From 8286ea009517904985fa430d0985c4c1d4c3f5bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Oct 2022 06:37:33 +0000 Subject: [PATCH 01/50] chore: bump @npmcli/template-oss from 4.4.4 to 4.5.1 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.4.4 to 4.5.1. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.4.4...v4.5.1) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 72d3f66e..b1ff4a0c 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^3.0.1", - "@npmcli/template-oss": "4.4.4", + "@npmcli/template-oss": "4.5.1", "tap": "^16.0.0" }, "license": "ISC", From a7b8722674e2eedfd89960b4155ffddd6a20ee21 Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Mon, 10 Oct 2022 11:36:55 -0700 Subject: [PATCH 02/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/post-dependabot.yml | 2 +- .github/workflows/release.yml | 3 ++- package.json | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index e854e127..88ac4035 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -19,7 +19,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - ref: ${{ github.ref_name }} + ref: ${{ github.event.pull_request.head.ref }} - name: Setup Git User run: | git config --global user.email "npm-cli+bot@github.com" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 01a8d6a9..1ed38659 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -132,7 +132,8 @@ jobs: RELEASE_COMMENT_ID: ${{ needs.release.outputs.comment-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npm run rp-pull-request --ignore-scripts -ws -iwr --if-present + npm exec --offline -- template-oss-release-manager + npm run rp-pull-request --ignore-scripts --if-present - name: Commit id: commit env: diff --git a/package.json b/package.json index b1ff4a0c..392f4960 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.4.4", + "version": "4.5.1", "engines": ">=10", "content": "./scripts", "ciVersions": [ From 9f691f206203b6a1c81a628571a5a39ca5b23c23 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Oct 2022 06:44:20 +0000 Subject: [PATCH 03/50] chore: bump @npmcli/eslint-config from 3.1.0 to 4.0.0 Bumps [@npmcli/eslint-config](https://github.com/npm/eslint-config) from 3.1.0 to 4.0.0. - [Release notes](https://github.com/npm/eslint-config/releases) - [Changelog](https://github.com/npm/eslint-config/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/eslint-config/compare/v3.1.0...v4.0.0) --- updated-dependencies: - dependency-name: "@npmcli/eslint-config" dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 392f4960..79bd8c02 100644 --- a/package.json +++ b/package.json @@ -13,7 +13,7 @@ "template-oss-apply": "template-oss-apply --force" }, "devDependencies": { - "@npmcli/eslint-config": "^3.0.1", + "@npmcli/eslint-config": "^4.0.0", "@npmcli/template-oss": "4.5.1", "tap": "^16.0.0" }, From 2182b6881f1fb7003ff04bd969faf153ffdfaedd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Oct 2022 06:28:40 +0000 Subject: [PATCH 04/50] chore: bump @npmcli/template-oss from 4.5.1 to 4.6.1 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.5.1 to 4.6.1. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.5.1...v4.6.1) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 79bd8c02..0912d82f 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.5.1", + "@npmcli/template-oss": "4.6.1", "tap": "^16.0.0" }, "license": "ISC", From 08a3d835115fe026530af3aff10fb01d23520d8a Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Mon, 17 Oct 2022 14:06:23 -0700 Subject: [PATCH 05/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/ci-release.yml | 80 +++++++++++++++++++---- .github/workflows/post-dependabot.yml | 4 +- .github/workflows/release.yml | 93 ++++++++++++++++++++++----- package.json | 2 +- 4 files changed, 149 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index ccd68e1e..225d1c9a 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -21,6 +21,39 @@ jobs: run: shell: bash steps: + - name: Get Workflow Job + uses: actions/github-script@v6 + + id: check-output + env: + JOB_NAME: "Lint All" + MATRIX_NAME: "" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check @@ -30,12 +63,7 @@ jobs: status: in_progress name: Lint All sha: ${{ inputs.check-sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} - name: Checkout uses: actions/checkout@v3 with: @@ -94,6 +122,39 @@ jobs: run: shell: ${{ matrix.platform.shell }} steps: + - name: Get Workflow Job + uses: actions/github-script@v6 + + id: check-output + env: + JOB_NAME: "Test All" + MATRIX_NAME: " - ${{ matrix.platform.name }} - ${{ matrix.node-version }}" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check @@ -103,12 +164,7 @@ jobs: status: in_progress name: Test All - ${{ matrix.platform.name }} - ${{ matrix.node-version }} sha: ${{ inputs.check-sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} - name: Checkout uses: actions/checkout@v3 with: diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index 88ac4035..43938591 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -66,7 +66,7 @@ jobs: # This only sets the conventional commit prefix. This workflow can't reliably determine # what the breaking change is though. If a BREAKING CHANGE message is required then # this PR check will fail and the commit will be amended with stafftools - if [[ "${{ steps.dependabot-metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then + if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then prefix='feat!' else prefix='chore!' @@ -90,7 +90,7 @@ jobs: # and attempt to commit and push again. This is helpful because we will have a commit # with the correct prefix that we can then --amend with @npmcli/stafftools later. - name: Push All Changes Except Workflows - if: steps.apply.outputs.changes && steps.push-all.outcome == 'failure' + if: steps.apply.outputs.changes && steps.push.outcome == 'failure' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ed38659..2f7dee08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,7 @@ name: Release on: + workflow_dispatch: push: branches: - main @@ -51,17 +52,19 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npx --offline template-oss-release-please ${{ github.ref_name }} + npx --offline template-oss-release-please ${{ github.ref_name }} ${{ github.event_name }} - name: Post Pull Request Comment if: steps.release.outputs.pr-number uses: actions/github-script@v6 id: pr-comment env: PR_NUMBER: ${{ steps.release.outputs.pr-number }} + REF_NAME: ${{ github.ref_name }} with: script: | + const { REF_NAME, PR_NUMBER } = process.env const repo = { owner: context.repo.owner, repo: context.repo.repo } - const issue = { ...repo, issue_number: process.env.PR_NUMBER } + const issue = { ...repo, issue_number: PR_NUMBER } const { data: workflow } = await github.rest.actions.getWorkflowRun({ ...repo, run_id: context.runId }) @@ -70,7 +73,11 @@ jobs: const comments = await github.paginate(github.rest.issues.listComments, issue) let commentId = comments?.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id - body += `- Release workflow run: ${workflow.html_url}` + body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Rerun for This Release\n\n` + body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. ` + body += `To force CI to rerun, run this command:\n\n` + body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME}\n\`\`\`` + if (commentId) { await github.rest.issues.updateComment({ ...repo, comment_id: commentId, body }) } else { @@ -79,6 +86,39 @@ jobs: } return commentId + - name: Get Workflow Job + uses: actions/github-script@v6 + if: steps.release.outputs.pr-number + id: check-output + env: + JOB_NAME: "Release" + MATRIX_NAME: "" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ steps.release.outputs.pr-sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check @@ -88,12 +128,7 @@ jobs: status: in_progress name: Release sha: ${{ steps.release.outputs.pr-sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} update: needs: release @@ -142,6 +177,39 @@ jobs: git commit --all --amend --no-edit || true git push --force-with-lease echo "::set-output name=sha::$(git rev-parse HEAD)" + - name: Get Workflow Job + uses: actions/github-script@v6 + + id: check-output + env: + JOB_NAME: "Update - Release" + MATRIX_NAME: "" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ steps.commit.outputs.sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check @@ -151,12 +219,7 @@ jobs: status: in_progress name: Release sha: ${{ steps.commit.outputs.sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 if: always() diff --git a/package.json b/package.json index 0912d82f..3a149fc7 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.5.1", + "version": "4.6.1", "engines": ">=10", "content": "./scripts", "ciVersions": [ From ef19620582c9376c676e178143ab8cbee74695eb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Oct 2022 06:28:23 +0000 Subject: [PATCH 06/50] chore: bump @npmcli/template-oss from 4.6.1 to 4.6.2 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.6.1 to 4.6.2. