Skip to content

⬆️ Updates semantic-release to v19 [SECURITY]#489

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-semantic-release-vulnerability
Open

⬆️ Updates semantic-release to v19 [SECURITY]#489
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-semantic-release-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 28, 2023

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
semantic-release 17.4.219.0.3 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Exposure of Sensitive Information to an Unauthorized Actor in semantic-release

CVE-2022-31051 / GHSA-x2pg-mjhr-2m5x

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials.

Patches

Has the problem been patched? What versions should users upgrade to?

Fixed in 19.0.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

semantic-release/semantic-release (semantic-release)

v19.0.3

Compare Source

Bug Fixes
  • log-repo: use the original form of the repo url to remove the need to mask credentials (#​2459) (58a226f), closes #​2449

v19.0.2

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the stable version (0eca144)

v19.0.1

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the latest beta version (8097afb)

v19.0.0

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the beta, which upgrades npm to v8 (f634b8c)
  • upgrade marked to resolve ReDos vulnerability (#​2330) (d9e5bc0)
BREAKING CHANGES
  • npm-plugin: @semantic-release/npm has also dropped support for node v15
  • node v15 has been removed from our defined supported versions of node. this was done to upgrade to compatible versions of marked and marked-terminal that resolved the ReDoS vulnerability. removal of support of this node version should be low since it was not an LTS version and has been EOL for several months already.

v18.0.1

Compare Source

Bug Fixes

v18.0.0

Compare Source

This is a maintenance release. An increasing amount of dependencies required a node version higher than the Node 10 version supported by semantic-release@17. We decided to go straight to a recent Node LTS version because the release build is usually independent of others, requiring a higher node version is less disruptive to users, but helps us reduce the maintenance overhead.

If you use GitHub Actions and need to bump the node version set up by actions/node-setup, you can use octoherd-script-bump-node-version-in-workflows

BREAKING CHANGES

node-version: the minimum required version of node is now v14.17

v17.4.7

Compare Source

Bug Fixes
  • engines: fixed defined node version to account for the higher requirement from the npm plugin (#​2088) (ea52e17)

v17.4.6

Compare Source

Bug Fixes

v17.4.5

Compare Source

Bug Fixes
  • deps: update dependency marked to v3 (6e4beb8)

v17.4.4

Compare Source

Bug Fixes

v17.4.3

Compare Source

Bug Fixes
  • bump minimal version of lodash to address CVE-2021-23337 (#​1931) (55194c1)

Configuration

📅 Schedule: (in timezone Europe/Moscow)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@changelogg

changelogg Bot commented May 28, 2023

Copy link
Copy Markdown

Hey! Changelogs info seems to be missing or might be in incorrect format.
Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
- tag: changelog_text
OR
You can add tag in PR header or while doing a commit too
(tag) PR header
or
tag: PR header
Valid tags: added / feat, changed, deprecated, fixed / fix, removed, security, build, ci, chore, docs, perf, refactor, revert, style, test
Thanks!
For more info, check out changelogg docs

@viezly

viezly Bot commented May 28, 2023

Copy link
Copy Markdown

Pull request by bot. No need to analyze

@auto-assign
auto-assign Bot requested a review from AlexRogalskiy May 28, 2023 21:49
@socket-security

socket-security Bot commented May 28, 2023

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @pnpm/network.ca-file is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/semantic-release@19.0.3npm/@pnpm/network.ca-file@1.0.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pnpm/network.ca-file@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions

Copy link
Copy Markdown

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

@github-actions

Copy link
Copy Markdown

Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.

@github-actions

Copy link
Copy Markdown

Hello from PR Helper

Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.

If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Summary

Tool Critical High Medium Low Status
Dependency Scan (universal) 2 20 5 0
Security Audit for Infrastructure 0 0 0 3

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 78a107d to 5f2c3ec Compare January 24, 2025 11:34
@socket-security

socket-security Bot commented Jan 24, 2025

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedsemantic-release@​17.4.2 ⏵ 19.0.397 +1100 +210095 +5100

View full report

@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 5f2c3ec to 37b290b Compare March 5, 2025 23:58

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Summary

Tool Critical High Medium Low Status
Dependency Scan (universal) 2 21 5 0
Security Audit for Infrastructure 0 0 0 3

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 37b290b to 7a17e6e Compare May 24, 2025 03:53
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 7a17e6e to 0827340 Compare August 11, 2025 19:59
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 0827340 to ce5f331 Compare August 23, 2025 07:14

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Summary

Tool Critical High Medium Low Status
Security Audit for Infrastructure 0 0 0 3

Recommendation

Looks good ✔️

@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from ce5f331 to f848b4b Compare September 27, 2025 02:55
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from f848b4b to 947a2ec Compare January 1, 2026 00:53
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 947a2ec to 8980338 Compare January 20, 2026 07:36
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 8980338 to 4c553ba Compare March 8, 2026 09:21
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 4c553ba to 886823a Compare April 30, 2026 08:09
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 886823a to f3edf1b Compare May 13, 2026 03:36
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from f3edf1b to 14ee6a7 Compare May 30, 2026 23:41
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 14ee6a7 to 50eb04d Compare June 12, 2026 23:40
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
renovate Bot force-pushed the renovate/npm-semantic-release-vulnerability branch from 50eb04d to e836e49 Compare July 16, 2026 12:14
@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @pnpm/network.ca-file is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/semantic-release@19.0.3npm/@pnpm/network.ca-file@1.0.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pnpm/network.ca-file@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants