Conversation
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash-es](https://github.com/lodash/lodash). Updates `lodash-es` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash-es dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm_and_yarn group with 1 update in the / directory: [webpack](https://github.com/webpack/webpack). Updates `webpack` from 5.97.1 to 5.105.3 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.97.1...v5.105.3) --- updated-dependencies: - dependency-name: webpack dependency-version: 5.105.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
Add a security policy document outlining supported versions and vulnerability reporting. Signed-off-by: KalCola <colacal43@gmail.com>
This workflow triggers APIsec scans for the project on push, pull request, or scheduled events, and uploads the results in SARIF format. Signed-off-by: KalCola <colacal43@gmail.com>
This workflow integrates EthicalCheck for automated API security testing, including steps for running tests and uploading results. Signed-off-by: KalCola <colacal43@gmail.com>
This workflow automates mobile security scanning using MobSF on pushes and pull requests to the main branch, as well as on a scheduled basis. Signed-off-by: KalCola <colacal43@gmail.com>
This workflow scans dependency manifest files for known vulnerabilities in pull requests and blocks merging if vulnerable packages are detected. Signed-off-by: KalCola <colacal43@gmail.com>
…rn-1516ec8d75 chore(deps): bump webpack from 5.97.1 to 5.105.3 in the npm_and_yarn group across 1 directory
Bumps the npm_and_yarn group with 1 update in the / directory: [qs](https://github.com/ljharb/qs). Updates `qs` from 6.13.0 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.13.0...v6.14.2) --- updated-dependencies: - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm_and_yarn group with 1 update in the / directory: [ajv](https://github.com/ajv-validator/ajv). Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: KalCola <colacal43@gmail.com>
…rn-14dc0ebc5a chore(deps): bump qs from 6.13.0 to 6.14.2 in the npm_and_yarn group across 1 directory
…rn-f1bf2b0a19 chore(deps): bump ajv from 6.12.6 to 6.14.0 in the npm_and_yarn group across 1 directory
…rn-ab4d8f00f8 chore(deps): bump lodash-es from 4.17.21 to 4.17.23 in the npm_and_yarn group across 1 directory
…pdates Bumps the npm_and_yarn group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) | `7.26.7` | `7.28.6` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.12` |
| [estree-util-value-to-estree](https://github.com/remcohaszing/estree-util-value-to-estree) | `3.3.2` | `3.5.0` |
| [qs](https://github.com/ljharb/qs) | `6.13.0` | `6.14.2` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) | `2.0.7` | `2.0.9` |
| [image-size](https://github.com/image-size/image-size) | `1.2.0` | `1.2.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [mdast-util-to-hast](https://github.com/syntax-tree/mdast-util-to-hast) | `13.2.0` | `13.2.1` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` |
| [on-headers](https://github.com/jshttp/on-headers) | `1.0.2` | `1.1.0` |
| [prismjs](https://github.com/PrismJS/prism) | `1.29.0` | `1.30.0` |

Updates `@babel/helpers` from 7.26.7 to 7.28.6
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.6/packages/babel-helpers)

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `estree-util-value-to-estree` from 3.3.2 to 3.5.0
- [Release notes](https://github.com/remcohaszing/estree-util-value-to-estree/releases)
- [Commits](remcohaszing/estree-util-value-to-estree@v3.3.2...v3.5.0)

Updates `qs` from 6.13.0 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.13.0...v6.14.2)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `http-proxy-middleware` from 2.0.7 to 2.0.9
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.9/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v2.0.7...v2.0.9)

Updates `image-size` from 1.2.0 to 1.2.1
- [Release notes](https://github.com/image-size/image-size/releases)
- [Commits](image-size/image-size@v1.2.0...v1.2.1)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `mdast-util-to-hast` from 13.2.0 to 13.2.1
- [Release notes](https://github.com/syntax-tree/mdast-util-to-hast/releases)
- [Commits](syntax-tree/mdast-util-to-hast@13.2.0...13.2.1)

Updates `node-forge` from 1.3.1 to 1.3.3
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.3)

Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `prismjs` from 1.29.0 to 1.30.0
- [Release notes](https://github.com/PrismJS/prism/releases)
- [Changelog](https://github.com/PrismJS/prism/blob/v2/CHANGELOG.md)
- [Commits](PrismJS/prism@v1.29.0...v1.30.0)

---
updated-dependencies:
- dependency-name: "@babel/helpers"
  dependency-version: 7.28.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: estree-util-value-to-estree
  dependency-version: 3.5.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-proxy-middleware
  dependency-version: 2.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: image-size
  dependency-version: 1.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mdast-util-to-hast
  dependency-version: 13.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: prismjs
  dependency-version: 1.30.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
…rn-4ae71e3962 chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: KalCola <colacal43@gmail.com>
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's foundational health by introducing a formal security policy and performing a large-scale update of its npm dependencies. The dependency refresh aims to leverage the latest features, bug fixes, and security patches from various libraries, thereby modernizing the codebase and mitigating risks associated with outdated packages. This ensures the project remains robust, secure, and aligned with current development standards.
Code Review
This pull request adds a SECURITY.md file and updates project dependencies. The new security policy file is a good addition, but it currently contains placeholder text from a template. It's important to fill this out with your project's specific details for supported versions and the vulnerability reporting process to ensure users and contributors have clear guidance.
| Use this section to tell people about which versions of your project are | ||
| currently being supported with security updates. | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 5.1.x | :white_check_mark: | | ||
| | 5.0.x | :x: | | ||
| | 4.0.x | :white_check_mark: | | ||
| | < 4.0 | :x: | |
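Review bot: the Supported Versions table in this hunk is the unedited GitHub template (5.1.x, 5.0.x, 4.0.x and < 4.0 with alternating check marks), and the two sentences above it ("Use this section to tell people about which versions...") are the template's instructions to the author, so the section says nothing about this repository's releases. Replace the rows with the versions the project actually maintains and delete the instructional sentences; if only the current line receives fixes, a single row such as `| main | :white_check_mark: |` is clearer than a version ladder the project never shipped.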
| Use this section to tell people how to report a vulnerability. | ||
|
|
||
| Tell them where to go, how often they can expect to get an update on a | ||
| reported vulnerability, what to expect if the vulnerability is accepted or | ||
| declined, etc. |
The 'Reporting a Vulnerability' section contains placeholder instructions. It's important to provide clear guidelines for users on how to report security vulnerabilities. Please replace the placeholder text with your project's specific reporting process, including contact details, expected response timelines, and what to expect after a report is made.
This workflow sets up a CI process for Node.js applications, including installation of dependencies, building the code, and running tests across multiple Node.js versions. Signed-off-by: KalCola <colacal43@gmail.com>
Signed-off-by: KalCola <colacal43@gmail.com>
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: KalCola <colacal43@gmail.com>
Signed-off-by: KalCola <colacal43@gmail.com>
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: KalCola <colacal43@gmail.com>
Signed-off-by: KalCola <colacal43@gmail.com>
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| - run: npm ci | ||
| - run: npm test | ||
|
|
||
| publish-gpr: |
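Review bot: the `build` job in this hunk has no `permissions:` key, so its GITHUB_TOKEN keeps the repository default scope, and both `uses:` steps reference `actions/checkout@v4` and `actions/setup-node@v4`, which are mutable tags that whoever controls those tags can repoint. Since the job only checks out, runs `npm ci` and `npm test`, add `permissions: contents: read` under `runs-on: ubuntu-latest`, and pin each action to a full commit SHA with the tag kept in a trailing comment so the intended version stays readable.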
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix AI, about 14 hours ago
In general, the fix is to define an explicit `permissions` block that restricts the `GITHUB_TOKEN` for the `build` job (or globally at the workflow root) to the minimal privileges needed. Since `build` only checks out the code, sets up Node, installs dependencies, and runs tests, it should only require read access to the repository contents.
The safest, least-invasive fix that preserves current behavior is to add `permissions: contents: read` specifically to the `build` job. This mirrors the minimal starting point suggested by CodeQL, avoids altering the already-correct permissions on the `publish-gpr` job, and does not change any steps or their behavior. Concretely, in `.github/workflows/npm-publish-github-packages.yml`, under `jobs.build` and alongside `runs-on: ubuntu-latest`, add a `permissions` block with `contents: read`.
No new methods, imports, or external definitions are required, as this is purely a YAML workflow configuration change.
| @@ -10,6 +10,8 @@ | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 |
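Review bot: the `permissions: contents: read` added in this hunk is scoped to `jobs.build` only, so any job added to this workflow later starts out with the repository default token scope again and will trip the same CodeQL rule. Declaring `permissions: contents: read` once at the workflow root, while keeping the existing job-level block on `publish-gpr` for the extra scopes it needs, makes read-only the default and the publishing job the explicit exception; the two `uses:` lines in the context are still tag references (`@v4`) and would benefit from SHA pinning in the same change.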
Signed-off-by: KalCola <colacal43@gmail.com>
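The CodeQL rule and the Copilot autofix above can be reproduced as a small pre-merge check. The following Python is an added example, not code from this project or from GitHub's tooling: it takes a workflow in the dict shape that `yaml.safe_load` returns, reports jobs that neither set nor inherit a `permissions` block, reports `uses:` references not pinned to a full commit SHA, and applies the same per-job `contents: read` fix. The sample workflow is constructed to mirror the job layout in the alert; the steps and scopes of `publish-gpr` are assumed, since the page only says its permissions are already correct.

```python
import copy
import re

# Constructed sample mirroring the workflow in the CodeQL alert above. The build
# job has no permissions block; publish-gpr's steps and scopes are assumed (the
# page only states that its permissions are already correct).
SAMPLE_WORKFLOW = {
    "name": "Node.js Package",
    "on": {"release": {"types": ["created"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "actions/setup-node@v4", "with": {"node-version": 20}},
                {"run": "npm ci"},
                {"run": "npm test"},
            ],
        },
        "publish-gpr": {  # assumed contents
            "needs": "build",
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read", "packages": "write"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "actions/setup-node@v4",
                 "with": {"node-version": 20, "registry-url": "https://npm.pkg.github.com/"}},
                {"run": "npm ci"},
                {"run": "npm publish", "env": {"NODE_AUTH_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}},
            ],
        },
    },
}

# An action reference is immutable only when it names a full 40-hex-digit commit SHA.
SHA_PINNED = re.compile(r"^[^@]+@[0-9a-f]{40}$")


def jobs_without_permissions(workflow):
    """Job ids whose GITHUB_TOKEN keeps the repository default scope.

    A workflow-level `permissions` key applies to every job, so nothing is
    reported in that case; otherwise each job must restrict the token itself.
    This is the condition behind CodeQL's "Workflow does not contain
    permissions" warning.
    """
    if "permissions" in workflow:
        return []
    return [job_id for job_id, job in workflow.get("jobs", {}).items()
            if "permissions" not in job]


def unpinned_actions(workflow):
    """(job id, uses) pairs that reference an action by tag or branch.

    Local actions (./path) and container actions (docker://) carry no git ref
    to pin and are skipped.
    """
    findings = []
    for job_id, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses")
            if uses is None or uses.startswith(("./", "docker://")):
                continue
            if not SHA_PINNED.match(uses):
                findings.append((job_id, uses))
    return findings


def apply_least_privilege(workflow):
    """Copy of the workflow with `contents: read` on every job lacking a block.

    Mirrors the autofix: the input is left untouched and jobs that already
    declare permissions keep them.
    """
    fixed = copy.deepcopy(workflow)
    for job_id in jobs_without_permissions(workflow):
        fixed["jobs"][job_id]["permissions"] = {"contents": "read"}
    return fixed


def lint(workflow):
    """Human-readable findings for one parsed workflow."""
    messages = [f"job '{j}' has no permissions block"
                for j in jobs_without_permissions(workflow)]
    messages += [f"job '{j}' uses {u} (not pinned to a commit SHA)"
                 for j, u in unpinned_actions(workflow)]
    return messages


if __name__ == "__main__":
    for message in lint(SAMPLE_WORKFLOW):
        print(message)
    print("after fix:", lint(apply_least_privilege(SAMPLE_WORKFLOW)))
```

With PyYAML installed, `yaml.safe_load(open(".github/workflows/npm-publish-github-packages.yml"))` produces the same dict shape; PyYAML reads the bare `on` key as the boolean `True`, which does not affect these checks. The permission check deliberately stops at presence of the block: a job that declares `permissions: write-all` passes it, so a stricter version would also compare the declared scopes against an allow-list.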
No description provided.