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.6.1...v4.6.2) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3a149fc7..4eaac97a 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.6.1", + "@npmcli/template-oss": "4.6.2", "tap": "^16.0.0" }, "license": "ISC", From eb965f28c02585b60dbf88d138767c59c5f134bf Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Wed, 19 Oct 2022 00:26:34 -0700 Subject: [PATCH 07/50] chore: postinstall for dependabot template-oss PR --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 4eaac97a..00715076 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.6.1", + "version": "4.6.2", "engines": ">=10", "content": "./scripts", "ciVersions": [ From b302267201f064c3ab8708d57b8bcd6d103903e5 Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Wed, 19 Oct 2022 01:50:40 -0700 Subject: [PATCH 08/50] chore: remove unnecessary template-oss config --- package.json | 1 - scripts/_step-test.yml | 4 ---- 2 files changed, 5 deletions(-) delete mode 100644 scripts/_step-test.yml diff --git a/package.json b/package.json index 00715076..5e3f90de 100644 --- a/package.json +++ b/package.json @@ -55,7 +55,6 @@ "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", "version": "4.6.2", "engines": ">=10", - "content": "./scripts", "ciVersions": [ "10.0.0", "10.x", diff --git a/scripts/_step-test.yml b/scripts/_step-test.yml deleted file mode 100644 index 5b7131bc..00000000 --- a/scripts/_step-test.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Add Problem Matcher - run: echo "::add-matcher::.github/matchers/tap.json" -- name: Test - run: {{ rootNpmPath }} test --ignore-scripts From b6a487c1295158d4124ba91428656b89bf1400f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Oct 2022 06:53:30 +0000 Subject: [PATCH 09/50] chore: bump @npmcli/template-oss from 4.6.2 to 4.7.1 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.6.2 to 4.7.1. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.6.2...v4.7.1) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5e3f90de..66a6b728 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.6.2", + "@npmcli/template-oss": "4.7.1", "tap": "^16.0.0" }, "license": "ISC", From e3ce242ceb3b5a42e1a1efb8e0c60951832bda5a Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Wed, 26 Oct 2022 20:06:32 -0700 Subject: [PATCH 10/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/ci-release.yml | 18 ++++++++++++------ .github/workflows/post-dependabot.yml | 2 +- .github/workflows/release.yml | 13 +++++++------ package.json | 2 +- 4 files changed, 21 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 225d1c9a..52c686cd 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -3,6 +3,12 @@ name: CI - Release on: + workflow_dispatch: + inputs: + ref: + required: true + type: string + default: main workflow_call: inputs: ref: @@ -23,7 +29,7 @@ jobs: steps: - name: Get Workflow Job uses: actions/github-script@v6 - + if: inputs.check-sha id: check-output env: JOB_NAME: "Lint All" @@ -57,7 +63,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - + if: inputs.check-sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -88,7 +94,7 @@ jobs: run: npm run postlint --ignore-scripts - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: steps.check.outputs.check_id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ job.status }} @@ -124,7 +130,7 @@ jobs: steps: - name: Get Workflow Job uses: actions/github-script@v6 - + if: inputs.check-sha id: check-output env: JOB_NAME: "Test All" @@ -158,7 +164,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - + if: inputs.check-sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -203,7 +209,7 @@ jobs: run: npm test --ignore-scripts - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: steps.check.outputs.check_id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ job.status }} diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index 43938591..19902bdc 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -69,7 +69,7 @@ jobs: if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then prefix='feat!' else - prefix='chore!' + prefix='chore' fi echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f7dee08..15d37cb6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,7 @@ on: branches: - main - latest + - release/v* permissions: contents: write @@ -88,7 +89,7 @@ jobs: return commentId - name: Get Workflow Job uses: actions/github-script@v6 - if: steps.release.outputs.pr-number + if: steps.release.outputs.pr-sha id: check-output env: JOB_NAME: "Release" @@ -122,7 +123,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - if: steps.release.outputs.pr-number + if: steps.release.outputs.pr-sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -179,7 +180,7 @@ jobs: echo "::set-output name=sha::$(git rev-parse HEAD)" - name: Get Workflow Job uses: actions/github-script@v6 - + if: steps.commit.outputs.sha id: check-output env: JOB_NAME: "Update - Release" @@ -213,7 +214,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - + if: steps.commit.outputs.sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -222,7 +223,7 @@ jobs: output: ${{ steps.check-output.outputs.result }} - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: needs.release.outputs.check-id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ job.status }} @@ -260,7 +261,7 @@ jobs: echo "::set-output name=result::$result" - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: needs.update.outputs.check-id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ steps.needs-result.outputs.result }} diff --git a/package.json b/package.json index 66a6b728..1f3e388b 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.6.2", + "version": "4.7.1", "engines": ">=10", "ciVersions": [ "10.0.0", From 09dc51c11e9837ccf4b97e7d63febbef203fd19f Mon Sep 17 00:00:00 2001 From: bluelovers Date: Fri, 28 Oct 2022 01:13:11 +0800 Subject: [PATCH 11/50] chore(fixtures): remove duplicate lines (#390) --- test/fixtures/range-exclude.js | 1 - test/fixtures/range-include.js | 1 - test/fixtures/range-parse.js | 11 ----------- test/fixtures/version-gt-range.js | 5 ----- test/fixtures/version-lt-range.js | 7 ------- test/fixtures/version-not-gt-range.js | 2 -- test/fixtures/version-not-lt-range.js | 2 -- 7 files changed, 29 deletions(-) diff --git a/test/fixtures/range-exclude.js b/test/fixtures/range-exclude.js index 9e829445..4b6c5631 100644 --- a/test/fixtures/range-exclude.js +++ b/test/fixtures/range-exclude.js @@ -80,7 +80,6 @@ module.exports = [ ['^1.0.0', '1.0.0-rc1', { includePrerelease: true }], ['^1.0.0', '2.0.0-rc1', { includePrerelease: true }], ['^1.2.3-rc2', '2.0.0', { includePrerelease: true }], - ['^1.0.0', '2.0.0-rc1', { includePrerelease: true }], ['^1.0.0', '2.0.0-rc1'], ['1 - 2', '3.0.0-pre', { includePrerelease: true }], diff --git a/test/fixtures/range-include.js b/test/fixtures/range-include.js index da20f6ce..cdb7034b 100644 --- a/test/fixtures/range-include.js +++ b/test/fixtures/range-include.js @@ -84,7 +84,6 @@ module.exports = [ ['~1.2.1 1.2.3', '1.2.3'], ['~1.2.1 >=1.2.3 1.2.3', '1.2.3'], ['~1.2.1 1.2.3 >=1.2.3', '1.2.3'], - ['~1.2.1 1.2.3', '1.2.3'], ['>=1.2.1 1.2.3', '1.2.3'], ['1.2.3 >=1.2.1', '1.2.3'], ['>=1.2.3 >=1.2.1', '1.2.3'], diff --git a/test/fixtures/range-parse.js b/test/fixtures/range-parse.js index 83adaff8..dcafc6b5 100644 --- a/test/fixtures/range-parse.js +++ b/test/fixtures/range-parse.js @@ -14,14 +14,10 @@ module.exports = [ ['>=*', '*'], ['', '*'], ['*', '*'], - ['*', '*'], ['>=1.0.0', '>=1.0.0'], ['>1.0.0', '>1.0.0'], ['<=2.0.0', '<=2.0.0'], ['1', '>=1.0.0 <2.0.0-0'], - ['<=2.0.0', '<=2.0.0'], - ['<=2.0.0', '<=2.0.0'], - ['<2.0.0', '<2.0.0'], ['<2.0.0', '<2.0.0'], ['>= 1.0.0', '>=1.0.0'], ['>= 1.0.0', '>=1.0.0'], @@ -34,25 +30,19 @@ module.exports = [ ['< 2.0.0', '<2.0.0'], ['<\t2.0.0', '<2.0.0'], ['>=0.1.97', '>=0.1.97'], - ['>=0.1.97', '>=0.1.97'], ['0.1.20 || 1.2.4', '0.1.20||1.2.4'], ['>=0.2.3 || <0.0.1', '>=0.2.3||<0.0.1'], - ['>=0.2.3 || <0.0.1', '>=0.2.3||<0.0.1'], - ['>=0.2.3 || <0.0.1', '>=0.2.3||<0.0.1'], ['||', '*'], ['2.x.x', '>=2.0.0 <3.0.0-0'], ['1.2.x', '>=1.2.0 <1.3.0-0'], ['1.2.x || 2.x', '>=1.2.0 <1.3.0-0||>=2.0.0 <3.0.0-0'], - ['1.2.x || 2.x', '>=1.2.0 <1.3.0-0||>=2.0.0 <3.0.0-0'], ['x', '*'], ['2.*.*', '>=2.0.0 <3.0.0-0'], ['1.2.*', '>=1.2.0 <1.3.0-0'], ['1.2.* || 2.