'inherit',
  shell: false,
})
```

Check warning (Code scanning / CodeQL): Shell command built from environment values, Medium. This shell command depends on an uncontrolled absolute path.

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the command string dynamically and instead pass the command and its arguments separately to spawnSync. This approach ensures that the arguments are not interpreted by the shell, thus preventing potential injection attacks.

We will modify the spawnSync calls to use execFileSync instead, passing the command and arguments as separate parameters. This change will be made in both instances where spawnSync is used.

Suggested changeset 1: common/scripts/sort_deps.js

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/common/scripts/sort_deps.js b/common/scripts/sort_deps.js
--- a/common/scripts/sort_deps.js
+++ b/common/scripts/sort_deps.js
@@ -92,5 +92,4 @@
 
-    spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
-      stdio: 'inherit',
-      shell: false,
+    spawnSync('prettier', ['-w', pkgJsonPath], {
+      stdio: 'inherit'
     })
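Review bot: `prettier` is now resolved from PATH by `spawnSync` itself and the return value is still dropped, so if the binary is not on PATH the call fails silently with `result.error.code === 'ENOENT'` instead of printing a shell error. Capture the result and throw on `error` or a non-zero `status`. The description above also says `execFileSync` will be used while the patch keeps `spawnSync`; either is fine with an argv array, but the text should match the diff.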
@@ -106,5 +105,4 @@
 
-      spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
-        stdio: 'inherit',
-        shell: false,
+      spawnSync('prettier', ['-w', pkgJsonPath], {
+        stdio: 'inherit'
       }) 
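Review bot: this is the second identical `prettier -w` call in the file. A small `formatWithPrettier(pkgJsonPath)` helper that spawns, checks the exit status and throws would remove the duplication and make the status check apply to both sites at once.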
EOF
Comment on lines 107 to 110

```js
spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
  stdio: 'inherit',
  shell: false,
})
```

Check warning (Code scanning / CodeQL): Shell command built from environment values, Medium. This shell command depends on an uncontrolled absolute path.

Copilot Autofix AI 8 days ago

To fix the problem, we should avoid constructing the command string dynamically and instead pass the command and its arguments separately to spawnSync. This approach ensures that the arguments are not interpreted by the shell, preventing any possibility of command injection.

  • Replace the dynamically constructed command string with separate command and arguments.
  • Use spawnSync with the prettier command and the -w argument followed by the pkgJsonPath.
Suggested changeset 1: common/scripts/sort_deps.js

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/common/scripts/sort_deps.js b/common/scripts/sort_deps.js
--- a/common/scripts/sort_deps.js
+++ b/common/scripts/sort_deps.js
@@ -92,3 +92,3 @@
 
-    spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+    spawnSync('prettier', ['-w', pkgJsonPath], {
       stdio: 'inherit',
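Review bot: this patch edits the same two call sites as the autofix suggested for lines 93 to 96 above, with different context: this one leaves `shell: false` in place (harmless, since `false` is the default), the earlier one removes it. Apply only one of the two; the second `git apply` will fail because its context lines no longer match.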
@@ -106,3 +106,3 @@
 
-      spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+      spawnSync('prettier', ['-w', pkgJsonPath], {
         stdio: 'inherit',
EOF

```ts
function htmlRestore(str: string) {
  let result = '';
  result = str.replace(/&amp;/g, '&');
```

Check failure (Code scanning / CodeQL): Double escaping or unescaping, High. This replacement may produce '&' characters that are double-unescaped here.

Copilot Autofix AI 8 days ago

To fix the problem, we need to ensure that the htmlRestore function unescapes the ampersand (&amp;) last. This will prevent any issues with double unescaping, ensuring that other entities are correctly decoded before the ampersand is processed.

  • Change the order of the replacements in the htmlRestore function.
  • Specifically, move the line result = result.replace(/&amp;/g, '&'); to the end of the function.
Suggested changeset 1: docs/src/markdown.tsx

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/docs/src/markdown.tsx b/docs/src/markdown.tsx
--- a/docs/src/markdown.tsx
+++ b/docs/src/markdown.tsx
@@ -50,4 +50,3 @@
   let result = '';
-  result = str.replace(/&amp;/g, '&');
-  result = result.replace(/&lt;/g, '<');
+  result = str.replace(/&lt;/g, '<');
   result = result.replace(/&gt;/g, '>');
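Review bot: after this change `let result = '';` is dead, since the next statement overwrites it; fold it into the first assignment (`let result = str.replace(/&lt;/g, '<');`).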
@@ -56,2 +55,3 @@
   result = result.replace(/&quot;/g, '"');
+  result = result.replace(/&amp;/g, '&');
   return result;
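Review bot: decoding `&amp;` last is the correct inverse of an escaper that encodes `&` first (an input `&amp;lt;` now yields the literal text `&lt;` instead of `<`). Check that the escape routine these entities come from does encode `&` first; if it runs the replacements in the same order as this decoder, round-tripping still breaks.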
EOF
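To see why the autofix moves the `&amp;` replacement to the end, here is an added example (not code from docs/src/markdown.tsx) pairing an escaper that encodes `&` first with the flagged decode order and the corrected one, run on a constructed sample string that contains the literal characters `&lt;`.

```javascript
// Added example (not from docs/src/markdown.tsx): why the order of entity replacements matters.
// Escaping must encode '&' FIRST, so the '&' of the entities it produces is not re-encoded;
// decoding must therefore handle '&amp;' LAST, or text that legitimately contained the
// characters "&lt;" comes back as "<".

const ESCAPES = [
  ['&', '&amp;'],   // must run first when escaping
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
];

function htmlEscape(str) {
  let out = str;
  for (const [ch, entity] of ESCAPES) out = out.split(ch).join(entity);
  return out;
}

// Buggy order, matching the code CodeQL flagged: '&amp;' decoded first.
function htmlRestoreUnsafe(str) {
  let out = str.replace(/&amp;/g, '&');
  out = out.replace(/&lt;/g, '<');
  out = out.replace(/&gt;/g, '>');
  out = out.replace(/&quot;/g, '"');
  return out;
}

// Fixed order: every other entity first, '&amp;' last (the exact inverse of htmlEscape).
function htmlRestore(str) {
  let out = str.replace(/&lt;/g, '<');
  out = out.replace(/&gt;/g, '>');
  out = out.replace(/&quot;/g, '"');
  out = out.replace(/&amp;/g, '&');
  return out;
}

// Constructed sample: a markdown author writing ABOUT HTML types the literal text "&lt;b&gt;".
const SAMPLE = 'Write &lt;b&gt; to show a literal <b> tag';

function roundTrips(str, restore) {
  return restore(htmlEscape(str)) === str;
}

console.log('escaped        :', htmlEscape(SAMPLE));
console.log('unsafe decode  :', htmlRestoreUnsafe(htmlEscape(SAMPLE)));
console.log('correct decode :', htmlRestore(htmlEscape(SAMPLE)));
```

With the buggy order the escaped `&amp;lt;b&amp;gt;` first becomes `&lt;b&gt;` and is then decoded a second time to `<b>`, indistinguishable from the real tag that followed it.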
```ts
};

const isStringArray = (str: string) => {
  const regex = /^(.*)\: ".+"(, ".+")+$/;
```

Check failure (Code scanning / CodeQL): Inefficient regular expression, High. This part of the regular expression may cause exponential backtracking on strings starting with ': "a", "' and containing many repetitions of 'a", "'.

Copilot Autofix AI 8 days ago

To fix the problem, we need to remove the ambiguity in the regular expression. The main issue is with the .* and .+ patterns, which can match overlapping parts of the input string. We can replace .* with a more specific pattern that matches any character except a double quote, ensuring that the regular expression remains efficient.

  • Replace .* with [^"]* to match any character except a double quote.
  • Ensure that the regular expression still matches the intended input strings without causing performance issues.
Suggested changeset 1: packages/vmind/src/common/utils/skylark.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/packages/vmind/src/common/utils/skylark.ts b/packages/vmind/src/common/utils/skylark.ts
--- a/packages/vmind/src/common/utils/skylark.ts
+++ b/packages/vmind/src/common/utils/skylark.ts
@@ -51,3 +51,3 @@
 const isStringArray = (str: string) => {
-  const regex = /^(.*)\: ".+"(, ".+")+$/;
+  const regex = /^([^"]*)\: ".+"(, ".+")+$/;
   return regex.test(str);
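Review bot: tightening only the leading group to `[^"]*` leaves the real ambiguity in place. In `".+"(, ".+")+` each `.+` can still swallow `", "` separators, so a near-miss input of the shape CodeQL describes (many repetitions of `a", "` with no valid ending) is still tried against every way of grouping the repetitions before the match fails. Use `[^"]+` inside the quotes as well, i.e. `/^([^"]*): "[^"]+"(, "[^"]+")+$/` (the `\:` escape is unnecessary). Caveat for the reviewer: this rejects quoted items that contain a literal `"`, which the original accepted.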
EOF
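The autofix above tightens only the `(.*)` prefix. The following added example (not the project's code) puts the original pattern, the autofix, and a fully unambiguous version side by side, with a generator for the near-miss input CodeQL describes and a timer to observe the backtracking. The `SAFE` pattern is this editor's suggestion and is stricter than the original: a quoted item may no longer contain a `"` character.

```javascript
// Added example (not from packages/vmind/src/common/utils/skylark.ts).

// Original: '.*' in the prefix and '.+' inside the quotes can all match '", "', so the
// engine has exponentially many ways to split a near-miss input before it gives up.
const ORIGINAL = /^(.*)\: ".+"(, ".+")+$/;
// Autofix: only the prefix was tightened; the quoted items still use '.+'.
const AUTOFIX = /^([^"]*)\: ".+"(, ".+")+$/;
// Unambiguous: a quoted item cannot contain a quote, so each separator has exactly one home.
const SAFE = /^([^"]*): "[^"]+"(, "[^"]+")+$/;

// Near-miss input in the shape CodeQL describes: n repetitions of 'a", "' and no closing quote,
// so the overall match must fail and every grouping gets tried.
function nearMiss(n) {
  return ': "' + 'a", "'.repeat(n) + 'a';
}

// Same contract as the project's isStringArray, with the pattern injectable for comparison.
function isStringArray(str, re = SAFE) {
  return re.test(str);
}

// Wall-clock cost of one test. On ORIGINAL/AUTOFIX this roughly doubles per extra repetition;
// on SAFE it grows linearly with the input.
function measureMs(re, input) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

for (const n of [8, 12, 16]) {
  const input = nearMiss(n);
  console.log(
    `n=${n}: autofix ${measureMs(AUTOFIX, input).toFixed(2)} ms, safe ${measureMs(SAFE, input).toFixed(3)} ms`
  );
}
```

Raise `n` past about 22 with the `AUTOFIX` pattern and the test takes seconds; the `SAFE` pattern rejects a 5000-repetition input in well under a millisecond because no quote can be matched two ways.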
```ts
    this._applicationMap[name] = {};
  }
  this._applicationMap[name][modelType] = new BaseApplication(applicationMeta);
  return;
```

Check warning (Code scanning / CodeQL): Prototype-polluting assignment, Medium. This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix AI 8 days ago

To fix the problem, we need to ensure that the name property from applicationMeta cannot be used to modify Object.prototype. We can achieve this by checking if name is one of the special properties (__proto__, constructor, prototype) and rejecting it if so. This will prevent prototype pollution while maintaining the existing functionality.

Suggested changeset 1: packages/vmind/src/core/VMind.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/packages/vmind/src/core/VMind.ts b/packages/vmind/src/core/VMind.ts
--- a/packages/vmind/src/core/VMind.ts
+++ b/packages/vmind/src/core/VMind.ts
@@ -65,2 +65,5 @@
     const { name } = applicationMeta;
+    if (name === '__proto__' || name === 'constructor' || name === 'prototype') {
+      throw new Error('Invalid application name');
+    }
     if (!this._applicationMap[name]) {
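Review bot: the guard covers `name` but not `modelType`, which is also used as a computed key two lines further down (`this._applicationMap[name][modelType] = ...`); with `modelType === '__proto__'` that assignment rewrites the prototype of the inner object. Apply the same check to `modelType`, or make `_applicationMap` and its inner objects prototype-less (`Object.create(null)`, or a `Map`) so these strings are ordinary keys and no denylist is needed. Once keys are arbitrary strings, `!this._applicationMap[name]` should also become an own-property check (`Object.hasOwn`).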
EOF
```ts
if (originalTaskNode) {
  originalTaskNode.taskNode = taskNode.taskNode;
  this._applicationMap[applicationName][modelType] = new BaseApplication(applicationMeta);
} else {
```

Check warning (Code scanning / CodeQL): Prototype-polluting assignment, Medium. This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix AI 8 days ago

To fix the problem, we need to ensure that the applicationName parameter cannot be used to modify the Object.prototype. This can be achieved by validating the applicationName to ensure it does not contain any special property names like __proto__, constructor, or prototype.

The best way to fix this without changing existing functionality is to add a validation check at the beginning of the setTaskNode method. If the applicationName is one of the restricted property names, we should throw an error or handle it appropriately.

Suggested changeset 1: packages/vmind/src/core/VMind.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/packages/vmind/src/core/VMind.ts b/packages/vmind/src/core/VMind.ts
--- a/packages/vmind/src/core/VMind.ts
+++ b/packages/vmind/src/core/VMind.ts
@@ -73,2 +73,5 @@
   setTaskNode(applicationName: string, modelType: ModelType | string, taskNode: TaskNode<any>) {
+    if (applicationName === '__proto__' || applicationName === 'constructor' || applicationName === 'prototype') {
+      throw 'Invalid application name!';
+    }
     const applicationMeta = this._runtimeMetaMap[applicationName]?.[modelType];
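Review bot: `throw 'Invalid application name!'` throws a bare string, which has no stack trace and is inconsistent with the `throw new Error(...)` the sibling fix in this file uses; use `new Error`. As in the other hunk, `modelType` is also a computed key here (`this._runtimeMetaMap[applicationName]?.[modelType]` and the `_applicationMap` write below) and is not validated.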
EOF
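Both prototype-pollution findings above come from the same shape, `map[name][modelType] = value` with caller-controlled strings. The added example below (not code from VMind.ts; class and key names are constructed here) shows the pollution against a plain-object registry, the key check the autofix adds applied to both keys, and a `Map`-based registry where keys are data rather than property lookups. `pollutes()` deletes the probe property it writes to `Object.prototype` so the demonstration does not leak.

```javascript
// Added example (not from packages/vmind/src/core/VMind.ts): a two-level registry keyed by
// caller-supplied strings, in the shape of `_applicationMap[name][modelType] = ...`.

class VulnerableRegistry {
  constructor() {
    this.map = {};                        // plain object: inherits from Object.prototype
  }
  register(name, modelType, value) {
    if (!this.map[name]) {                // '__proto__' is truthy here: it IS Object.prototype
      this.map[name] = {};
    }
    this.map[name][modelType] = value;    // name === '__proto__' writes Object.prototype[modelType]
  }
  get(name, modelType) {
    return this.map[name]?.[modelType];
  }
}

// Fix 1 (what the autofix does), applied to BOTH keys: refuse the names that address the
// prototype chain. Numbers and other non-strings are refused as well.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function assertSafeKey(key) {
  if (typeof key !== 'string' || FORBIDDEN.has(key)) {
    throw new Error(`Invalid key: ${String(key)}`);
  }
}

// Fix 2 (structural): Map entries are data, never property lookups, so '__proto__' is just a
// string. The key check is kept as belt and braces and for a clear error message.
class SafeRegistry {
  constructor() {
    this.map = new Map();
  }
  register(name, modelType, value) {
    assertSafeKey(name);
    assertSafeKey(modelType);
    let inner = this.map.get(name);
    if (!inner) {
      inner = new Map();
      this.map.set(name, inner);
    }
    inner.set(modelType, value);
  }
  get(name, modelType) {
    return this.map.get(name)?.get(modelType);
  }
}

// Runs the attack against a registry and reports whether an UNRELATED fresh object was
// affected. The probe property is removed afterwards so nothing leaks into other code.
function pollutes(registry) {
  const probe = 'isAdmin';
  try {
    registry.register('__proto__', probe, true);
  } catch (e) {
    return false;                         // rejected before any write happened
  }
  const leaked = ({})[probe] === true;    // a brand-new object now "has" the property
  delete Object.prototype[probe];
  return leaked;
}

console.log('plain object registry polluted:', pollutes(new VulnerableRegistry()));
console.log('Map registry polluted         :', pollutes(new SafeRegistry()));
```

The `modelType` key matters too: `register('app', '__proto__', obj)` on the plain-object registry does not touch `Object.prototype`, but it replaces the prototype of the inner object, so every later lookup under `'app'` inherits whatever `obj` contains.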
1 participant