Merge main to docs #844
Factored out the CVSS Score parsing from the table output into its own function to reuse it in guided remediation. The new function also returns the human-readable rating string ("LOW", "HIGH", etc.) which I will end up using for the interactive guided remediation mode. I also made some changes to the table output of the scores:

- Always render the scores to 1 decimal place, so `6.0` instead of just `6`
- Display `0.0` if the CVSS score actually evaluates to 0, vs nothing when there is no severity listed
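The commit above describes three behaviours: parsing a score field, mapping it to a rating string, and rendering the table cell so that a genuine `0.0` is distinguishable from "no severity listed". The Go program below is an added illustration of that contract and is not osv-scanner's own code. It assumes the CVSS v3.x qualitative bands (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), which the commit message does not spell out, and represents "no severity" as a nil pointer so it cannot be confused with a real zero. It also rounds before banding so the rating never disagrees with the one-decimal string the user sees.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// ParseScore turns the score column of a scan result into an optional number:
// an empty field means "no severity listed" and yields nil, anything else must
// parse as a float within 0.0-10.0 (NaN, Inf and out-of-range values are rejected).
func ParseScore(field string) (*float64, error) {
	field = strings.TrimSpace(field)
	if field == "" {
		return nil, nil
	}
	v, err := strconv.ParseFloat(field, 64)
	if err != nil {
		return nil, fmt.Errorf("cvss score %q: %w", field, err)
	}
	if math.IsNaN(v) || v < 0 || v > 10 {
		return nil, fmt.Errorf("cvss score %v outside 0.0-10.0", v)
	}
	return &v, nil
}

// CVSSRating maps a base score to the CVSS v3.x qualitative severity bands
// (assumed here: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
// Critical 9.0-10.0). The score is rounded to one decimal first so the rating
// always agrees with what FormatScore prints: 3.96 displays as "4.0" and is MEDIUM.
func CVSSRating(score float64) (string, error) {
	if math.IsNaN(score) || score < 0 || score > 10 {
		return "", fmt.Errorf("cvss score %v outside 0.0-10.0", score)
	}
	r := math.Round(score*10) / 10
	switch {
	case r == 0:
		return "NONE", nil
	case r < 4.0:
		return "LOW", nil
	case r < 7.0:
		return "MEDIUM", nil
	case r < 9.0:
		return "HIGH", nil
	default:
		return "CRITICAL", nil
	}
}

// FormatScore renders the table cell: always one decimal place ("6.0" rather
// than "6"), "0.0" for a genuine zero, and an empty cell when no severity is listed.
func FormatScore(score *float64) string {
	if score == nil {
		return ""
	}
	return fmt.Sprintf("%.1f", *score)
}

func main() {
	// constructed inputs: a plain integer score, a zero score, a missing one, a critical one
	for _, field := range []string{"6", "0", "", "9.8"} {
		s, err := ParseScore(field)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		rating := ""
		if s != nil {
			rating, _ = CVSSRating(*s)
		}
		fmt.Printf("input=%q cell=%q rating=%q\n", field, FormatScore(s), rating)
	}
}
```

Keeping the "missing" case as nil rather than as 0 is the point of the second bullet in the commit: a zero score is a statement about the vulnerability, an absent score is a statement about the data source, and a remediation mode that prioritises by severity must not treat the two alike.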
Following on from #765, adds `ComputeRelaxPatches` for generating the possible remediation options after a relock. Also added a new(ish) cache for OSV API requests, which speeds up the above quite a bit.
This is to match the decision made when creating `exit_code_redirect.sh` to not fail if no lockfiles are found. With the reporter, the action will still fail when lockfiles are not found; this just updates it so that it will not fail now.
Implementing #766 (comment)

- Created `VulnerabilityClient` interface for OSV queries & to store cache
- Renamed `ResolutionClient` to `DependencyClient`
- Made new `ResolutionClient` struct, that's just both `DependencyClient` and `VulnerabilityClient` together
Add support for parsing package information from `pdm.lock` files used by `pdm`, a package and dependency manager for Python (https://pdm-project.org/latest/).
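A scanner only needs two facts per `[[package]]` table in `pdm.lock` to query a vulnerability database: the package name and the resolved version. The Go program below is an added example of extracting exactly those, not osv-scanner's parser. It assumes the lockfile layout that `pdm` writes (a `[metadata]` table followed by `[[package]]` tables with `name = "..."` and `version = "..."` keys, plus multi-line `files`/`dependencies` arrays) and deliberately uses a small line-oriented reader instead of a full TOML parser; the sample lockfile is constructed for the example, with placeholder hashes.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// PDMPackage is one resolved dependency from a pdm.lock file.
type PDMPackage struct {
	Name    string
	Version string
}

// sampleLock is a constructed pdm.lock fragment (not from any real project).
const sampleLock = `# constructed sample, hashes are placeholders
[metadata]
groups = ["default"]
lock_version = "4.4"
content_hash = "sha256:PLACEHOLDER"

[[package]]
name = "certifi"
version = "2023.7.22"
requires_python = ">=3.6"
summary = "Python package for providing Mozilla's CA Bundle."
files = [
    {file = "certifi-2023.7.22-py3-none-any.whl", hash = "sha256:PLACEHOLDER"},
]

[[package]]
name = "requests"
version = "2.31.0"
requires_python = ">=3.7"
dependencies = [
    "certifi>=2017.4.17",
]
`

// ParsePDMLock extracts name/version pairs from the [[package]] tables.
// Only top-level "name" and "version" keys inside a package table are read;
// array element lines ("{file = ...}", quoted dependency specs) never start
// with those keys, so they are ignored without tracking array state.
func ParsePDMLock(content string) ([]PDMPackage, error) {
	var pkgs []PDMPackage
	var cur *PDMPackage
	flush := func() {
		if cur != nil {
			pkgs = append(pkgs, *cur)
			cur = nil
		}
	}
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case line == "[[package]]":
			flush()
			cur = &PDMPackage{}
		case strings.HasPrefix(line, "["):
			// any other table header ([metadata], ...) ends the current package
			flush()
		case cur != nil:
			key, val, ok := strings.Cut(line, "=")
			if !ok {
				continue
			}
			key, val = strings.TrimSpace(key), strings.TrimSpace(val)
			if key != "name" && key != "version" {
				continue
			}
			// both keys must be simple quoted strings; anything else is a malformed lockfile
			if len(val) < 2 || val[0] != '"' || val[len(val)-1] != '"' {
				return nil, fmt.Errorf("line %d: %s is not a quoted string: %s", lineNo, key, val)
			}
			val = val[1 : len(val)-1]
			if key == "name" {
				cur.Name = val
			} else {
				cur.Version = val
			}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	flush()
	for _, p := range pkgs {
		if p.Name == "" || p.Version == "" {
			return nil, fmt.Errorf("package entry missing name or version: %+v", p)
		}
	}
	return pkgs, nil
}

func main() {
	pkgs, err := ParsePDMLock(sampleLock)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pkgs {
		// the (ecosystem, name, version) triple is what an OSV query is keyed on
		fmt.Printf("PyPI %s %s\n", p.Name, p.Version)
	}
}
```

Rejecting an entry with a missing or unquoted name or version, rather than skipping it, is the conservative choice for a scanner: a silently dropped package is a vulnerability that never gets looked up.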
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| alpine | final | digest | `51b6726` -> `c5b1261` |

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

- [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `fd78f2f` -> `a6a7f1f` |

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

- [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
There's a new vulnerability in one of the test packages that's started being picked up.
The datasource and `DependencyClient` for querying the npm registry API directly, instead of relying on deps.dev. Also, parses `.npmrc` configs to allow resolution of requirements from private registries. Practically unchanged from what we had internally, besides a bunch of linting complaints.
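Resolving requirements against private registries means reading three kinds of `.npmrc` line: a top-level `registry=` default, per-scope `@scope:registry=` overrides, and `//host/path/:_authToken=` credentials, with `${VAR}` references expanded from the environment. The Go program below is an added example of that resolution logic, not the datasource this commit describes. It assumes exact matching of the scheme-less `//host/path/` key against the registry URL (real npm also matches longer path prefixes) and treats a reference to an unset variable as an error, so a missing token fails loudly rather than sending an empty credential. The `.npmrc` content and the token are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

const defaultRegistry = "https://registry.npmjs.org/"

// NpmConfig holds the subset of .npmrc settings needed to resolve packages.
type NpmConfig struct {
	Registry      string            // top-level "registry=" value, if set
	ScopeRegistry map[string]string // "@scope" -> registry URL
	AuthTokens    map[string]string // "//host/path/" -> token
}

// sampleNpmrc is a constructed .npmrc (not from any real project).
const sampleNpmrc = `; constructed sample .npmrc
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=${ACME_NPM_TOKEN}
always-auth=true
`

var envRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// ParseNpmrc reads .npmrc content. lookupEnv expands ${VAR} references; pass
// os.LookupEnv for real use. Referencing an unset variable is an error.
func ParseNpmrc(content string, lookupEnv func(string) (string, bool)) (*NpmConfig, error) {
	cfg := &NpmConfig{ScopeRegistry: map[string]string{}, AuthTokens: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		// keys never contain '=', values (base64 tokens) may, so cut at the first one
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed .npmrc line: %q", line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		var expandErr error
		val = envRef.ReplaceAllStringFunc(val, func(m string) string {
			name := m[2 : len(m)-1] // strip "${" and "}"
			v, found := lookupEnv(name)
			if !found {
				expandErr = fmt.Errorf("%s references unset variable %s", key, name)
			}
			return v
		})
		if expandErr != nil {
			return nil, expandErr
		}
		switch {
		case key == "registry":
			cfg.Registry = ensureSlash(val)
		case strings.HasPrefix(key, "@") && strings.HasSuffix(key, ":registry"):
			cfg.ScopeRegistry[strings.TrimSuffix(key, ":registry")] = ensureSlash(val)
		case strings.HasPrefix(key, "//") && strings.HasSuffix(key, ":_authToken"):
			cfg.AuthTokens[ensureSlash(strings.TrimSuffix(key, ":_authToken"))] = val
		}
	}
	return cfg, sc.Err()
}

func ensureSlash(s string) string {
	if strings.HasSuffix(s, "/") {
		return s
	}
	return s + "/"
}

// RegistryFor returns the registry a package name resolves to: the scope's
// registry if configured, else the top-level registry, else the public one.
// A configured scope therefore never falls back to the public registry.
func (c *NpmConfig) RegistryFor(pkg string) string {
	if strings.HasPrefix(pkg, "@") {
		if scope, _, ok := strings.Cut(pkg, "/"); ok {
			if r, found := c.ScopeRegistry[scope]; found {
				return r
			}
		}
	}
	if c.Registry != "" {
		return c.Registry
	}
	return defaultRegistry
}

// TokenFor returns the auth token for a registry URL, matched on the
// scheme-less "//host/path/" form that .npmrc keys use (exact match only).
func (c *NpmConfig) TokenFor(registry string) (string, bool) {
	key := registry
	if i := strings.Index(key, "//"); i >= 0 {
		key = key[i:]
	}
	t, ok := c.AuthTokens[ensureSlash(key)]
	return t, ok
}

func main() {
	env := map[string]string{"ACME_NPM_TOKEN": "tok-123"} // constructed, stands in for os.LookupEnv
	cfg, err := ParseNpmrc(sampleNpmrc, func(k string) (string, bool) { v, ok := env[k]; return v, ok })
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, pkg := range []string{"@acme/widgets", "lodash", "@other/lib"} {
		reg := cfg.RegistryFor(pkg)
		_, hasToken := cfg.TokenFor(reg)
		fmt.Printf("%-14s -> %s (token: %v)\n", pkg, reg, hasToken)
	}
}
```

The output never prints the token itself, only whether one is present; a resolver that logs registry selection should keep the same discipline, since `.npmrc` tokens in CI logs are a common credential leak.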
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [deps.dev/api/v3alpha](https://togithub.com/google/deps.dev) | require | digest | `00b51ef` -> `c339c64` |
| [deps.dev/util/resolve](https://togithub.com/google/deps.dev) | require | digest | `00b51ef` -> `c339c64` |
| [deps.dev/util/semver](https://togithub.com/google/deps.dev) | require | digest | `1e316b8` -> `c339c64` |
| [github.com/gkampitakis/go-snaps](https://togithub.com/gkampitakis/go-snaps) | require | minor | `v0.4.12` -> `v0.5.2` |
| [github.com/ianlancetaylor/demangle](https://togithub.com/ianlancetaylor/demangle) | require | digest | `964b1d5` -> `1f824a1` |
| [github.com/jedib0t/go-pretty/v6](https://togithub.com/jedib0t/go-pretty) | require | patch | `v6.5.3` -> `v6.5.4` |
| [go](https://go.dev/) ([source](https://togithub.com/golang/go)) | golang | patch | `1.21.5` -> `1.21.6` |
| golang.org/x/exp | require | digest | `1b97071` -> `2c58cdc` |
| [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | require | minor | `v1.60.1` -> `v1.61.0` |
| [google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go) | require | minor | `v1.31.0` -> `v1.32.0` |

### Release Notes

<details>
<summary>gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)</summary>

### [`v0.5.2`](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.1...v0.5.2)

[Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.1...v0.5.2)

### [`v0.5.1`](https://togithub.com/gkampitakis/go-snaps/releases/tag/v0.5.1)

[Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.0...v0.5.1)

#### What's Changed

- fix: replace `Print` with `Println` by [@G-Rath](https://togithub.com/G-Rath) in [#94](https://togithub.com/gkampitakis/go-snaps/pull/94)

**Full Changelog**: gkampitakis/go-snaps@v0.5.0...v0.5.1

### [`v0.5.0`](https://togithub.com/gkampitakis/go-snaps/releases/tag/v0.5.0)

[Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.4.12...v0.5.0)

#### What's Changed

- docs: improve readme code formatting and grammar by [@G-Rath](https://togithub.com/G-Rath) in [#85](https://togithub.com/gkampitakis/go-snaps/pull/85)
- docs: improve `TestMain` references by [@G-Rath](https://togithub.com/G-Rath) in [#86](https://togithub.com/gkampitakis/go-snaps/pull/86)
- chore(docs): minor improvements by [@gkampitakis](https://togithub.com/gkampitakis) in [#89](https://togithub.com/gkampitakis/go-snaps/pull/89)
- chore: clean up test mocks and change getTestID param order by [@gkampitakis](https://togithub.com/gkampitakis) in [#92](https://togithub.com/gkampitakis/go-snaps/pull/92)
- feat: don't create multiple snapshots when -test.count>1 by [@gkampitakis](https://togithub.com/gkampitakis) in [#90](https://togithub.com/gkampitakis/go-snaps/pull/90)

#### Breaking changes ❗

On `v0.5.0`, when running tests with the `test.count>1` flag, a call to create a snapshot will not create multiple instances of the same snapshot; it will create the snapshot once and subsequent executions will test against that snapshot. See issue [#87](https://togithub.com/gkampitakis/go-snaps/issues/87).

#### New Contributors

- [@G-Rath](https://togithub.com/G-Rath) made their first contribution in [#85](https://togithub.com/gkampitakis/go-snaps/pull/85)

**Full Changelog**: gkampitakis/go-snaps@v0.4.12...v0.5.0

</details>

<details>
<summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary>

### [`v6.5.4`](https://togithub.com/jedib0t/go-pretty/releases/tag/v6.5.4)

[Compare Source](https://togithub.com/jedib0t/go-pretty/compare/v6.5.3...v6.5.4)

#### What's Changed

- table: fix SuppressTrailingSpaces removing spaces from the beginning by [@ilya-lesikov](https://togithub.com/ilya-lesikov) in [#295](https://togithub.com/jedib0t/go-pretty/pull/295)
- table: fix documentation for merges by [@jedib0t](https://togithub.com/jedib0t) in [#296](https://togithub.com/jedib0t/go-pretty/pull/296)

#### New Contributors

- [@ilya-lesikov](https://togithub.com/ilya-lesikov) made their first contribution in [#295](https://togithub.com/jedib0t/go-pretty/pull/295)

**Full Changelog**: jedib0t/go-pretty@v6.5.3...v6.5.4

</details>

<details>
<summary>golang/go (go)</summary>

### [`v1.21.6`](https://togithub.com/golang/go/compare/go1.21.5...go1.21.6)

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.61.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.61.0): Release 1.61.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.60.1...v1.61.0)

### New Features

- resolver: provide method, `AuthorityOverrider`, to allow resolver.Builders to override the default authority for a `ClientConn`. (EXPERIMENTAL) ([#6752](https://togithub.com/grpc/grpc-go/issues/6752))
  - Special Thanks: [@Aditya-Sood](https://togithub.com/Aditya-Sood)
- xds: add support for mTLS Credentials in xDS bootstrap ([gRFC A65](github.com/grpc/proposal/blob/8c31bfedded5f0a51c4933e9e9a8246122f9c41a/A65-xds-mtls-creds-in-bootstrap.md)) ([#6757](https://togithub.com/grpc/grpc-go/issues/6757))
  - Special Thanks: [@atollena](https://togithub.com/atollena)
- server: add `grpc.WaitForHandlers` `ServerOption` to cause `Server.Stop` to block until method handlers return. (EXPERIMENTAL) ([#6922](https://togithub.com/grpc/grpc-go/issues/6922))

### Performance Improvements

- grpc: skip compression of empty messages as an optimization ([#6842](https://togithub.com/grpc/grpc-go/issues/6842))
  - Special Thanks: [@jroper](https://togithub.com/jroper)
- orca: use atomic pointer to improve performance in server metrics recorder ([#6799](https://togithub.com/grpc/grpc-go/issues/6799))
  - Special Thanks: [@danielzhaotongliu](https://togithub.com/danielzhaotongliu)

### Bug Fixes

- client: correctly enable TCP keepalives with OS defaults on windows ([#6863](https://togithub.com/grpc/grpc-go/issues/6863))
  - Special Thanks: [@mmatczuk](https://togithub.com/mmatczuk)
- server: change some stream operations to return `UNAVAILABLE` instead of `UNKNOWN` when underlying connection is broken ([#6891](https://togithub.com/grpc/grpc-go/issues/6891))
  - Special Thanks: [@mustafasen81](https://togithub.com/mustafasen81)
- server: fix `GracefulStop` to block until all method handlers return (v1.60 regression). ([#6922](https://togithub.com/grpc/grpc-go/issues/6922))
- server: fix two bugs that could lead to panics at shutdown when using [`NumStreamWorkers`](https://pkg.go.dev/google.golang.org/grpc#NumStreamWorkers) (EXPERIMENTAL). ([#6856](https://togithub.com/grpc/grpc-go/issues/6856))
- reflection: do not send invalid descriptors to clients for files that cannot be fully resolved ([#6771](https://togithub.com/grpc/grpc-go/issues/6771))
  - Special Thanks: [@jhump](https://togithub.com/jhump)
- xds: don't fail channel/server startup when xds creds is specified, but bootstrap is missing certificate providers ([#6848](https://togithub.com/grpc/grpc-go/issues/6848))
- xds: Atomically read and write xDS security configuration client side ([#6796](https://togithub.com/grpc/grpc-go/issues/6796))
- xds/server: fix RDS handling for non-inline route configs ([#6915](https://togithub.com/grpc/grpc-go/issues/6915))

</details>

<details>
<summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary>

### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [golang/protobuf#1583](https://togithub.com/golang/protobuf/issues/1583) and [golang/protobuf#1584](https://togithub.com/golang/protobuf/issues/1584) for details.

</details>

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

- [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | minor | `v4.2.0` -> `v4.3.1` |
| [codecov/codecov-action](https://togithub.com/codecov/codecov-action) | action | patch | `v3.1.4` -> `v3.1.6` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v3.23.1` -> `v3.24.0` |

### Release Notes

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1)

[Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1)

- Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648)

### [`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0)

[Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0)

##### What's Changed

- Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://togithub.com/robherley) in [#504](https://togithub.com/actions/upload-artifact/pull/504)
- Add sub-action to merge artifacts by [@robherley](https://togithub.com/robherley) in [#505](https://togithub.com/actions/upload-artifact/pull/505)

**Full Changelog**: actions/upload-artifact@v4...v4.3.0

</details>

<details>
<summary>codecov/codecov-action (codecov/codecov-action)</summary>

### [`v3.1.6`](https://togithub.com/codecov/codecov-action/releases/tag/v3.1.6)

[Compare Source](https://togithub.com/codecov/codecov-action/compare/v3.1.5...v3.1.6)

**Full Changelog**: codecov/codecov-action@v3.1.5...v3.1.6

### [`v3.1.5`](https://togithub.com/codecov/codecov-action/releases/tag/v3.1.5)

[Compare Source](https://togithub.com/codecov/codecov-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- action.yml: Update to Node.js 20 by [@hallabro](https://togithub.com/hallabro) in [#1228](https://togithub.com/codecov/codecov-action/pull/1228)

#### New Contributors

- [@hallabro](https://togithub.com/hallabro) made their first contribution in [#1228](https://togithub.com/codecov/codecov-action/pull/1228)

**Full Changelog**: codecov/codecov-action@v3.1.4...v3.1.5

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)

### [`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)

</details>

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

- [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.15.5 to 1.16.2.

<details>
<summary>Release notes</summary>

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

## v1.16.2 / 2024-02-04

### Security

- [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j) for more information.

### Dependencies

- [CRuby] Vendored libxml2 is updated to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from v2.12.4. ([@flavorjones](https://github.com/flavorjones))

sha256 checksums:

```
69ba15d2a2498324489ed63850997f0b8f684260114ea81116d3082f16551d2d nokogiri-1.16.2-aarch64-linux.gem
6a05ce42e3587a40cf8936ece0beaa5d32922254215d2e8cf9ad40588bb42e57 nokogiri-1.16.2-arm-linux.gem
c957226c8e36b31be6a3afb8602e2128282bf8b40ea51016c4cd21aa2608d3f8 nokogiri-1.16.2-arm64-darwin.gem
122652bfc338cd8a54a692ac035e245e41fd3b8283299202ca26e7a7d50db310 nokogiri-1.16.2-java.gem
7344b5072ca69fc5bedb61cb01a3b765b93a27aae5a2a845c2ba7200e4345074 nokogiri-1.16.2-x64-mingw-ucrt.gem
a2a5e184a424111a0d5b77947986484920ad708009c667f061e8d02035c562dd nokogiri-1.16.2-x64-mingw32.gem
833efddeb51a6c2c9f6356295623c2b2e0d50050d468695c59bd929162953323 nokogiri-1.16.2-x86-linux.gem
e67fc0418dffaff9dc8b1dc65f0605282c3fee9488832d0223b620b4319e0b53 nokogiri-1.16.2-x86-mingw32.gem
5def799e5f139f21a79d7cf71172313a7b6fb0e4b2a31ab9bd5d4ad305994539 nokogiri-1.16.2-x86_64-darwin.gem
5b146240ac6ec6c40fd4367623e74442bca45a542bd3282b1d4d18b07b8e5dfe nokogiri-1.16.2-x86_64-linux.gem
68922ee5cde27497d995c46f2821957bae961947644eed2822d173daf7567f9c nokogiri-1.16.2.gem
```

## v1.16.1 / 2024-02-03

### Dependencies

- [CRuby] Vendored libxml2 is updated to [v2.12.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.4) from v2.12.3. ([@flavorjones](https://github.com/flavorjones))

### Fixed

- [CRuby] `XML::Reader` defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891](https://redirect.github.com/sparklemotion/nokogiri/issues/2891) ([@flavorjones](https://github.com/flavorjones))
- [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9aee). [#3090](https://redirect.github.com/sparklemotion/nokogiri/issues/3090) ([@adfoster-r7](https://github.com/adfoster-r7))
- [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, [#3116](https://redirect.github.com/sparklemotion/nokogiri/issues/3116)] ([@flavorjones](https://github.com/flavorjones))
- [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, [#3100](https://redirect.github.com/sparklemotion/nokogiri/issues/3100)] ([@stevecheckoway](https://github.com/stevecheckoway))

sha256 checksums:

```
a541f35e5b9798a0c97300f9ee18f4217da2a2945a6d5499e4123b9018f9cafc nokogiri-1.16.1-aarch64-linux.gem
6b82affd195000ab2f9c36cc08744ec2d2fcf6d8da88d59a2db67e83211f7c69 nokogiri-1.16.1-arm-linux.gem
```

... (truncated)

</details>

<details>
<summary>Changelog</summary>

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md).* The changelog entries for v1.16.2 and v1.16.1 are identical to the release notes above; the remaining entry follows.

## v1.16.0 / 2023-12-27

### Notable Changes

#### Ruby

This release introduces native gem support for Ruby 3.3.

This release ends support for Ruby 2.7, for which [upstream support ended 2023-03-31](https://www.ruby-lang.org/en/downloads/branches/).

#### Pattern matching

This version marks *official support* for the pattern matching API in `XML::Attr`, `XML::Document`, `XML::DocumentFragment`, `XML::Namespace`, `XML::Node`, and `XML::NodeSet` (and their subclasses), originally introduced as an experimental feature in v1.14.0. ([@flavorjones](https://github.com/flavorjones))

Documentation on what can be matched:

- [`XML::Attr#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Attr.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Document#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Document.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Namespace#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Namespace.html?h=deconstruct+namespace#method-i-deconstruct_keys)
- [`XML::Node#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::DocumentFragment#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/DocumentFragment.html?h=deconstruct#method-i-deconstruct)
- [`XML::NodeSet#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/NodeSet.html?h=deconstruct#method-i-deconstruct)

... (truncated)

</details>

<details>
<summary>Commits</summary>

- [`673756f`](https://github.com/sparklemotion/nokogiri/commit/673756fdd69d1036874b7d7250cc38a51fd4d7b8) version bump to v1.16.2
- [`74ffd67`](https://github.com/sparklemotion/nokogiri/commit/74ffd67a8efb9972657e5c4625fd8419bbccbe06) dep: update libxml to 2.12.5 (branch v1.16.x) ([#3122](https://redirect.github.com/sparklemotion/nokogiri/issues/3122))
- [`0d4018d`](https://github.com/sparklemotion/nokogiri/commit/0d4018dc7009580659c101fc41efb3babcfec229) dep: update libxml2 to v2.12.5
- [`f33a25f`](https://github.com/sparklemotion/nokogiri/commit/f33a25f4378df33912ebc6b4ebc0f9e8e80ddfa8) dep: remove patch from [#3112](https://redirect.github.com/sparklemotion/nokogiri/issues/3112) which has been released upstream
- [`e994168`](https://github.com/sparklemotion/nokogiri/commit/e99416896a182bc520a7940bbe286ec33597ab2b) version bump to v1.16.1
- [`77ea2f2`](https://github.com/sparklemotion/nokogiri/commit/77ea2f228c20e79c848ca2906813ea5b5010281b) dev: add files to manifest ignore list
- [`756f27c`](https://github.com/sparklemotion/nokogiri/commit/756f27c6b7a23294d84bdcca5e03a639d0dd7421) build(deps): bump actions/{download,upload}-artifact from 3 to 4
- [`464f8d4`](https://github.com/sparklemotion/nokogiri/commit/464f8d41eb73ca9c6dae0b366afcf5f4e8bff342) .gitignore: clangd-related files
- [`2beeb96`](https://github.com/sparklemotion/nokogiri/commit/2beeb960691df28dd5ebf828192c65b60250670f) doc: update CHANGELOG
- [`a26536d`](https://github.com/sparklemotion/nokogiri/commit/a26536d7a41fd40c52940e165bb5a4f6b4c39662) fix: apply upstream patch for in-context parsing ([#3116](https://redirect.github.com/sparklemotion/nokogiri/issues/3116))
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.15.5...v1.16.2)

</details>

[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

<details>
<summary>Dependabot commands and options</summary>

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it.

</details>
You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/google/osv-scanner/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds the lockfile parsing for in-place updating. Code is mostly unchanged from what exists internally, mostly just split it up into multiple files. I've reused and added to the existing (public) npm structs, but this shouldn't impact the scan action.
Adding in-place update computation, for finding 'drop-in' fixes of vulns in indirect dependencies. I did end up rewriting a lot of this, so I'd appreciate a more thorough review of this PR. Something to note for the future: unlike what happens internally, the returned patches can be incompatible with each other (i.e. could possibly suggest two different versions for the same package). I'll need to make sure the caller handles this possibility.
Just the `osv-scanner fix` flag parsing, the command itself doesn't do anything. I'd appreciate opinions on the naming/aliasing of the flags.
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.24.0` -> `v3.24.1` |
| [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) | action | patch | `v3.7.0` -> `v3.7.1` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)

</details>

<details>
<summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary>

### [`v3.7.1`](https://togithub.com/golangci/golangci-lint-action/compare/v3.7.0...v3.7.1)

[Compare Source](https://togithub.com/golangci/golangci-lint-action/compare/v3.7.0...v3.7.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github-pages](https://togithub.com/github/pages-gem) | `"~> 228"` -> `"~> 230"` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/github-pages/230?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/github-pages/230?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/github-pages/228/230?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/github-pages/228/230?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>github/pages-gem (github-pages)</summary>

### [`v230`](https://togithub.com/github/pages-gem/releases/tag/v230)

[Compare Source](https://togithub.com/github/pages-gem/compare/v229...v230)

#### What's Changed

- Bump docker/login-action from 2 to 3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/907](https://togithub.com/github/pages-gem/pull/907)
- Bump docker/build-push-action from 4 to 5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/905](https://togithub.com/github/pages-gem/pull/905)
- Bump docker/setup-buildx-action from 2 to 3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/906](https://togithub.com/github/pages-gem/pull/906)
- Bump Jekyll to 3.9.5 by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/908](https://togithub.com/github/pages-gem/pull/908)

**Full Changelog**: github/pages-gem@v229...v230

### [`v229`](https://togithub.com/github/pages-gem/releases/tag/v229)

[Compare Source](https://togithub.com/github/pages-gem/compare/v228...v229)

#### What's Changed

- Bump docker/metadata-action from 4 to 5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/889](https://togithub.com/github/pages-gem/pull/889)
- Bump actions/checkout from 3 to 4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/888](https://togithub.com/github/pages-gem/pull/888)
- Fixes `$github-pages health-check` NoMethodError by [@​edward](https://togithub.com/edward) in [https://github.com/github/pages-gem/pull/878](https://togithub.com/github/pages-gem/pull/878)
- Support Ruby 3.2+, fixes [#​879](https://togithub.com/github/pages-gem/issues/879) by [@​fulldecent](https://togithub.com/fulldecent) in [https://github.com/github/pages-gem/pull/880](https://togithub.com/github/pages-gem/pull/880)
- Create publish-gem.yml by [@​tsusdere](https://togithub.com/tsusdere) in [https://github.com/github/pages-gem/pull/898](https://togithub.com/github/pages-gem/pull/898)
- Bump actions/checkout from 3 to 4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/900](https://togithub.com/github/pages-gem/pull/900)
- Enable multi arch docker image build by [@​rngtng](https://togithub.com/rngtng) in [https://github.com/github/pages-gem/pull/884](https://togithub.com/github/pages-gem/pull/884)
- Bring back proper support for Ruby 3.x by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/901](https://togithub.com/github/pages-gem/pull/901)
- Bump dependencies (patch and minor only) by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/902](https://togithub.com/github/pages-gem/pull/902)
- Fix release script by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/903](https://togithub.com/github/pages-gem/pull/903)
- Another publish script fix by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/904](https://togithub.com/github/pages-gem/pull/904)

#### New Contributors

- [@​edward](https://togithub.com/edward) made their first contribution in [https://github.com/github/pages-gem/pull/878](https://togithub.com/github/pages-gem/pull/878)
- [@​fulldecent](https://togithub.com/fulldecent) made their first contribution in [https://github.com/github/pages-gem/pull/880](https://togithub.com/github/pages-gem/pull/880)
- [@​tsusdere](https://togithub.com/tsusdere) made their first contribution in [https://github.com/github/pages-gem/pull/898](https://togithub.com/github/pages-gem/pull/898)
- [@​rngtng](https://togithub.com/rngtng) made their first contribution in [https://github.com/github/pages-gem/pull/884](https://togithub.com/github/pages-gem/pull/884)

**Full Changelog**: github/pages-gem@v228...v229

</details>

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|---|---|
| [deps.dev/api/v3alpha](https://togithub.com/google/deps.dev) | require | digest | `c339c64` -> `1729b62` | [![age](https://developer.mend.io/api/mc/badges/age/go/deps.dev%2fapi%2fv3alpha/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/deps.dev%2fapi%2fv3alpha/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/deps.dev%2fapi%2fv3alpha/v0.0.0-20240204235316-c339c640e576/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/deps.dev%2fapi%2fv3alpha/v0.0.0-20240204235316-c339c640e576/?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| [deps.dev/util/resolve](https://togithub.com/google/deps.dev) | require | digest | `c339c64` -> `1729b62` | [![age](https://developer.mend.io/api/mc/badges/age/go/deps.dev%2futil%2fresolve/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/deps.dev%2futil%2fresolve/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/deps.dev%2futil%2fresolve/v0.0.0-20240204235316-c339c640e576/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/deps.dev%2futil%2fresolve/v0.0.0-20240204235316-c339c640e576/?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| [deps.dev/util/semver](https://togithub.com/google/deps.dev) | require | digest | `c339c64` -> `1729b62` | [![age](https://developer.mend.io/api/mc/badges/age/go/deps.dev%2futil%2fsemver/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/deps.dev%2futil%2fsemver/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/deps.dev%2futil%2fsemver/v0.0.0-20240204235316-c339c640e576/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/deps.dev%2futil%2fsemver/v0.0.0-20240204235316-c339c640e576/?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| [go](https://go.dev/) ([source](https://togithub.com/golang/go)) | golang | minor | `1.21.6` -> `1.22.0` | [![age](https://developer.mend.io/api/mc/badges/age/golang-version/go/1.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/golang-version/go/1.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/golang-version/go/1.21.6/1.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/golang-version/go/1.21.6/1.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| golang.org/x/exp | require | digest | `2c58cdc` -> `ec58324` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fexp/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fexp/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fexp/v0.0.0-20240205201215-2c58cdc269a3/?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fexp/v0.0.0-20240205201215-2c58cdc269a3/?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| golang.org/x/mod | require | minor | `v0.14.0` -> `v0.15.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fmod/v0.15.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fmod/v0.15.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fmod/v0.14.0/v0.15.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fmod/v0.14.0/v0.15.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| golang.org/x/term | require | minor | `v0.16.0` -> `v0.17.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fterm/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fterm/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fterm/v0.16.0/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fterm/v0.16.0/v0.17.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
| [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | require | patch | `v1.61.0` -> `v1.61.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.61.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fgrpc/v1.61.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fgrpc/v1.61.0/v1.61.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.61.0/v1.61.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>golang/go (go)</summary>

### [`v1.22.0`](https://togithub.com/golang/go/compare/go1.21.7...go1.22rc1)

### [`v1.21.7`](https://togithub.com/golang/go/compare/go1.21.6...go1.21.7)

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.61.1`](https://togithub.com/grpc/grpc-go/releases/tag/v1.61.1): Release 1.61.1

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.61.0...v1.61.1)

### Bug Fixes

- server: wait to close connection until incoming socket is drained (with timeout) to prevent data loss on client-side ([#​6977](https://togithub.com/grpc/grpc-go/issues/6977))
  - Special Thanks: [@​s-matyukevich](https://togithub.com/s-matyukevich) for discovering the root cause

</details>

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `a6a7f1f` -> `8e96e6c` |

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
Adds the `osv-scanner/[VERSION]` user agent to the grpc requests going to the deps.dev API. I thought it'd be nice for deps.dev to be able to see which traffic is coming from license scanning and guided remediation. CC: @josieang
Update main with new docs updates.

---------

Signed-off-by: Hayley Denbraver <[email protected]>
Co-authored-by: Hayley Denbraver <[email protected]>
Co-authored-by: josieang <[email protected]>
Co-authored-by: Giovanni Bozzano <[email protected]>
Co-authored-by: Xueqin Cui <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
Co-authored-by: Mend Renovate <[email protected]>
Co-authored-by: Jahan Chaware <[email protected]>
Co-authored-by: Holly Gong <[email protected]>
It actually can be used now 🎉 This is basically re-written from the internal equivalent, but it should be functionally similar. Probably will end up extracting some code to use with the interactive code when I end up needing it. imo, non-interactive mode is currently too opaque to be generally useful - there's no indication of what vulnerabilities exist and which get fixed.
PoC of container scanning using stereoscope. The feature is currently behind the `--experimental-oci-image` flag.
The final part to open source 🎉 I really want to spend some time refactoring all of this, but it's probably better to get this out there sooner rather than later. To help with reviewing, the first commit (e366995) is basically a direct copy-paste from the internal code, with things only renamed to the new counterparts in osv-scanner - it should all already have been reviewed. [You can see new things to review by comparing the other commits against that first one.](https://github.com/google/osv-scanner/pull/811/files/e3669953445e7744b08dc079f92d3fc990150296..HEAD)
This PR adds the implementation for the Maven version suggester:
- The latest version of the specified package is returned based on the given options.
- A version range requirement will be replaced with the latest version if this version does not satisfy the constraint.
- Major updates can be ignored with option `NoMajorUpdates` set to true.
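The three rules above, worked through as an added example in Go that is not the osv-scanner suggester's own code: it models numeric-only Maven versions and a single bracket range, with a `noMajorUpdates` parameter standing in for the `NoMajorUpdates` option, and runs over a constructed release list.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type Version []int // simplified numeric Maven version such as "1.2.3"; qualifiers like "-SNAPSHOT" are not handled

// ParseVersion splits a dotted numeric version into integer segments.
func ParseVersion(s string) (Version, error) {
	var v Version
	for _, part := range strings.Split(strings.TrimSpace(s), ".") {
		n, err := strconv.Atoi(part)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid version segment %q in %q", part, s)
		}
		v = append(v, n)
	}
	for len(v) > 1 && v[len(v)-1] == 0 { // Maven drops trailing zeros, so "1.2.0" equals "1.2"
		v = v[:len(v)-1]
	}
	return v, nil
}

// Compare is negative, zero or positive as a is older than, equal to or newer than b.
func Compare(a, b Version) int {
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] - b[i]
		}
	}
	return len(a) - len(b) // trailing zeros are trimmed, so the longer version is the newer one
}

// Requirement is a parsed Maven requirement: a bare "1.2.3" is treated as a pin; "[1.0,2.0)" and "[1.0,)" are ranges.
type Requirement struct {
	Lower, Upper       Version // nil means open-ended
	LowerInc, UpperInc bool
}

// ParseRequirement parses a bare version or a single two-sided bracket range.
func ParseRequirement(s string) (Requirement, error) {
	if s = strings.TrimSpace(s); s == "" || (s[0] != '[' && s[0] != '(') {
		v, err := ParseVersion(s)
		return Requirement{Lower: v, Upper: v, LowerInc: true, UpperInc: true}, err
	}
	last, bounds := s[len(s)-1], strings.Split(strings.Trim(s, "[]()"), ",")
	if (last != ']' && last != ')') || len(bounds) != 2 {
		return Requirement{}, fmt.Errorf("unsupported range %q", s)
	}
	var bs [2]Version
	for i, b := range bounds {
		if v, err := ParseVersion(b); err == nil {
			bs[i] = v
		} else if b != "" {
			return Requirement{}, err // an empty bound means open-ended; anything else must parse
		}
	}
	return Requirement{Lower: bs[0], Upper: bs[1], LowerInc: s[0] == '[', UpperInc: last == ']'}, nil
}

// Satisfies reports whether v lies inside the requirement.
func (r Requirement) Satisfies(v Version) bool {
	return (r.Lower == nil || Compare(v, r.Lower) > 0 || (r.LowerInc && Compare(v, r.Lower) == 0)) &&
		(r.Upper == nil || Compare(v, r.Upper) < 0 || (r.UpperInc && Compare(v, r.Upper) == 0))
}

// Suggest returns the latest allowed version and the requirement to write back (replaced when it no longer fits).
func Suggest(requirement string, available []string, noMajorUpdates bool) (string, string, error) {
	req, err := ParseRequirement(requirement)
	if err != nil {
		return "", "", err
	}
	best, latest := Version(nil), ""
	for _, s := range available {
		v, err := ParseVersion(s)
		if err != nil {
			return "", "", err
		}
		if noMajorUpdates && req.Lower != nil && v[0] > req.Lower[0] {
			continue // a major bump relative to the requirement, ignored when NoMajorUpdates is set
		}
		if best == nil || Compare(v, best) > 0 {
			best, latest = v, s
		}
	}
	if best == nil {
		return "", "", fmt.Errorf("no available version is allowed for %q", requirement)
	}
	if !req.Satisfies(best) {
		requirement = latest // the existing requirement does not cover the new version, so replace it
	}
	return latest, requirement, nil
}

func main() {
	fmt.Println(Suggest("[1.0,2.0)", []string{"1.0.0", "1.1.2", "1.2.0", "2.0.1", "2.1.0"}, true)) // constructed release list
}
```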
The package name is now `suggester`.
This PR adds the implementation to read and write the Maven manifest file (pom.xml) for automated updates:
- Read: parse pom.xml and convert `maven.Project` to `Manifest`
- Write: update pom.xml with the given `ManifestPatch`

This is the internally reviewed version.
I've used the `dep.Dev` type in the in-place parsed graph to flag dev dependencies. Ideally, I'd also be able to do the same with the relock graph, it's just that the npm resolver does not resolve any dev dependencies.
Regarding: #741

As discussed with the Google team, moving to using a cached local DB when not running acceptance tests.

---------

Co-authored-by: Gareth Jones <[email protected]>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [docker/setup-buildx-action](https://togithub.com/docker/setup-buildx-action) | action | digest | `f95db51` -> `0d103c3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.24.1` -> `v3.24.5` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)

### [`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)

### [`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)

### [`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)

</details>

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [codecov/codecov-action](https://togithub.com/codecov/codecov-action) | action | major | `v3.1.6` -> `v4.1.0` |
| [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) | action | major | `v3.7.1` -> `v4.0.0` |

---

### Release Notes

<details>
<summary>codecov/codecov-action (codecov/codecov-action)</summary>

### [`v4.1.0`](https://togithub.com/codecov/codecov-action/compare/v4.0.2...v4.1.0)

[Compare Source](https://togithub.com/codecov/codecov-action/compare/v4.0.2...v4.1.0)

### [`v4.0.2`](https://togithub.com/codecov/codecov-action/releases/tag/v4.0.2)

[Compare Source](https://togithub.com/codecov/codecov-action/compare/v4.0.1...v4.0.2)

##### What's Changed

- Update README.md by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1251](https://togithub.com/codecov/codecov-action/pull/1251)
- build(deps-dev): bump [@​types/jest](https://togithub.com/types/jest) from 29.5.11 to 29.5.12 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1257](https://togithub.com/codecov/codecov-action/pull/1257)
- build(deps): bump github/codeql-action from 3.23.2 to 3.24.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1266](https://togithub.com/codecov/codecov-action/pull/1266)
- Escape pipes in table of arguments by [@​jwodder](https://togithub.com/jwodder) in [https://github.com/codecov/codecov-action/pull/1265](https://togithub.com/codecov/codecov-action/pull/1265)
- Add link to docs on Dependabot secrets by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/codecov/codecov-action/pull/1260](https://togithub.com/codecov/codecov-action/pull/1260)
- fix: working-directory input for all stages by [@​Bo98](https://togithub.com/Bo98) in [https://github.com/codecov/codecov-action/pull/1272](https://togithub.com/codecov/codecov-action/pull/1272)
- build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.20.0 to 6.21.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1271](https://togithub.com/codecov/codecov-action/pull/1271)
- build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.20.0 to 6.21.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1269](https://togithub.com/codecov/codecov-action/pull/1269)
- build(deps): bump github/codeql-action from 3.24.0 to 3.24.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1298](https://togithub.com/codecov/codecov-action/pull/1298)
- Use updated syntax for GitHub Markdown notes by [@​jamacku](https://togithub.com/jamacku) in [https://github.com/codecov/codecov-action/pull/1300](https://togithub.com/codecov/codecov-action/pull/1300)
- build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.21.0 to 7.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1290](https://togithub.com/codecov/codecov-action/pull/1290)
- build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1286](https://togithub.com/codecov/codecov-action/pull/1286)
- chore(release): bump to 4.0.2 by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1302](https://togithub.com/codecov/codecov-action/pull/1302)

##### New Contributors

- [@​jwodder](https://togithub.com/jwodder) made their first contribution in [https://github.com/codecov/codecov-action/pull/1265](https://togithub.com/codecov/codecov-action/pull/1265)
- [@​ianlewis](https://togithub.com/ianlewis) made their first contribution in [https://github.com/codecov/codecov-action/pull/1260](https://togithub.com/codecov/codecov-action/pull/1260)
- [@​Bo98](https://togithub.com/Bo98) made their first contribution in [https://github.com/codecov/codecov-action/pull/1272](https://togithub.com/codecov/codecov-action/pull/1272)
- [@​jamacku](https://togithub.com/jamacku) made their first contribution in [https://github.com/codecov/codecov-action/pull/1300](https://togithub.com/codecov/codecov-action/pull/1300)

**Full Changelog**: https://github.com/codecov/codecov-action/compare/v4.0.1...v4.0.2

### [`v4.0.1`](https://togithub.com/codecov/codecov-action/releases/tag/v4.0.1)

[Compare Source](https://togithub.com/codecov/codecov-action/compare/v4.0.0...v4.0.1)

##### What's Changed

- Update README.md by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1243](https://togithub.com/codecov/codecov-action/pull/1243)
- Add all args by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1245](https://togithub.com/codecov/codecov-action/pull/1245)
- fix: show both token uses in readme by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1250](https://togithub.com/codecov/codecov-action/pull/1250)

**Full Changelog**: https://github.com/codecov/codecov-action/compare/v4.0.0...v4.0.1

### [`v4.0.0`](https://togithub.com/codecov/codecov-action/releases/tag/v4.0.0)

[Compare Source](https://togithub.com/codecov/codecov-action/compare/v3.1.6...v4.0.0)

v4 of the Codecov Action uses the [CLI](https://docs.codecov.com/docs/the-codecov-cli) as the underlying upload. The CLI has helped to power new features including local upload, the global upload token, and new upcoming features.

##### Breaking Changes

- The Codecov Action runs as a `node20` action due to `node16` deprecation. See [this post from GitHub](https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/) on how to migrate.
- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token). This [doc](https://docs.codecov.com/docs/adding-the-codecov-token#github-actions) shows instructions on how to add the Codecov token.
- OS platforms have been added, though some may not be automatically detected. To see a list of platforms, see our [CLI download page](https://cli.codecov.io)
- Various arguments to the Action have been changed. Please be aware that the arguments match with the CLI's needs

`v3` versions and below will not have access to CLI features (e.g. global upload token, ATS).

##### What's Changed

- build(deps): bump openpgp from 5.8.0 to 5.9.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/985](https://togithub.com/codecov/codecov-action/pull/985)
- build(deps): bump actions/checkout from 3.0.0 to 3.5.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1000](https://togithub.com/codecov/codecov-action/pull/1000)
- build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1006](https://togithub.com/codecov/codecov-action/pull/1006)
- build(deps): bump tough-cookie from 4.0.0 to 4.1.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1013](https://togithub.com/codecov/codecov-action/pull/1013)
- build(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1024](https://togithub.com/codecov/codecov-action/pull/1024)
- build(deps): bump node-fetch from 3.3.1 to 3.3.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1031](https://togithub.com/codecov/codecov-action/pull/1031)
- build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.1.4 to 20.4.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1032](https://togithub.com/codecov/codecov-action/pull/1032)
- build(deps): bump github/codeql-action from 1.0.26 to 2.21.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1033](https://togithub.com/codecov/codecov-action/pull/1033)
- build commit,report and upload args based on codecovcli by [@​dana-yaish](https://togithub.com/dana-yaish) in
[https://github.com/codecov/codecov-action/pull/943](https://togithub.com/codecov/codecov-action/pull/943) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.4.5 to 20.5.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1055](https://togithub.com/codecov/codecov-action/pull/1055) - build(deps): bump github/codeql-action from 2.21.2 to 2.21.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1051](https://togithub.com/codecov/codecov-action/pull/1051) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.5.3 to 20.5.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1058](https://togithub.com/codecov/codecov-action/pull/1058) - chore(deps): update outdated deps by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1059](https://togithub.com/codecov/codecov-action/pull/1059) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.5.4 to 20.5.6 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1060](https://togithub.com/codecov/codecov-action/pull/1060) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.4.1 to 6.5.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1065](https://togithub.com/codecov/codecov-action/pull/1065) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.4.1 to 6.5.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1064](https://togithub.com/codecov/codecov-action/pull/1064) - build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by 
[@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1063](https://togithub.com/codecov/codecov-action/pull/1063) - build(deps-dev): bump eslint from 8.47.0 to 8.48.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1061](https://togithub.com/codecov/codecov-action/pull/1061) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.5.6 to 20.5.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1062](https://togithub.com/codecov/codecov-action/pull/1062) - build(deps): bump openpgp from 5.9.0 to 5.10.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1066](https://togithub.com/codecov/codecov-action/pull/1066) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.5.7 to 20.5.9 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1070](https://togithub.com/codecov/codecov-action/pull/1070) - build(deps): bump github/codeql-action from 2.21.4 to 2.21.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1069](https://togithub.com/codecov/codecov-action/pull/1069) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.5.0 to 6.6.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1072](https://togithub.com/codecov/codecov-action/pull/1072) - Update README.md by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1073](https://togithub.com/codecov/codecov-action/pull/1073) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.5.0 to 6.6.0 by [@​dependabot](https://togithub.com/dependabot) 
in [https://github.com/codecov/codecov-action/pull/1071](https://togithub.com/codecov/codecov-action/pull/1071) - build(deps-dev): bump [@​vercel/ncc](https://togithub.com/vercel/ncc) from 0.36.1 to 0.38.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1074](https://togithub.com/codecov/codecov-action/pull/1074) - build(deps): bump [@​actions/core](https://togithub.com/actions/core) from 1.10.0 to 1.10.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1081](https://togithub.com/codecov/codecov-action/pull/1081) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.6.0 to 6.7.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1080](https://togithub.com/codecov/codecov-action/pull/1080) - build(deps): bump actions/checkout from 3.6.0 to 4.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1078](https://togithub.com/codecov/codecov-action/pull/1078) - build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1077](https://togithub.com/codecov/codecov-action/pull/1077) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.5.9 to 20.6.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1075](https://togithub.com/codecov/codecov-action/pull/1075) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.6.0 to 6.7.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1079](https://togithub.com/codecov/codecov-action/pull/1079) - build(deps-dev): bump eslint from 8.48.0 to 8.49.0 by 
[@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1076](https://togithub.com/codecov/codecov-action/pull/1076) - use cli instead of node uploader by [@​dana-yaish](https://togithub.com/dana-yaish) in [https://github.com/codecov/codecov-action/pull/1068](https://togithub.com/codecov/codecov-action/pull/1068) - chore(release): 4.0.0-beta.1 by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1084](https://togithub.com/codecov/codecov-action/pull/1084) - not adding -n if empty to do-upload command by [@​dana-yaish](https://togithub.com/dana-yaish) in [https://github.com/codecov/codecov-action/pull/1085](https://togithub.com/codecov/codecov-action/pull/1085) - 4.0.0-beta.2 by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1086](https://togithub.com/codecov/codecov-action/pull/1086) - build(deps-dev): bump jest from 29.6.4 to 29.7.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1082](https://togithub.com/codecov/codecov-action/pull/1082) - build(deps-dev): bump [@​types/jest](https://togithub.com/types/jest) from 29.5.4 to 29.5.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1092](https://togithub.com/codecov/codecov-action/pull/1092) - build(deps): bump github/codeql-action from 2.21.5 to 2.21.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1094](https://togithub.com/codecov/codecov-action/pull/1094) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.6.0 to 20.6.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1093](https://togithub.com/codecov/codecov-action/pull/1093) - build(deps): bump openpgp from 5.10.1 to 5.10.2 by 
[@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1096](https://togithub.com/codecov/codecov-action/pull/1096) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.0 to 6.7.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1095](https://togithub.com/codecov/codecov-action/pull/1095) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.6.2 to 20.6.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1098](https://togithub.com/codecov/codecov-action/pull/1098) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.7.0 to 6.7.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1097](https://togithub.com/codecov/codecov-action/pull/1097) - feat: add plugins by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1099](https://togithub.com/codecov/codecov-action/pull/1099) - build(deps-dev): bump eslint from 8.49.0 to 8.50.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1104](https://togithub.com/codecov/codecov-action/pull/1104) - build(deps): bump github/codeql-action from 2.21.7 to 2.21.8 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1102](https://togithub.com/codecov/codecov-action/pull/1102) - build(deps): bump actions/checkout from 4.0.0 to 4.1.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1101](https://togithub.com/codecov/codecov-action/pull/1101) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.7.2 to 6.7.3 by 
[@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1108](https://togithub.com/codecov/codecov-action/pull/1108) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.6.3 to 20.7.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1107](https://togithub.com/codecov/codecov-action/pull/1107) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.2 to 6.7.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1106](https://togithub.com/codecov/codecov-action/pull/1106) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.7.0 to 20.7.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1111](https://togithub.com/codecov/codecov-action/pull/1111) - build(deps): bump github/codeql-action from 2.21.8 to 2.21.9 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1113](https://togithub.com/codecov/codecov-action/pull/1113) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.7.1 to 20.8.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1112](https://togithub.com/codecov/codecov-action/pull/1112) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.8.0 to 20.8.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1114](https://togithub.com/codecov/codecov-action/pull/1114) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.3 to 6.7.4 by [@​dependabot](https://togithub.com/dependabot) in 
[https://github.com/codecov/codecov-action/pull/1115](https://togithub.com/codecov/codecov-action/pull/1115) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.4 to 6.7.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1123](https://togithub.com/codecov/codecov-action/pull/1123) - build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1120](https://togithub.com/codecov/codecov-action/pull/1120) - build(deps): bump github/codeql-action from 2.21.9 to 2.22.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1119](https://togithub.com/codecov/codecov-action/pull/1119) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.7.3 to 6.7.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1122](https://togithub.com/codecov/codecov-action/pull/1122) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.8.2 to 20.8.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1121](https://togithub.com/codecov/codecov-action/pull/1121) - build(deps-dev): bump eslint from 8.50.0 to 8.51.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1117](https://togithub.com/codecov/codecov-action/pull/1117) - build(deps): bump [@​actions/github](https://togithub.com/actions/github) from 5.1.1 to 6.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1124](https://togithub.com/codecov/codecov-action/pull/1124) - build(deps): bump github/codeql-action from 2.22.0 to 2.22.3 by [@​dependabot](https://togithub.com/dependabot) in 
[https://github.com/codecov/codecov-action/pull/1127](https://togithub.com/codecov/codecov-action/pull/1127) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.8.4 to 20.8.6 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1126](https://togithub.com/codecov/codecov-action/pull/1126) - build(deps-dev): bump [@​babel/traverse](https://togithub.com/babel/traverse) from 7.22.11 to 7.23.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1129](https://togithub.com/codecov/codecov-action/pull/1129) - build(deps): bump undici from 5.25.4 to 5.26.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1128](https://togithub.com/codecov/codecov-action/pull/1128) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.5 to 6.8.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1130](https://togithub.com/codecov/codecov-action/pull/1130) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.7.5 to 6.8.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1131](https://togithub.com/codecov/codecov-action/pull/1131) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.8.6 to 20.8.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1135](https://togithub.com/codecov/codecov-action/pull/1135) - build(deps-dev): bump [@​vercel/ncc](https://togithub.com/vercel/ncc) from 0.38.0 to 0.38.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1136](https://togithub.com/codecov/codecov-action/pull/1136) - build(deps-dev): bump 
[@​types/jest](https://togithub.com/types/jest) from 29.5.5 to 29.5.6 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1137](https://togithub.com/codecov/codecov-action/pull/1137) - build(deps): bump github/codeql-action from 2.22.3 to 2.22.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1142](https://togithub.com/codecov/codecov-action/pull/1142) - build(deps): bump actions/checkout from 4.1.0 to 4.1.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1141](https://togithub.com/codecov/codecov-action/pull/1141) - build(deps-dev): bump eslint from 8.51.0 to 8.52.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1140](https://togithub.com/codecov/codecov-action/pull/1140) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.8.0 to 6.9.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1147](https://togithub.com/codecov/codecov-action/pull/1147) - build(deps-dev): bump [@​types/node](https://togithub.com/types/node) from 20.8.7 to 20.8.8 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1146](https://togithub.com/codecov/codecov-action/pull/1146) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.8.0 to 6.9.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1145](https://togithub.com/codecov/codecov-action/pull/1145) - chore(deps): move from node-fetch to undici by [@​thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1148](https://togithub.com/codecov/codecov-action/pull/1148) - build(deps): bump openpgp from 
5.10.2 to 5.11.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1149](https://togithub.com/codecov/codecov-action/pull/1149) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.9.0 to 6.9.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1155](https://togithub.com/codecov/codecov-action/pull/1155) - build(deps): bump github/codeql-action from 2.22.4 to 2.22.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1152](https://togithub.com/codecov/codecov-action/pull/1152) - build(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1151](https://togithub.com/codecov/codecov-action/pull/1151) - build(deps): bump undici from 5.26.5 to 5.27.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1150](https://togithub.com/codecov/codecov-action/pull/1150) - build(deps-dev): bump [@​types/jest](https://togithub.com/types/jest) from 29.5.6 to 29.5.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1153](https://togithub.com/codecov/codecov-action/pull/1153) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.9.0 to 6.9.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1154](https://togithub.com/codecov/codecov-action/pull/1154) - build(deps): bump undici from 5.27.0 to 5.27.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1157](https://togithub.com/codecov/codecov-action/pull/1157) - build(deps-dev): bump eslint from 8.52.0 to 8.53.0 by [@​dependabot](https://togithub.com/dependabot) in 
[https://github.com/codecov/codecov-action/pull/1156](https://togithub.com/codecov/codecov-action/pull/1156) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.9.1 to 6.10.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1159](https://togithub.com/codecov/codecov-action/pull/1159) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.9.1 to 6.10.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1158](https://togithub.com/codecov/codecov-action/pull/1158) - build(deps-dev): bump [@​types/jest](https://togithub.com/types/jest) from 29.5.7 to 29.5.8 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1161](https://togithub.com/codecov/codecov-action/pull/1161) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.10.0 to 6.11.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1164](https://togithub.com/codecov/codecov-action/pull/1164) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.10.0 to 6.11.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1163](https://togithub.com/codecov/codecov-action/pull/1163) - build(deps): bump github/codeql-action from 2.22.5 to 2.22.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1167](https://togithub.com/codecov/codecov-action/pull/1167) - build(deps-dev): bump eslint from 8.53.0 to 8.54.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1166](https://togithub.com/codecov/codecov-action/pull/1166) - build(deps-dev): bump 
[@​types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.9 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1172](https://togithub.com/codecov/codecov-action/pull/1172) - build(deps-dev): bump typescript from 5.2.2 to 5.3.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1171](https://togithub.com/codecov/codecov-action/pull/1171) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.11.0 to 6.12.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1170](https://togithub.com/codecov/codecov-action/pull/1170) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.11.0 to 6.12.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1169](https://togithub.com/codecov/codecov-action/pull/1169) - build(deps): bump github/codeql-action from 2.22.7 to 2.22.8 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1175](https://togithub.com/codecov/codecov-action/pull/1175) - build(deps): bump undici from 5.27.2 to 5.28.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1174](https://togithub.com/codecov/codecov-action/pull/1174) - build(deps-dev): bump [@​types/jest](https://togithub.com/types/jest) from 29.5.9 to 29.5.10 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1173](https://togithub.com/codecov/codecov-action/pull/1173) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.12.0 to 6.13.0 by [@​dependabot](https://togithub.com/dependabot) in 
[https://github.com/codecov/codecov-action/pull/1178](https://togithub.com/codecov/codecov-action/pull/1178) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.12.0 to 6.13.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1180](https://togithub.com/codecov/codecov-action/pull/1180) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.13.0 to 6.13.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1181](https://togithub.com/codecov/codecov-action/pull/1181) - build(deps): bump undici from 5.28.0 to 5.28.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1179](https://togithub.com/codecov/codecov-action/pull/1179) - build(deps-dev): bump eslint from 8.54.0 to 8.55.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1183](https://togithub.com/codecov/codecov-action/pull/1183) - build(deps): bump undici from 5.28.1 to 5.28.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1182](https://togithub.com/codecov/codecov-action/pull/1182) - build(deps-dev): bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.13.1 to 6.13.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1185](https://togithub.com/codecov/codecov-action/pull/1185) - build(deps-dev): bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.1 to 6.13.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1184](https://togithub.com/codecov/codecov-action/pull/1184) - build(deps-dev): bump [@​types/jest](https://togithub.com/types/jest) from 
29.5.10 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1187](https://togithub.com/codecov/codecov-action/pull/1187)
- build(deps): bump undici from 5.28.2 to 6.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1186](https://togithub.com/codecov/codecov-action/pull/1186)
- build(deps-dev): bump typescript from 5.3.2 to 5.3.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1189](https://togithub.com/codecov/codecov-action/pull/1189)
- build(deps): bump undici from 6.0.0 to 6.0.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1188](https://togithub.com/codecov/codecov-action/pull/1188)
- build(deps): bump github/codeql-action from 2.22.8 to 2.22.9 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1191](https://togithub.com/codecov/codecov-action/pull/1191)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.13.2 to 6.14.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1193](https://togithub.com/codecov/codecov-action/pull/1193)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.2 to 6.14.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1192](https://togithub.com/codecov/codecov-action/pull/1192)
- build(deps-dev): bump eslint from 8.55.0 to 8.56.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1194](https://togithub.com/codecov/codecov-action/pull/1194)
- build(deps): bump github/codeql-action from 2.22.9 to 3.22.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1195](https://togithub.com/codecov/codecov-action/pull/1195)
- build(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1196](https://togithub.com/codecov/codecov-action/pull/1196)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.14.0 to 6.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1198](https://togithub.com/codecov/codecov-action/pull/1198)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.14.0 to 6.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1197](https://togithub.com/codecov/codecov-action/pull/1197)
- build(deps): bump undici from 6.0.1 to 6.2.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1199](https://togithub.com/codecov/codecov-action/pull/1199)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.15.0 to 6.17.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1206](https://togithub.com/codecov/codecov-action/pull/1206)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.15.0 to 6.17.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1205](https://togithub.com/codecov/codecov-action/pull/1205)
- build(deps): bump undici from 6.2.0 to 6.2.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1201](https://togithub.com/codecov/codecov-action/pull/1201)
- build(deps): bump github/codeql-action from 3.22.11 to 3.22.12 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1200](https://togithub.com/codecov/codecov-action/pull/1200)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.17.0 to 6.18.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1208](https://togithub.com/codecov/codecov-action/pull/1208)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.17.0 to 6.18.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1207](https://togithub.com/codecov/codecov-action/pull/1207)
- build(deps): bump undici from 6.2.1 to 6.3.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1211](https://togithub.com/codecov/codecov-action/pull/1211)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.18.0 to 6.18.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1210](https://togithub.com/codecov/codecov-action/pull/1210)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.18.0 to 6.18.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1209](https://togithub.com/codecov/codecov-action/pull/1209)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.18.1 to 6.19.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1215](https://togithub.com/codecov/codecov-action/pull/1215)
- build(deps): bump github/codeql-action from 3.22.12 to 3.23.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1213](https://togithub.com/codecov/codecov-action/pull/1213)
- build(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1212](https://togithub.com/codecov/codecov-action/pull/1212)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.18.1 to 6.19.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1214](https://togithub.com/codecov/codecov-action/pull/1214)
- fix: downgrade undici as it has a breaking change by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1219](https://togithub.com/codecov/codecov-action/pull/1219)
- fix: remove openpgp dep due to licensing and use gpg by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1218](https://togithub.com/codecov/codecov-action/pull/1218)
- chore(ci): add fossa workflow by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1216](https://togithub.com/codecov/codecov-action/pull/1216)
- build(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1222](https://togithub.com/codecov/codecov-action/pull/1222)
- build(deps): bump github/codeql-action from 3.23.0 to 3.23.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1221](https://togithub.com/codecov/codecov-action/pull/1221)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.19.0 to 6.19.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1225](https://togithub.com/codecov/codecov-action/pull/1225)
- build(deps-dev): bump ts-jest from 29.1.1 to 29.1.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1224](https://togithub.com/codecov/codecov-action/pull/1224)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.19.0 to 6.19.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1223](https://togithub.com/codecov/codecov-action/pull/1223)
- build(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1232](https://togithub.com/codecov/codecov-action/pull/1232)
- build(deps): bump github/codeql-action from 3.23.1 to 3.23.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1231](https://togithub.com/codecov/codecov-action/pull/1231)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.19.1 to 6.20.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1235](https://togithub.com/codecov/codecov-action/pull/1235)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.19.1 to 6.20.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/codecov/codecov-action/pull/1234](https://togithub.com/codecov/codecov-action/pull/1234)
- chore(ci): bump to node20 by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1236](https://togithub.com/codecov/codecov-action/pull/1236)
- Update README.md by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1237](https://togithub.com/codecov/codecov-action/pull/1237)
- Update package.json by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1238](https://togithub.com/codecov/codecov-action/pull/1238)
- fix: allow for other archs by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1239](https://togithub.com/codecov/codecov-action/pull/1239)
- fix: update action.yml by [@thomasrockhu-codecov](https://togithub.com/thomasrockhu-codecov) in [https://github.com/codecov/codecov-action/pull/1240](https://togithub.com/codecov/codecov-action/pull/1240)

##### New Contributors

- [@dana-yaish](https://togithub.com/dana-yaish) made their first contribution in [https://github.com/codecov/codecov-action/pull/943](https://togithub.com/codecov/codecov-action/pull/943)

**Full Changelog**: https://github.com/codecov/codecov-action/compare/v3.1.6...v4.0.0

</details>

<details>
<summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary>

### [`v4.0.0`](https://togithub.com/golangci/golangci-lint-action/releases/tag/v4.0.0)

[Compare Source](https://togithub.com/golangci/golangci-lint-action/compare/v3.7.1...v4.0.0)

#### What's Changed

##### Documentation

- docs: update examples by [@KunalSin9h](https://togithub.com/KunalSin9h) in [https://github.com/golangci/golangci-lint-action/pull/826](https://togithub.com/golangci/golangci-lint-action/pull/826)
- docs: update section about GitHub Annotations by [@JustinDFuller](https://togithub.com/JustinDFuller) in [https://github.com/golangci/golangci-lint-action/pull/931](https://togithub.com/golangci/golangci-lint-action/pull/931)

##### Dependencies

- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.3.0 to 6.4.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/829](https://togithub.com/golangci/golangci-lint-action/pull/829)
- build(deps-dev): bump eslint-plugin-import from 2.28.0 to 2.28.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/830](https://togithub.com/golangci/golangci-lint-action/pull/830)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.5.0 to 20.5.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/827](https://togithub.com/golangci/golangci-lint-action/pull/827)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.3.0 to 6.4.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/831](https://togithub.com/golangci/golangci-lint-action/pull/831)
- build(deps-dev): bump prettier from 3.0.1 to 3.0.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/828](https://togithub.com/golangci/golangci-lint-action/pull/828)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.5.1 to 20.5.7 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/833](https://togithub.com/golangci/golangci-lint-action/pull/833)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.4.0 to 6.4.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/834](https://togithub.com/golangci/golangci-lint-action/pull/834)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.4.0 to 6.4.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/835](https://togithub.com/golangci/golangci-lint-action/pull/835)
- build(deps-dev): bump eslint from 8.47.0 to 8.48.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/837](https://togithub.com/golangci/golangci-lint-action/pull/837)
- build(deps-dev): bump typescript from 5.1.6 to 5.2.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/836](https://togithub.com/golangci/golangci-lint-action/pull/836)
- build(deps): bump [@types/semver](https://togithub.com/types/semver) from 7.5.0 to 7.5.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/838](https://togithub.com/golangci/golangci-lint-action/pull/838)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.4.1 to 6.5.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/839](https://togithub.com/golangci/golangci-lint-action/pull/839)
- build(deps-dev): bump prettier from 3.0.2 to 3.0.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/842](https://togithub.com/golangci/golangci-lint-action/pull/842)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.4.1 to 6.5.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/840](https://togithub.com/golangci/golangci-lint-action/pull/840)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.5.7 to 20.5.9 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/841](https://togithub.com/golangci/golangci-lint-action/pull/841)
- chore: bump to use node20 runtime, actions/checkout to v4 by [@chenrui333](https://togithub.com/chenrui333) in [https://github.com/golangci/golangci-lint-action/pull/843](https://togithub.com/golangci/golangci-lint-action/pull/843)
- build(deps): bump actions/checkout from 3 to 4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/845](https://togithub.com/golangci/golangci-lint-action/pull/845)
- build(deps-dev): bump eslint from 8.48.0 to 8.49.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/846](https://togithub.com/golangci/golangci-lint-action/pull/846)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.5.9 to 20.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/847](https://togithub.com/golangci/golangci-lint-action/pull/847)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.5.0 to 6.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/848](https://togithub.com/golangci/golangci-lint-action/pull/848)
- build(deps-dev): bump [@vercel/ncc](https://togithub.com/vercel/ncc) from 0.36.1 to 0.38.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/850](https://togithub.com/golangci/golangci-lint-action/pull/850)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.5.0 to 6.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/849](https://togithub.com/golangci/golangci-lint-action/pull/849)
- build(deps): bump [@types/semver](https://togithub.com/types/semver) from 7.5.1 to 7.5.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/853](https://togithub.com/golangci/golangci-lint-action/pull/853)
- build(deps): bump [@types/tmp](https://togithub.com/types/tmp) from 0.2.3 to 0.2.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/854](https://togithub.com/golangci/golangci-lint-action/pull/854)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.6.0 to 6.7.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/855](https://togithub.com/golangci/golangci-lint-action/pull/855)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.6.0 to 20.6.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/857](https://togithub.com/golangci/golangci-lint-action/pull/857)
- build(deps): bump [@actions/core](https://togithub.com/actions/core) from 1.10.0 to 1.10.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/856](https://togithub.com/golangci/golangci-lint-action/pull/856)
- build(deps-dev): bump eslint from 8.49.0 to 8.50.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/859](https://togithub.com/golangci/golangci-lint-action/pull/859)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.6.2 to 20.6.5 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/860](https://togithub.com/golangci/golangci-lint-action/pull/860)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.6.0 to 6.7.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/861](https://togithub.com/golangci/golangci-lint-action/pull/861)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.0 to 6.7.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/862](https://togithub.com/golangci/golangci-lint-action/pull/862)
- build(deps): bump [@types/semver](https://togithub.com/types/semver) from 7.5.2 to 7.5.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/864](https://togithub.com/golangci/golangci-lint-action/pull/864)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.2 to 6.7.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/865](https://togithub.com/golangci/golangci-lint-action/pull/865)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.6.5 to 20.8.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/867](https://togithub.com/golangci/golangci-lint-action/pull/867)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.7.2 to 6.7.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/866](https://togithub.com/golangci/golangci-lint-action/pull/866)
- build(deps-dev): bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.7.3 to 6.7.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/868](https://togithub.com/golangci/golangci-lint-action/pull/868)
- build(deps): bump [@types/node](https://togithub.com/types/node) from 20.8.0 to 20.8.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/869](https://togithub.com/golangci/golangci-lint-action/pull/869)
- build(deps-dev): bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.7.3 to 6.7.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/870](https://togithub.com/golangci/golangci-lint-action/pull/870)
- build(deps-dev): bump eslint from 8.50.0 to 8.51.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/golangci/gola

</details>
This PR contains the following updates:

| Package | Change |
|---|---|
| [github-pages](https://togithub.com/github/pages-gem) | `"~> 230"` -> `"~> 231"` |

---

### Release Notes

<details>
<summary>github/pages-gem (github-pages)</summary>

### [`v231`](https://togithub.com/github/pages-gem/releases/tag/v231)

[Compare Source](https://togithub.com/github/pages-gem/compare/v230...v231)

#### What's Changed

- Revert jekyll-relative-links to 0.6.1 and add a test by [@yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/910](https://togithub.com/github/pages-gem/pull/910)

**Full Changelog**: github/pages-gem@v230...v231

</details>
… requirements (#823) Maven original requirements are used to look up if the original requirement contains a property or not, so we don't need all original requirements but only the ones with properties.
This PR adds a simple Maven registry API client which sends requests to Maven Central Repository. For now, this client can only be used to fetch a Maven project. We are able to extend the client to fetch other data (versions, dependencies, etc.) in the future.
- Addresses issue #495.
- I'm happy to add tests for the `MaxSeverity` function if this is required for this issue.

---------

Signed-off-by: Omri Bornstein <[email protected]>
We've already got this duplicated in two places, and I have need for it in an upcoming PR and @robramsaynz should be using it in #797 so let's move this into `testutility`
Updated version of #397.

> this seems to be an upstream issue in go-git, and i'll prepare a PR for them soon, but for now this copies in the affected function and fixes it by checking the accumulated patterns while walking the fs looking for gitignore files
>
> fixes: #389

- is located github.com/**ackama**/osv-scanner, rather than github.com/**robotdana**/osv-scanner
- has tests
- has extra changes to handle #397 (comment) (handles mid-tree dirs, handles non-git dirs, handles recursive flag)

---------

Co-authored-by: Dana Sherson <[email protected]>
Co-authored-by: Rex P <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
…t` (#786) I was having a look at the openssf scorecard score as I've not really dug into that before, and saw it was flagging some unpinned actions. Most of them were about the `osv-scanner` action itself, which I don't think can be pinned since the point is to use the latest version for self testing, right? But we can pin `actions/download-artifact` and `actions/setup-go`, _though_ I'm pretty sure that isn't needed anymore because it was a workaround for github/codeql#13992 and we were just waiting on a new version? Either way we'll find out.
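As an added check (not part of this commit or the osv-scanner repository), a small POSIX shell script that reports the unpinned `uses:` steps the Scorecard Pinned-Dependencies check complains about, run over a constructed sample workflow; the 40-hex SHA in the sample is a made-up placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not code from the osv-scanner commit or repository: report `uses:` steps in a
# GitHub Actions workflow that are not pinned to a full 40-hex commit SHA, which is what the
# OpenSSF Scorecard Pinned-Dependencies check flags (the check that prompted this commit).
set -eu

# Constructed sample workflow (the SHA is a made-up placeholder, not a real actions/checkout commit).
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-go@v5
      - uses: actions/download-artifact@v4.1.1
      - uses: google/osv-scanner-action/osv-scanner-action@v1
      - uses: ./.github/actions/local-one
      - uses: docker://alpine:3.19
      - run: go test ./...
EOF
}

# Print "<line>:<uses value>" for every step whose ref is not a 40-hex commit SHA.
# Local actions (./path) and docker:// images are reported as well, since neither
# is a commit pin; narrow the filter if your policy accepts them.
unpinned_uses() {
  awk -v q="'" '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      val = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", val)
      sub(/[[:space:]]*#.*$/, "", val)        # drop a trailing "# v4.1.1" comment
      gsub(/"/, "", val); gsub(q, "", val)    # drop quotes around the value
      n = split(val, parts, "@")
      ref = (n > 1) ? parts[n] : ""
      if (length(ref) != 40 || ref !~ /^[0-9a-f]+$/) print NR ":" val
    }' "$1"
}

WORKFLOW="$(mktemp)"
write_sample_workflow "$WORKFLOW"
unpinned_uses "$WORKFLOW"   # prints the five unpinned steps, lines 8 to 12
rm -f "$WORKFLOW"
```

Run it against `.github/workflows/*.yml` instead of the sample file to get the same list Scorecard would flag for a real repository.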
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [deps.dev/api/v3alpha](https://togithub.com/google/deps.dev) | require | digest | `1729b62` -> `3ec708c` |
| [deps.dev/util/maven](https://togithub.com/google/deps.dev) | require | digest | `1729b62` -> `3ec708c` |
| [deps.dev/util/resolve](https://togithub.com/google/deps.dev) | require | digest | `1729b62` -> `3ec708c` |
| [deps.dev/util/semver](https://togithub.com/google/deps.dev) | require | digest | `1729b62` -> `3ec708c` |
| golang.org/x/exp | require | digest | `ec58324` -> `814bf88` |
| golang.org/x/mod | require | minor | `v0.15.0` -> `v0.16.0` |
| golang.org/x/term | require | minor | `v0.17.0` -> `v0.18.0` |
| [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | require | minor | `v1.61.1` -> `v1.62.0` |

---

### Release Notes

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.62.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.62.0): Release 1.62.0

[Compare Source](https://togithub.com/grpc/grpc-go/compare/v1.61.1...v1.62.0)

### New Features

- grpc: Add StaticMethod CallOption as a signal to stats handler that a method is safe to use as an instrument key ([#6986](https://togithub.com/grpc/grpc-go/issues/6986))

### Behavior Changes

- grpc: Return canonical target string from ClientConn.Target() and resolver.Address.String() ([#6923](https://togithub.com/grpc/grpc-go/issues/6923))

### Bug Fixes

- server: wait to close connection until incoming socket is drained (with timeout) to prevent data loss on client-side ([#6977](https://togithub.com/grpc/grpc-go/issues/6977))
  - Special Thanks: [@s-matyukevich](https://togithub.com/s-matyukevich) for discovering the root cause

### Performance Improvements

- \*: Allow building without `x/net/trace` by using `grpcnotrace` to enable dead code elimination ([#6954](https://togithub.com/grpc/grpc-go/issues/6954))
  - Special Thanks: [@hugelgupf](https://togithub.com/hugelgupf)
- rand: improve performance and simplify implementation of `grpcrand` by adopting `math/rand`'s top-level functions for go version 1.21.0 and newer. ([#6925](https://togithub.com/grpc/grpc-go/issues/6925))
  - Special Thanks: [@kmirzavaziri](https://togithub.com/kmirzavaziri)

### Dependencies

- \*: Use google.golang.org/protobuf/proto instead of github.com/golang/protobuf. ([#6919](https://togithub.com/grpc/grpc-go/issues/6919))
  - Special Thanks: [@Clement-Jean](https://togithub.com/Clement-Jean)

> \[!NOTE]
> The above change in proto library usage introduces a minor behavior change within those libraries. The old `github.com/golang/protobuf` library would error if given a `nil` message to `Marshal`, while the new `google.golang.org/protobuf` library will successfully output zero bytes in this case. This means server method handlers that did `return nil, nil` will now return an empty message and no error, while it used to return an error. This also affects the client side, where clients sending `nil` messages used to fail without sending the RPC, and now they will send an empty message.

</details>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMTIuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIxMi4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
When doing #832 I learned `t.Cleanup` is a thing, so let's use that instead here.
Link: https://michaelkedar.github.io/osv-scanner/experimental/guided-remediation/ Doc page for guided remediation. Will appreciate feedback if things aren't clear or if something's missing. #352
…840) Counting and grouping of vulnerabilities are different in `fix`. Document this. [preview link](https://michaelkedar.github.io/osv-scanner/experimental/guided-remediation/#known-issues)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | patch | `v4.1.1` -> `v4.1.4` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.24.5` -> `v3.24.6` |

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

### [`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4)

[Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4)

##### What's Changed

- Update [@​actions/artifact](https://togithub.com/actions/artifact) by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/307](https://togithub.com/actions/download-artifact/pull/307)

**Full Changelog**: actions/download-artifact@v4...v4.1.4

### [`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3)

[Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3)

##### What's Changed

- Update release-new-action-version.yml by [@​konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/download-artifact/pull/292](https://togithub.com/actions/download-artifact/pull/292)
- Update toolkit dependency with updated unzip logic by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)
- Update [@​actions/artifact](https://togithub.com/actions/artifact) by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/303](https://togithub.com/actions/download-artifact/pull/303)

##### New Contributors

- [@​bethanyj28](https://togithub.com/bethanyj28) made their first contribution in [https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)

**Full Changelog**: actions/download-artifact@v4...v4.1.3

### [`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2)

[Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2)

- Bump [@​actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
It was accidentally updated to 1.22.0 with renovatebot 2 weeks ago. We need a way to prevent this from happening.
Update dependencies to resolve vulnerability https://osv.dev/vulnerability/GO-2024-2611
This PR addresses #817 (comment). Package `relaxer` is renamed to `relax` and package `suggester` is renamed to `suggest`. The getter and options are also renamed to avoid duplicates in their names.
Replace stereoscope with using the lower-level go-containerregistry library directly. Stereoscope brings in a large list of dependencies to support functions that are not necessary for osv-scanner. This also gives us more low-level control of the extraction and scanning. It's possible to switch to a new fs.FS lockfile interface without too much work.
To release version 1.7.0

---------

Signed-off-by: Hayley Denbraver <[email protected]>
Co-authored-by: Hayley Denbraver <[email protected]>
Co-authored-by: josieang <[email protected]>
Co-authored-by: Giovanni Bozzano <[email protected]>
Co-authored-by: Rex P <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
Co-authored-by: Mend Renovate <[email protected]>
Co-authored-by: Jahan Chaware <[email protected]>
Co-authored-by: Holly Gong <[email protected]>
Co-authored-by: Rex P <[email protected]>
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.