*', '>=1.2.0 <1.3.0-0||>=2.0.0 <3.0.0-0'], - ['*', '*'], ['2', '>=2.0.0 <3.0.0-0'], ['2.3', '>=2.3.0 <2.4.0-0'], ['~2.4', '>=2.4.0 <2.5.0-0'], - ['~2.4', '>=2.4.0 <2.5.0-0'], ['~>3.2.1', '>=3.2.1 <3.3.0-0'], ['~1', '>=1.0.0 <2.0.0-0'], ['~>1', '>=1.0.0 <2.0.0-0'], @@ -75,7 +65,6 @@ module.exports = [ ['>= 1', '>=1.0.0'], ['<1.2', '<1.2.0-0'], ['< 1.2', '<1.2.0-0'], - ['1', '>=1.0.0 <2.0.0-0'], ['>01.02.03', '>1.2.3', true], ['>01.02.03', null], ['~1.2.3beta', '>=1.2.3-beta <1.3.0-0', { loose: true }], diff --git a/test/fixtures/version-gt-range.js b/test/fixtures/version-gt-range.js index c30055e0..51049924 100644 --- a/test/fixtures/version-gt-range.js +++ b/test/fixtures/version-gt-range.js @@ -34,7 +34,6 @@ module.exports = [ ['=0.7.x', '0.8.0'], ['=0.7.x', '0.8.0-asdf'], ['<0.7.x', '0.7.0'], - ['~1.2.2', '1.3.0'], ['1.0.0 - 2.0.0', '2.2.3'], ['1.0.0', '1.0.1'], ['<=2.0.0', '3.0.0'], @@ -46,17 +45,13 @@ module.exports = [ ['1.2.x', '1.3.3'], ['1.2.x || 2.x', '3.1.3'], ['2.*.*', '3.1.3'], - ['1.2.*', '1.3.3'], ['1.2.* || 2.*', '3.1.3'], ['2', '3.1.2'], ['2.3', '2.4.1'], - ['~2.4', '2.5.0'], // >=2.4.0 <2.5.0 ['~>3.2.1', '3.3.2'], // >=3.2.1 <3.3.0 - ['~1', '2.2.3'], // >=1.0.0 <2.0.0 ['~>1', '2.2.3'], ['~1.0', '1.1.0'], // >=1.0.0 <1.1.0 ['<1', '1.0.0'], - ['1', '2.0.0beta', true], ['<1', '1.0.0beta', true], ['< 1', '1.0.0beta', true], ['=0.7.x', '0.8.2'], diff --git a/test/fixtures/version-lt-range.js b/test/fixtures/version-lt-range.js index 5482dbf2..55fe5c17 100644 --- a/test/fixtures/version-lt-range.js +++ b/test/fixtures/version-lt-range.js @@ -30,29 +30,22 @@ module.exports = [ ['> 1.2', '1.2.1'], ['1', '0.0.0beta', true], ['~v0.5.4-pre', '0.5.4-alpha'], - ['~v0.5.4-pre', '0.5.4-alpha'], ['=0.7.x', '0.6.0'], ['=0.7.x', '0.6.0-asdf'], ['>=0.7.x', '0.6.0'], - ['~1.2.2', '1.2.1'], ['1.0.0 - 2.0.0', '0.2.3'], ['1.0.0', '0.0.1'], ['>=2.0.0', '1.0.0'], ['>=2.0.0', '1.9999.9999'], - ['>=2.0.0', '1.2.9'], - ['>2.0.0', '2.0.0'], ['>2.0.0', '1.2.9'], ['2.x.x', '1.1.3'], ['1.2.x', '1.1.3'], ['1.2.x || 2.x', '1.1.3'], ['2.*.*', '1.1.3'], - ['1.2.*', '1.1.3'], ['1.2.* || 2.*', '1.1.3'], ['2', '1.9999.9999'], ['2.3', '2.2.1'], - ['~2.4', '2.3.0'], // >=2.4.0 <2.5.0 ['~>3.2.1', '2.3.2'], // >=3.2.1 <3.3.0 - ['~1', '0.2.3'], // >=1.0.0 <2.0.0 ['~>1', '0.2.3'], ['~1.0', '0.0.0'], // >=1.0.0 <1.1.0 ['>1', '1.0.0'], diff --git a/test/fixtures/version-not-gt-range.js b/test/fixtures/version-not-gt-range.js index 15e7b6af..1f40738e 100644 --- a/test/fixtures/version-not-gt-range.js +++ b/test/fixtures/version-not-gt-range.js @@ -48,8 +48,6 @@ module.exports = [ ['1.2.*', '1.2.3'], ['1.2.* || 2.*', '2.1.3'], ['1.2.* || 2.*', '1.2.3'], - ['1.2.* || 2.*', '1.2.3'], - ['*', '1.2.3'], ['2', '2.1.2'], ['2.3', '2.3.1'], ['~2.4', '2.4.0'], // >=2.4.0 <2.5.0 diff --git a/test/fixtures/version-not-lt-range.js b/test/fixtures/version-not-lt-range.js index 35954f7a..aac7c254 100644 --- a/test/fixtures/version-not-lt-range.js +++ b/test/fixtures/version-not-lt-range.js @@ -48,8 +48,6 @@ module.exports = [ ['1.2.*', '1.2.3'], ['1.2.* || 2.*', '2.1.3'], ['1.2.* || 2.*', '1.2.3'], - ['1.2.* || 2.*', '1.2.3'], - ['*', '1.2.3'], ['2', '2.1.2'], ['2.3', '2.3.1'], ['~2.4', '2.4.0'], // >=2.4.0 <2.5.0 From 651b42108937a5d94b9e3087f9ecd46a7232b6f0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Oct 2022 07:01:21 +0000 Subject: [PATCH 12/50] chore: bump @npmcli/template-oss from 4.7.1 to 4.8.0 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.7.1 to 4.8.0. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.7.1...v4.8.0) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 1f3e388b..56d5310f 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.7.1", + "@npmcli/template-oss": "4.8.0", "tap": "^16.0.0" }, "license": "ISC", From 3b3de4f8263c9ba76f549c5d20fcc4e420958a5d Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Fri, 28 Oct 2022 12:52:06 -0700 Subject: [PATCH 13/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/audit.yml | 6 +++-- .github/workflows/ci.yml | 48 ------------------------------------- package.json | 2 +- 3 files changed, 5 insertions(+), 51 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 60bb334b..62892f99 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -33,5 +33,7 @@ jobs: run: npm -v - name: Install Dependencies run: npm i --ignore-scripts --no-audit --no-fund --package-lock - - name: Run Audit - run: npm audit + - name: Run Production Audit + run: npm audit --omit=dev + - name: Run Full Audit + run: npm audit --audit-level=none diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4bc2e2db..8d21d08c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,54 +14,6 @@ on: - cron: "0 9 * * 1" jobs: - engines: - name: Engines - ${{ matrix.platform.name }} - ${{ matrix.node-version }} - if: github.repository_owner == 'npm' - strategy: - fail-fast: false - matrix: - platform: - - name: Linux - os: ubuntu-latest - shell: bash - node-version: - - 10.0.0 - runs-on: ${{ matrix.platform.os }} - defaults: - run: - shell: ${{ matrix.platform.shell }} - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Git User - run: | - git config --global user.email "npm-cli+bot@github.com" - git config --global user.name "npm CLI robot" - - name: Setup Node - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node-version }} - - name: Update Windows npm - # node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows - if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.')) - run: | - curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz - tar xf npm-7.5.4.tgz - cd package - node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz - cd .. - rmdir /s /q package - - name: Install npm@7 - if: startsWith(matrix.node-version, '10.') - run: npm i --prefer-online --no-fund --no-audit -g npm@7 - - name: Install npm@latest - if: ${{ !startsWith(matrix.node-version, '10.') }} - run: npm i --prefer-online --no-fund --no-audit -g npm@latest - - name: npm Version - run: npm -v - - name: Install Dependencies - run: npm i --ignore-scripts --no-audit --no-fund --engines-strict - lint: name: Lint if: github.repository_owner == 'npm' diff --git a/package.json b/package.json index 56d5310f..3fec5cd7 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.7.1", + "version": "4.8.0", "engines": ">=10", "ciVersions": [ "10.0.0", From 3979088282ac4f35617a101157fba47246dcc65e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Nov 2022 06:21:16 +0000 Subject: [PATCH 14/50] chore: bump @npmcli/template-oss from 4.8.0 to 4.10.0 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.8.0 to 4.10.0. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.8.0...v4.10.0) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3fec5cd7..70a571e5 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.8.0", + "@npmcli/template-oss": "4.10.0", "tap": "^16.0.0" }, "license": "ISC", From c1d1952141d84a62b1df683f651e123d2d81ca1b Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Sat, 12 Nov 2022 14:29:45 -0700 Subject: [PATCH 15/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/audit.yml | 4 ++-- .github/workflows/ci-release.yml | 8 ++++---- .github/workflows/ci.yml | 8 ++++---- .github/workflows/post-dependabot.yml | 4 ++-- .github/workflows/pull-request.yml | 4 ++-- .github/workflows/release.yml | 18 +++++++++--------- SECURITY.md | 13 ++++++++++++- package.json | 3 ++- 8 files changed, 37 insertions(+), 25 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 62892f99..8b8f3748 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -27,8 +27,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 52c686cd..1e8c0719 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -82,8 +82,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies @@ -196,9 +196,9 @@ jobs: - name: Install npm@7 if: startsWith(matrix.node-version, '10.') run: npm i --prefer-online --no-fund --no-audit -g npm@7 - - name: Install npm@latest + - name: Install npm@8 if: ${{ !startsWith(matrix.node-version, '10.') }} - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d21d08c..90c632b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,8 +32,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies @@ -94,9 +94,9 @@ jobs: - name: Install npm@7 if: startsWith(matrix.node-version, '10.') run: npm i --prefer-online --no-fund --no-audit -g npm@7 - - name: Install npm@latest + - name: Install npm@8 if: ${{ !startsWith(matrix.node-version, '10.') }} - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index 19902bdc..1174d0e3 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -28,8 +28,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 1a1d1ee8..22869511 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -31,8 +31,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 15d37cb6..b021f9a3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -42,8 +42,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies @@ -74,9 +74,9 @@ jobs: const comments = await github.paginate(github.rest.issues.listComments, issue) let commentId = comments?.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id - body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Rerun for This Release\n\n` + body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n` body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. ` - body += `To force CI to rerun, run this command:\n\n` + body += `To force CI to update this PR, run this command:\n\n` body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME}\n\`\`\`` if (commentId) { @@ -156,8 +156,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies @@ -168,7 +168,7 @@ jobs: RELEASE_COMMENT_ID: ${{ needs.release.outputs.comment-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npm exec --offline -- template-oss-release-manager + npm exec --offline -- template-oss-release-manager --lockfile=false npm run rp-pull-request --ignore-scripts --if-present - name: Commit id: commit @@ -286,8 +286,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install npm@latest - run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - name: Install npm@8 + run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - name: Install Dependencies diff --git a/SECURITY.md b/SECURITY.md index a93106d0..4e7c26c6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,14 @@ -Please send vulnerability reports through [hackerone](https://hackerone.com/github). +GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). + +If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. + +If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). + +If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award. + +**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** + +Thanks for helping make GitHub safe for everyone. + diff --git a/package.json b/package.json index 70a571e5..14f42505 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.8.0", + "version": "4.10.0", "engines": ">=10", "ciVersions": [ "10.0.0", @@ -63,6 +63,7 @@ "16.x", "18.x" ], + "npmSpec": "8", "distPaths": [ "classes/", "functions/", From 856246920cdd2bc4cef62693d5d2eeb85f695b74 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Dec 2022 06:08:38 +0000 Subject: [PATCH 16/50] chore: bump @npmcli/template-oss from 4.10.0 to 4.11.0 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.10.0 to 4.11.0. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.10.0...v4.11.0) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 14f42505..a0b7ef96 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.10.0", + "@npmcli/template-oss": "4.11.0", "tap": "^16.0.0" }, "license": "ISC", From 3a8a4309ae986c1967b3073ba88c9e69433d44cb Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Sat, 10 Dec 2022 12:30:37 -0700 Subject: [PATCH 17/50] chore: postinstall for dependabot template-oss PR --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a0b7ef96..e039cf80 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.10.0", + "version": "4.11.0", "engines": ">=10", "ciVersions": [ "10.0.0", From 7488e6c423517301e744be21074f30ff7910a05d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Jan 2023 06:07:25 +0000 Subject: [PATCH 18/50] chore: bump @npmcli/template-oss from 4.11.0 to 4.11.3 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.11.0 to 4.11.3. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.11.0...v4.11.3) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e039cf80..b60af9b1 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.11.0", + "@npmcli/template-oss": "4.11.3", "tap": "^16.0.0" }, "license": "ISC", From bdda212f4f6126a1b8821dc0731a17fdc2fc533f Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Wed, 25 Jan 2023 13:55:41 -0700 Subject: [PATCH 19/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/pull-request.yml | 4 +- .github/workflows/release.yml | 148 ++++++++++++++++++++++++----- package.json | 2 +- 3 files changed, 129 insertions(+), 25 deletions(-) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 22869511..3b7b8ac5 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -41,8 +41,8 @@ jobs: id: commit continue-on-error: true run: | - npx --offline commitlint -V --from origin/${{ github.base_ref }} --to ${{ github.event.pull_request.head.sha }} + npx --offline commitlint -V --from 'origin/${{ github.base_ref }}' --to ${{ github.event.pull_request.head.sha }} - name: Run Commitlint on PR Title if: steps.commit.outcome == 'failure' run: | - echo ${{ github.event.pull_request.title }} | npx --offline commitlint -V + echo '${{ github.event.pull_request.title }}' | npx --offline commitlint -V diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b021f9a3..3f202e1d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,8 +19,8 @@ jobs: release: outputs: pr: ${{ steps.release.outputs.pr }} + release: ${{ steps.release.outputs.release }} releases: ${{ steps.release.outputs.releases }} - release-flags: ${{ steps.release.outputs.release-flags }} branch: ${{ steps.release.outputs.pr-branch }} pr-number: ${{ steps.release.outputs.pr-number }} comment-id: ${{ steps.pr-comment.outputs.result }} @@ -63,26 +63,25 @@ jobs: REF_NAME: ${{ github.ref_name }} with: script: | - const { REF_NAME, PR_NUMBER } = process.env - const repo = { owner: context.repo.owner, repo: context.repo.repo } - const issue = { ...repo, issue_number: PR_NUMBER } + const { REF_NAME, PR_NUMBER: issue_number } = process.env + const { runId, repo: { owner, repo } } = context - const { data: workflow } = await github.rest.actions.getWorkflowRun({ ...repo, run_id: context.runId }) + const { data: workflow } = await github.rest.actions.getWorkflowRun({ owner, repo, run_id: runId }) let body = '## Release Manager\n\n' - const comments = await github.paginate(github.rest.issues.listComments, issue) - let commentId = comments?.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id + const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number }) + let commentId = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n` body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. ` body += `To force CI to update this PR, run this command:\n\n` - body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME}\n\`\`\`` + body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME} -R ${owner}/${repo}\n\`\`\`` if (commentId) { - await github.rest.issues.updateComment({ ...repo, comment_id: commentId, body }) + await github.rest.issues.updateComment({ owner, repo, comment_id: commentId, body }) } else { - const { data: comment } = await github.rest.issues.createComment({ ...issue, body }) + const { data: comment } = await github.rest.issues.createComment({ owner, repo, issue_number, body }) commentId = comment?.id } @@ -276,12 +275,45 @@ jobs: run: shell: bash steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Git User - run: | - git config --global user.email "npm-cli+bot@github.com" - git config --global user.name "npm CLI robot" + - name: Create Release PR Comment + uses: actions/github-script@v6 + env: + RELEASES: ${{ needs.release.outputs.releases }} + with: + script: | + const releases = JSON.parse(process.env.RELEASES) + const { runId, repo: { owner, repo } } = context + const issue_number = releases[0].prNumber + + let body = '## Release Workflow\n\n' + for (const { pkgName, version, url } of releases) { + body += `- \`${pkgName}@${version}\` ${url}\n` + } + + const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number }) + const releaseComments = comments.filter(c => c.user.login === 'github-actions[bot]' && c.body.includes('Release is at')) + + for (const comment of releaseComments) { + await github.rest.issues.deleteComment({ owner, repo, comment_id: comment.id }) + } + + const runUrl = `https://github.com/${owner}/${repo}/actions/runs/${runId}` + await github.rest.issues.createComment({ + owner, + repo, + issue_number, + body: `${body}- Workflow run: :arrows_counterclockwise: ${runUrl}`, + }) + + release-integration: + needs: release + name: Release Integration + if: needs.release.outputs.release + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: - name: Setup Node uses: actions/setup-node@v3 with: @@ -290,10 +322,82 @@ jobs: run: npm i --prefer-online --no-fund --no-audit -g npm@8 - name: npm Version run: npm -v - - name: Install Dependencies - run: npm i --ignore-scripts --no-audit --no-fund - - name: Run Post Release Actions - env: - RELEASES: ${{ needs.release.outputs.releases }} + - name: View in Registry + run: | + EXIT_CODE=0 + + function is_published { + if npm view "$@" --loglevel=error > /dev/null; then + echo 0 + else + echo 1 + fi + } + + for release in $(echo '${{ needs.release.outputs.releases }}' | jq -r '.[] | @base64'); do + name=$(echo "$release" | base64 --decode | jq -r .pkgName) + version=$(echo "$release" | base64 --decode | jq -r .version) + spec="$name@$version" + status=$(is_published "$spec") + if [[ "$status" -eq 1 ]]; then + echo "$spec ERROR" + EXIT_CODE=$status + else + echo "$spec OK" + fi + done + + exit $EXIT_CODE + + post-release-integration: + needs: [ release, release-integration ] + name: Post Release Integration - Release + if: github.repository_owner == 'npm' && needs.release.outputs.release && always() + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Get Needs Result + id: needs-result run: | - npm run rp-release --ignore-scripts --if-present ${{ join(fromJSON(needs.release.outputs.release-flags), ' ') }} + result="" + if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then + result="x" + elif [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then + result="heavy_multiplication_x" + else + result="white_check_mark" + fi + echo "::set-output name=result::$result" + - name: Update Release PR Comment + uses: actions/github-script@v6 + env: + PR_NUMBER: ${{ fromJSON(needs.release.outputs.release).prNumber }} + RESULT: ${{ steps.needs-result.outputs.result }} + with: + script: | + const { PR_NUMBER: issue_number, RESULT } = process.env + const { repo: { owner, repo } } = context + + const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number }) + const updateComment = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith('## Release Workflow\n\n')) + + if (updateComment) { + console.log('Found comment to update:', JSON.stringify(updateComment, null, 2)) + let body = updateComment.body.replace(/Workflow run: :[a-z_]+:/, `Workflow run: :${RESULT}:`) + if (RESULT === 'x') { + body += `\n\n:rotating_light:` + body += ` @npm/cli-team: The post-release workflow failed for this release.` + body += ` Manual steps may need to be taken after examining the workflow output` + body += ` from the above workflow run. :rotating_light:` + } + await github.rest.issues.updateComment({ + owner, + repo, + body, + comment_id: updateComment.id, + }) + } else { + console.log('No matching comments found:', JSON.stringify(comments, null, 2)) + } diff --git a/package.json b/package.json index b60af9b1..6ffc7646 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.11.0", + "version": "4.11.3", "engines": ">=10", "ciVersions": [ "10.0.0", From 344f316921b0ef729fb351f08e634e80e8db8334 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Feb 2023 06:05:46 +0000 Subject: [PATCH 20/50] chore: bump @npmcli/template-oss from 4.11.3 to 4.11.4 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.11.3 to 4.11.4. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.11.3...v4.11.4) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 6ffc7646..e29579c8 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.11.3", + "@npmcli/template-oss": "4.11.4", "tap": "^16.0.0" }, "license": "ISC", From 8f11f7ccff471b33da701c5a307300bacee64c1d Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Wed, 8 Feb 2023 10:09:59 -0700 Subject: [PATCH 21/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/release.yml | 23 +++++++++++++++++------ package.json | 2 +- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f202e1d..51a78822 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,10 @@ name: Release on: workflow_dispatch: + inputs: + release-pr: + description: a release PR number to rerun release jobs on + type: string push: branches: - main @@ -53,7 +57,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npx --offline template-oss-release-please ${{ github.ref_name }} ${{ github.event_name }} + npx --offline template-oss-release-please "${{ github.ref_name }}" "${{ inputs.release-pr }}" - name: Post Pull Request Comment if: steps.release.outputs.pr-number uses: actions/github-script@v6 @@ -76,7 +80,7 @@ jobs: body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n` body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. ` body += `To force CI to update this PR, run this command:\n\n` - body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME} -R ${owner}/${repo}\n\`\`\`` + body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME} -R ${owner}/${repo} -f release-pr=${issue_number}\n\`\`\`` if (commentId) { await github.rest.issues.updateComment({ owner, repo, comment_id: commentId, body }) @@ -291,14 +295,17 @@ jobs: } const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number }) - const releaseComments = comments.filter(c => c.user.login === 'github-actions[bot]' && c.body.includes('Release is at')) + .then(cs => cs.map(c => ({ id: c.id, login: c.user.login, body: c.body }))) + console.log(`Found comments: ${JSON.stringify(comments, null, 2)}`) + const releaseComments = comments.filter(c => c.login === 'github-actions[bot]' && c.body.includes('Release is at')) for (const comment of releaseComments) { + console.log(`Release comment: ${JSON.stringify(comment, null, 2)}`) await github.rest.issues.deleteComment({ owner, repo, comment_id: comment.id }) } const runUrl = `https://github.com/${owner}/${repo}/actions/runs/${runId}` - await github.rest.issues.createComment({ + await github.rest.issues.createComment({ owner, repo, issue_number, @@ -378,10 +385,14 @@ jobs: with: script: | const { PR_NUMBER: issue_number, RESULT } = process.env - const { repo: { owner, repo } } = context + const { runId, repo: { owner, repo } } = context const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number }) - const updateComment = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith('## Release Workflow\n\n')) + const updateComment = comments.find(c => + c.user.login === 'github-actions[bot]' && + c.body.startsWith('## Release Workflow\n\n') && + c.body.includes(runId) + ) if (updateComment) { console.log('Found comment to update:', JSON.stringify(updateComment, null, 2)) diff --git a/package.json b/package.json index e29579c8..7ecb4b23 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.11.3", + "version": "4.11.4", "engines": ">=10", "ciVersions": [ "10.0.0", From 5f8eb660502141261030c40531680758b2abe3bd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Mar 2023 07:03:02 +0000 Subject: [PATCH 22/50] chore: bump @npmcli/template-oss from 4.11.4 to 4.12.0 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.11.4 to 4.12.0. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.11.4...v4.12.0) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7ecb4b23..986dd3f8 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.11.4", + "@npmcli/template-oss": "4.12.0", "tap": "^16.0.0" }, "license": "ISC", From da08e01cd96f9d70a8b4fbc7dc3f69eef930f67a Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Tue, 7 Mar 2023 17:24:24 -0700 Subject: [PATCH 23/50] chore: postinstall for dependabot template-oss PR --- .github/workflows/post-dependabot.yml | 8 ++++---- .github/workflows/release.yml | 10 +++++----- SECURITY.md | 3 +-- package.json | 2 +- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index 1174d0e3..03c85681 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -48,11 +48,11 @@ jobs: run: | dependabot_dir="${{ steps.metadata.outputs.directory }}" if [[ "$dependabot_dir" == "/" ]]; then - echo "::set-output name=workspace::-iwr" + echo "workspace=-iwr" >> $GITHUB_OUTPUT else # strip leading slash from directory so it works as a # a path to the workspace flag - echo "::set-output name=workspace::-w ${dependabot_dir#/}" + echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT fi - name: Apply Changes @@ -61,7 +61,7 @@ jobs: run: | npm run template-oss-apply ${{ steps.flags.outputs.workspace }} if [[ `git status --porcelain` ]]; then - echo "::set-output name=changes::true" + echo "changes=true" >> $GITHUB_OUTPUT fi # This only sets the conventional commit prefix. This workflow can't reliably determine # what the breaking change is though. If a BREAKING CHANGE message is required then @@ -71,7 +71,7 @@ jobs: else prefix='chore' fi - echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR" + echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT # This step will fail if template-oss has made any workflow updates. It is impossible # for a workflow to update other workflows. In the case it does fail, we continue diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 51a78822..6e72bc00 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -180,7 +180,7 @@ jobs: run: | git commit --all --amend --no-edit || true git push --force-with-lease - echo "::set-output name=sha::$(git rev-parse HEAD)" + echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Get Workflow Job uses: actions/github-script@v6 if: steps.commit.outputs.sha @@ -261,7 +261,7 @@ jobs: else result="success" fi - echo "::set-output name=result::$result" + echo "result=$result" >> $GITHUB_OUTPUT - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 if: needs.update.outputs.check-id && always() @@ -368,7 +368,6 @@ jobs: - name: Get Needs Result id: needs-result run: | - result="" if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then result="x" elif [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then @@ -376,7 +375,7 @@ jobs: else result="white_check_mark" fi - echo "::set-output name=result::$result" + echo "result=$result" >> $GITHUB_OUTPUT - name: Update Release PR Comment uses: actions/github-script@v6 env: @@ -397,7 +396,8 @@ jobs: if (updateComment) { console.log('Found comment to update:', JSON.stringify(updateComment, null, 2)) let body = updateComment.body.replace(/Workflow run: :[a-z_]+:/, `Workflow run: :${RESULT}:`) - if (RESULT === 'x') { + const tagCodeowner = RESULT !== 'white_check_mark' + if (tagCodeowner) { body += `\n\n:rotating_light:` body += ` @npm/cli-team: The post-release workflow failed for this release.` body += ` Manual steps may need to be taken after examining the workflow output` diff --git a/SECURITY.md b/SECURITY.md index 4e7c26c6..9cd2deaf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,11 +4,10 @@ GitHub takes the security of our software products and services seriously, inclu If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. -If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). +If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com). If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award. **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** Thanks for helping make GitHub safe for everyone. - diff --git a/package.json b/package.json index 986dd3f8..9d0a9043 100644 --- a/package.json +++ b/package.json @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.11.4", + "version": "4.12.0", "engines": ">=10", "ciVersions": [ "10.0.0", From f4fa069c9304b847a5083cf77c2ea7c568692ab8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Apr 2023 13:18:25 -0700 Subject: [PATCH 24/50] chore: bump @npmcli/template-oss from 4.12.0 to 4.13.0 (#531) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: npm CLI robot Co-authored-by: Gar --- .github/workflows/release.yml | 2 +- package.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6e72bc00..630f33f9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -171,7 +171,7 @@ jobs: RELEASE_COMMENT_ID: ${{ needs.release.outputs.comment-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npm exec --offline -- template-oss-release-manager --lockfile=false + npm exec --offline -- template-oss-release-manager --lockfile=false --publish=false npm run rp-pull-request --ignore-scripts --if-present - name: Commit id: commit diff --git a/package.json b/package.json index 9d0a9043..4d2fe17b 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.12.0", + "@npmcli/template-oss": "4.13.0", "tap": "^16.0.0" }, "license": "ISC", @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.12.0", + "version": "4.13.0", "engines": ">=10", "ciVersions": [ "10.0.0", From f66cc45c6e82eebb4b5b51af73e7b8dcaeda7e21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vinicius=20Louren=C3=A7o?= <12551007+H4ad@users.noreply.github.com> Date: Thu, 6 Apr 2023 22:16:10 -0300 Subject: [PATCH 25/50] fix: faster diff (#539) --- functions/diff.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/functions/diff.js b/functions/diff.js index 87200ef3..651a3018 100644 --- a/functions/diff.js +++ b/functions/diff.js @@ -2,11 +2,11 @@ const parse = require('./parse') const eq = require('./eq') const diff = (version1, version2) => { - if (eq(version1, version2)) { + const v1 = parse(version1) + const v2 = parse(version2) + if (eq(v1, v2)) { return null } else { - const v1 = parse(version1) - const v2 = parse(version2) const hasPre = v1.prerelease.length || v2.prerelease.length const prefix = hasPre ? 'pre' : '' const defaultResult = hasPre ? 'prerelease' : '' From 48d8f8fa63bf6e35db70ff840b6da1a51596a5a8 Mon Sep 17 00:00:00 2001 From: Charley Bodkin <1542740+charlex@users.noreply.github.com> Date: Fri, 12 Jul 2019 22:55:39 +0000 Subject: [PATCH 26/50] feat: export new RELEASE_TYPES constant Which will help library consumers better integrate semver into their apps. Possible usecases of consuming this constant: - Automatically show a dropdown of available release types that conform to the semver spec - Validate user inputs where a release type is expected --- index.js | 1 + internal/constants.js | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/index.js b/index.js index 4a342c6a..86d42ac1 100644 --- a/index.js +++ b/index.js @@ -83,6 +83,7 @@ module.exports = { src: internalRe.src, tokens: internalRe.t, SEMVER_SPEC_VERSION: constants.SEMVER_SPEC_VERSION, + RELEASE_TYPES: constants.RELEASE_TYPES, compareIdentifiers: identifiers.compareIdentifiers, rcompareIdentifiers: identifiers.rcompareIdentifiers, } diff --git a/internal/constants.js b/internal/constants.js index 4f0de59b..cb2d76c2 100644 --- a/internal/constants.js +++ b/internal/constants.js @@ -9,9 +9,20 @@ const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER || // Max safe segment length for coercion. const MAX_SAFE_COMPONENT_LENGTH = 16 +const RELEASE_TYPES = [ + 'major', + 'premajor', + 'minor', + 'preminor', + 'patch', + 'prepatch', + 'prerelease', +] + module.exports = { - SEMVER_SPEC_VERSION, MAX_LENGTH, - MAX_SAFE_INTEGER, MAX_SAFE_COMPONENT_LENGTH, + MAX_SAFE_INTEGER, + RELEASE_TYPES, + SEMVER_SPEC_VERSION, } From c5d29df6f75741fea27fffe3b88c9c3b28e3ca73 Mon Sep 17 00:00:00 2001 From: Charley Bodkin <1542740+charlex@users.noreply.github.com> Date: Tue, 24 Dec 2019 16:43:00 -0500 Subject: [PATCH 27/50] docs: Add "Constants" section to README documents `RELEASE_TYPES` and `SEMVER_SPEC_VERSION` --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index df54e7a0..7dde5f8c 100644 --- a/README.md +++ b/README.md @@ -513,6 +513,40 @@ ex. * `s.clean(' 2.1.5 ')`: `'2.1.5'` * `s.clean('~1.0.0')`: `null` +## Constants + +As a convenience, helper constants are exported to provide information about what `node-semver` supports: + +### `RELEASE_TYPES` + +- major +- premajor +- minor +- preminor +- patch +- prepatch +- prerelease + +``` +const semver = require('semver'); + +if (semver.RELEASE_TYPES.includes(arbitraryUserInput)) { + console.log('This is a valid release type!'); +} else { + console.warn('This is NOT a valid release type!'); +} +``` + +### `SEMVER_SPEC_VERSION` + +2.0.0 + +``` +const semver = require('semver'); + +console.log('We are currently using the semver specification version:', semver.SEMVER_SPEC_VERSION); +``` + ## Exported Modules + +# Contributing + +## Code of Conduct + +All interactions in the **npm** organization on GitHub are considered to be covered by our standard [Code of Conduct](https://docs.npmjs.com/policies/conduct). + +## Reporting Bugs + +Before submitting a new bug report please search for an existing or similar report. + +Use one of our existing issue templates if you believe you've come across a unique problem. + +Duplicate issues, or issues that don't use one of our templates may get closed without a response. + +## Pull Request Conventions + +### Commits + +We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). + +When opening a pull request please be sure that either the pull request title, or each commit in the pull request, has one of the following prefixes: + + - `feat`: For when introducing a new feature. The result will be a new semver minor version of the package when it is next published. + - `fix`: For bug fixes. The result will be a new semver patch version of the package when it is next published. + - `docs`: For documentation updates. The result will be a new semver patch version of the package when it is next published. + - `chore`: For changes that do not affect the published module. Often these are changes to tests. The result will be *no* change to the version of the package when it is next published (as the commit does not affect the published version). + +### Test Coverage + +Pull requests made against this repo will run `npm test` automatically. Please make sure tests pass locally before submitting a PR. + +Every new feature or bug fix should come with a corresponding test or tests that validate the solutions. Testing also reports on code coverage and will fail if code coverage drops. + +### Linting + +Linting is also done automatically once tests pass. `npm run lintfix` will fix most linting errors automatically. + +Please make sure linting passes before submitting a PR. + +## What _not_ to contribute? + +### Dependencies + +It should be noted that our team does not accept third-party dependency updates/PRs. If you submit a PR trying to update our dependencies we will close it with or without a reference to these contribution guidelines. + +### Tools/Automation + +Our core team is responsible for the maintenance of the tooling/automation in this project and we ask contributors to not make changes to these when contributing (e.g. `.github/*`, `.eslintrc.json`, `.licensee.json`). Most of those files also have a header at the top to remind folks they are automatically generated. Pull requests that alter these will not be accepted. diff --git a/package.json b/package.json index 592404a3..204e0086 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.14.1", + "@npmcli/template-oss": "4.15.1", "tap": "^16.0.0" }, "license": "ISC", @@ -53,7 +53,7 @@ "author": "GitHub Inc.", "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.14.1", + "version": "4.15.1", "engines": ">=10", "ciVersions": [ "10.0.0", From 717534ee353682f3bcf33e60a8af4292626d4441 Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Thu, 15 Jun 2023 12:21:14 -0700 Subject: [PATCH 47/50] fix: better handling of whitespace (#564) --- classes/comparator.js | 3 +- classes/range.js | 64 ++++++++++++++++------------ classes/semver.js | 2 +- functions/coerce.js | 2 +- internal/re.js | 11 +++++ package.json | 2 +- test/integration/whitespace.js | 39 +++++++++++++++++ test/internal/re.js | 8 +++- test/map.js | 77 ++++++++++++++++------------------ 9 files changed, 136 insertions(+), 72 deletions(-) create mode 100644 test/integration/whitespace.js diff --git a/classes/comparator.js b/classes/comparator.js index 2146c884..3d39c0ee 100644 --- a/classes/comparator.js +++ b/classes/comparator.js @@ -16,6 +16,7 @@ class Comparator { } } + comp = comp.trim().split(/\s+/).join(' ') debug('comparator', comp, options) this.options = options this.loose = !!options.loose @@ -133,7 +134,7 @@ class Comparator { module.exports = Comparator const parseOptions = require('../internal/parse-options') -const { re, t } = require('../internal/re') +const { safeRe: re, t } = require('../internal/re') const cmp = require('../functions/cmp') const debug = require('../internal/debug') const SemVer = require('./semver') diff --git a/classes/range.js b/classes/range.js index d9e866de..53c2540f 100644 --- a/classes/range.js +++ b/classes/range.js @@ -26,19 +26,26 @@ class Range { this.loose = !!options.loose this.includePrerelease = !!options.includePrerelease - // First, split based on boolean or || + // First reduce all whitespace as much as possible so we do not have to rely + // on potentially slow regexes like \s*. This is then stored and used for + // future error messages as well. this.raw = range - this.set = range + .trim() + .split(/\s+/) + .join(' ') + + // First, split on || + this.set = this.raw .split('||') // map the range to a 2d array of comparators - .map(r => this.parseRange(r.trim())) + .map(r => this.parseRange(r)) // throw out any comparator lists that are empty // this generally means that it was not a valid range, which is allowed // in loose mode, but will still throw if the WHOLE range is invalid. .filter(c => c.length) if (!this.set.length) { - throw new TypeError(`Invalid SemVer Range: ${range}`) + throw new TypeError(`Invalid SemVer Range: ${this.raw}`) } // if we have any that are not the null set, throw out null sets. @@ -64,9 +71,7 @@ class Range { format () { this.range = this.set - .map((comps) => { - return comps.join(' ').trim() - }) + .map((comps) => comps.join(' ').trim()) .join('||') .trim() return this.range @@ -77,8 +82,6 @@ class Range { } parseRange (range) { - range = range.trim() - // memoize range parsing for performance. // this is a very hot path, and fully deterministic. const memoOpts = @@ -105,9 +108,6 @@ class Range { // `^ 1.2.3` => `^1.2.3` range = range.replace(re[t.CARETTRIM], caretTrimReplace) - // normalize spaces - range = range.split(/\s+/).join(' ') - // At this point, the range is completely trimmed and // ready to be split into comparators. @@ -203,7 +203,7 @@ const Comparator = require('./comparator') const debug = require('../internal/debug') const SemVer = require('./semver') const { - re, + safeRe: re, t, comparatorTrimReplace, tildeTrimReplace, @@ -257,10 +257,13 @@ const isX = id => !id || id.toLowerCase() === 'x' || id === '*' // ~1.2.3, ~>1.2.3 --> >=1.2.3 <1.3.0-0 // ~1.2.0, ~>1.2.0 --> >=1.2.0 <1.3.0-0 // ~0.0.1 --> >=0.0.1 <0.1.0-0 -const replaceTildes = (comp, options) => - comp.trim().split(/\s+/).map((c) => { - return replaceTilde(c, options) - }).join(' ') +const replaceTildes = (comp, options) => { + return comp + .trim() + .split(/\s+/) + .map((c) => replaceTilde(c, options)) + .join(' ') +} const replaceTilde = (comp, options) => { const r = options.loose ? re[t.TILDELOOSE] : re[t.TILDE] @@ -298,10 +301,13 @@ const replaceTilde = (comp, options) => { // ^1.2.0 --> >=1.2.0 <2.0.0-0 // ^0.0.1 --> >=0.0.1 <0.0.2-0 // ^0.1.0 --> >=0.1.0 <0.2.0-0 -const replaceCarets = (comp, options) => - comp.trim().split(/\s+/).map((c) => { - return replaceCaret(c, options) - }).join(' ') +const replaceCarets = (comp, options) => { + return comp + .trim() + .split(/\s+/) + .map((c) => replaceCaret(c, options)) + .join(' ') +} const replaceCaret = (comp, options) => { debug('caret', comp, options) @@ -358,9 +364,10 @@ const replaceCaret = (comp, options) => { const replaceXRanges = (comp, options) => { debug('replaceXRanges', comp, options) - return comp.split(/\s+/).map((c) => { - return replaceXRange(c, options) - }).join(' ') + return comp + .split(/\s+/) + .map((c) => replaceXRange(c, options)) + .join(' ') } const replaceXRange = (comp, options) => { @@ -443,12 +450,15 @@ const replaceXRange = (comp, options) => { const replaceStars = (comp, options) => { debug('replaceStars', comp, options) // Looseness is ignored here. star is always as loose as it gets! - return comp.trim().replace(re[t.STAR], '') + return comp + .trim() + .replace(re[t.STAR], '') } const replaceGTE0 = (comp, options) => { debug('replaceGTE0', comp, options) - return comp.trim() + return comp + .trim() .replace(re[options.includePrerelease ? t.GTE0PRE : t.GTE0], '') } @@ -486,7 +496,7 @@ const hyphenReplace = incPr => ($0, to = `<=${to}` } - return (`${from} ${to}`).trim() + return `${from} ${to}`.trim() } const testSet = (set, version, options) => { diff --git a/classes/semver.js b/classes/semver.js index 99dbe82d..e1208fe6 100644 --- a/classes/semver.js +++ b/classes/semver.js @@ -1,6 +1,6 @@ const debug = require('../internal/debug') const { MAX_LENGTH, MAX_SAFE_INTEGER } = require('../internal/constants') -const { re, t } = require('../internal/re') +const { safeRe: re, t } = require('../internal/re') const parseOptions = require('../internal/parse-options') const { compareIdentifiers } = require('../internal/identifiers') diff --git a/functions/coerce.js b/functions/coerce.js index 2e01452f..febbff9c 100644 --- a/functions/coerce.js +++ b/functions/coerce.js @@ -1,6 +1,6 @@ const SemVer = require('../classes/semver') const parse = require('./parse') -const { re, t } = require('../internal/re') +const { safeRe: re, t } = require('../internal/re') const coerce = (version, options) => { if (version instanceof SemVer) { diff --git a/internal/re.js b/internal/re.js index ed88398a..f73ef1aa 100644 --- a/internal/re.js +++ b/internal/re.js @@ -4,16 +4,27 @@ exports = module.exports = {} // The actual regexps go on exports.re const re = exports.re = [] +const safeRe = exports.safeRe = [] const src = exports.src = [] const t = exports.t = {} let R = 0 const createToken = (name, value, isGlobal) => { + // Replace all greedy whitespace to prevent regex dos issues. These regex are + // used internally via the safeRe object since all inputs in this library get + // normalized first to trim and collapse all extra whitespace. The original + // regexes are exported for userland consumption and lower level usage. A + // future breaking change could export the safer regex only with a note that + // all input should have extra whitespace removed. + const safe = value + .split('\\s*').join('\\s{0,1}') + .split('\\s+').join('\\s') const index = R++ debug(name, index, value) t[name] = index src[index] = value re[index] = new RegExp(value, isGlobal ? 'g' : undefined) + safeRe[index] = new RegExp(safe, isGlobal ? 'g' : undefined) } // The following Regular Expressions can be used for tokenizing, diff --git a/package.json b/package.json index 204e0086..72077036 100644 --- a/package.json +++ b/package.json @@ -37,7 +37,7 @@ "range.bnf" ], "tap": { - "check-coverage": true, + "timeout": 30, "coverage-map": "map.js", "nyc-arg": [ "--exclude", diff --git a/test/integration/whitespace.js b/test/integration/whitespace.js new file mode 100644 index 00000000..eb9744d9 --- /dev/null +++ b/test/integration/whitespace.js @@ -0,0 +1,39 @@ +const { test } = require('tap') +const Range = require('../../classes/range') +const SemVer = require('../../classes/semver') +const Comparator = require('../../classes/comparator') +const validRange = require('../../ranges/valid') +const minVersion = require('../../ranges/min-version') +const minSatisfying = require('../../ranges/min-satisfying') +const maxSatisfying = require('../../ranges/max-satisfying') + +const s = (n = 500000) => ' '.repeat(n) + +test('regex dos via range whitespace', (t) => { + // a range with this much whitespace would take a few minutes to process if + // any redos susceptible regexes were used. there is a global tap timeout per + // file set in the package.json that will error if this test takes too long. + const r = `1.2.3 ${s()} <1.3.0` + + t.equal(new Range(r).range, '1.2.3 <1.3.0') + t.equal(validRange(r), '1.2.3 <1.3.0') + t.equal(minVersion(r).version, '1.2.3') + t.equal(minSatisfying(['1.2.3'], r), '1.2.3') + t.equal(maxSatisfying(['1.2.3'], r), '1.2.3') + + t.end() +}) + +test('semver version', (t) => { + const v = `${s(125)}1.2.3${s(125)}` + const tooLong = `${s()}1.2.3${s()}` + t.equal(new SemVer(v).version, '1.2.3') + t.throws(() => new SemVer(tooLong)) + t.end() +}) + +test('comparator', (t) => { + const c = `${s()}<${s()}1.2.3${s()}` + t.equal(new Comparator(c).value, '<1.2.3') + t.end() +}) diff --git a/test/internal/re.js b/test/internal/re.js index 1aad22ba..2851b325 100644 --- a/test/internal/re.js +++ b/test/internal/re.js @@ -1,5 +1,5 @@ const { test } = require('tap') -const { src, re } = require('../../internal/re') +const { src, re, safeRe } = require('../../internal/re') const semver = require('../../') test('has a list of src, re, and tokens', (t) => { @@ -13,5 +13,11 @@ test('has a list of src, re, and tokens', (t) => { for (const i in semver.tokens) { t.match(semver.tokens[i], Number, 'tokens are numbers') } + + safeRe.forEach(r => { + t.notMatch(r.source, '\\s+', 'safe regex do not contain greedy whitespace') + t.notMatch(r.source, '\\s*', 'safe regex do not contain greedy whitespace') + }) + t.end() }) diff --git a/test/map.js b/test/map.js index 8179e71e..5c36eb7d 100644 --- a/test/map.js +++ b/test/map.js @@ -1,49 +1,46 @@ const t = require('tap') +const { resolve, join, relative, extname, dirname, basename } = require('path') +const { statSync, readdirSync } = require('fs') +const map = require('../map.js') +const pkg = require('../package.json') -// ensure that the coverage map maps all coverage -const ignore = [ - '.git', - '.github', - '.commitlintrc.js', - '.eslintrc.js', - '.eslintrc.local.js', - 'node_modules', - 'coverage', - 'tap-snapshots', - 'test', - 'fixtures', -] +const ROOT = resolve(__dirname, '..') +const TEST = join(ROOT, 'test') +const IGNORE_DIRS = ['fixtures', 'integration'] -const { statSync, readdirSync } = require('fs') -const find = (folder, set = [], root = true) => { - const ent = readdirSync(folder) - set.push(...ent.filter(f => !ignore.includes(f) && /\.m?js$/.test(f)).map(f => folder + '/' + f)) - for (const e of ent.filter(f => !ignore.includes(f) && !/\.m?js$/.test(f))) { - if (statSync(folder + '/' + e).isDirectory()) { - find(folder + '/' + e, set, false) +const getFile = (f) => { + try { + if (statSync(f).isFile()) { + return extname(f) === '.js' ? [f] : [] } + } catch { + return [] } - if (!root) { - return - } - return set.map(f => f.slice(folder.length + 1) - .replace(/\\/g, '/')) - .sort((a, b) => a.localeCompare(b)) } -const { resolve } = require('path') -const root = resolve(__dirname, '..') +const walk = (item, res = []) => getFile(item) || readdirSync(item) + .map(f => join(item, f)) + .reduce((acc, f) => acc.concat(statSync(f).isDirectory() ? walk(f, res) : getFile(f)), []) + .filter(Boolean) -const sut = find(root) -const tests = find(root + '/test') -t.strictSame(sut, tests, 'test files should match system files') -const map = require('../map.js') +const walkAll = (items, relativeTo) => items + .reduce((acc, f) => acc.concat(walk(join(ROOT, f))), []) + .map((f) => relative(relativeTo, f)) + .sort() -for (const testFile of tests) { - t.test(testFile, t => { - t.plan(1) - // cast to an array, since map() can return a string or array - const systemFiles = [].concat(map(testFile)) - t.ok(systemFiles.some(sys => sut.includes(sys)), 'test covers a file') - }) -} +t.test('tests match system', t => { + const sut = walkAll([pkg.tap['coverage-map'], ...pkg.files], ROOT) + const tests = walkAll([basename(TEST)], TEST) + .filter(f => !IGNORE_DIRS.includes(dirname(f))) + + t.strictSame(sut, tests, 'test files should match system files') + + for (const f of tests) { + t.test(f, t => { + t.plan(1) + t.ok(sut.includes(map(f)), 'test covers a file') + }) + } + + t.end() +}) From 5c8efbcb3c6c125af10746d054faff13e8c33fbd Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Thu, 15 Jun 2023 12:21:30 -0700 Subject: [PATCH 48/50] fix: preserve build in raw after inc (#565) Fixes: #562 --- classes/semver.js | 6 ++++-- test/classes/semver.js | 11 +++++++++-- test/fixtures/increments.js | 1 + test/functions/inc.js | 10 +++++++++- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/classes/semver.js b/classes/semver.js index e1208fe6..84e84590 100644 --- a/classes/semver.js +++ b/classes/semver.js @@ -291,8 +291,10 @@ class SemVer { default: throw new Error(`invalid increment argument: ${release}`) } - this.format() - this.raw = this.version + this.raw = this.format() + if (this.build.length) { + this.raw += `+${this.build.join('.')}` + } return this } } diff --git a/test/classes/semver.js b/test/classes/semver.js index 6be0ac8f..1e4d48f8 100644 --- a/test/classes/semver.js +++ b/test/classes/semver.js @@ -90,11 +90,18 @@ test('incrementing', t => { id, base, ]) => t.test(`${version} ${inc} ${id || ''}`.trim(), t => { - t.plan(1) if (expect === null) { + t.plan(1) t.throws(() => new SemVer(version, options).inc(inc, id, base)) } else { - t.equal(new SemVer(version, options).inc(inc, id, base).version, expect) + t.plan(2) + const incremented = new SemVer(version, options).inc(inc, id, base) + t.equal(incremented.version, expect) + if (incremented.build.length) { + t.equal(incremented.raw, `${expect}+${incremented.build.join('.')}`) + } else { + t.equal(incremented.raw, expect) + } } })) }) diff --git a/test/fixtures/increments.js b/test/fixtures/increments.js index 1fbc4bc9..65e9530b 100644 --- a/test/fixtures/increments.js +++ b/test/fixtures/increments.js @@ -123,4 +123,5 @@ module.exports = [ ['1.2.0-dev', 'preminor', '1.3.0-beta', false, 'beta', false], ['1.2.0-dev', 'prepatch', '1.2.1-dev', false, 'dev', false], ['1.2.0', 'prerelease', null, false, '', false], + ['1.0.0-rc.1+build.4', 'prerelease', '1.0.0-rc.2', 'rc', false], ] diff --git a/test/functions/inc.js b/test/functions/inc.js index e2d0768c..2f6f9bb4 100644 --- a/test/functions/inc.js +++ b/test/functions/inc.js @@ -14,7 +14,15 @@ test('increment versions test', (t) => { if (wanted) { parsed.inc(what, id, base) t.equal(parsed.version, wanted, `${cmd} object version updated`) - t.equal(parsed.raw, wanted, `${cmd} object raw field updated`) + if (parsed.build.length) { + t.equal( + parsed.raw, + `${wanted}+${parsed.build.join('.')}`, + `${cmd} object raw field updated with build` + ) + } else { + t.equal(parsed.raw, wanted, `${cmd} object raw field updated`) + } const preIncObject = JSON.stringify(parsedAsInput) inc(parsedAsInput, what, options, id, base) From 58c791f40ba8cf4be35a5ca6644353ecd6249edc Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Thu, 15 Jun 2023 12:21:55 -0700 Subject: [PATCH 49/50] fix: diff when detecting major change from prerelease (#566) Fixes #561 --- functions/diff.js | 51 +++++++++++++++++++++++++----------------- test/functions/diff.js | 2 ++ 2 files changed, 33 insertions(+), 20 deletions(-) diff --git a/functions/diff.js b/functions/diff.js index fafc11c4..fc224e30 100644 --- a/functions/diff.js +++ b/functions/diff.js @@ -13,6 +13,35 @@ const diff = (version1, version2) => { const highVersion = v1Higher ? v1 : v2 const lowVersion = v1Higher ? v2 : v1 const highHasPre = !!highVersion.prerelease.length + const lowHasPre = !!lowVersion.prerelease.length + + if (lowHasPre && !highHasPre) { + // Going from prerelease -> no prerelease requires some special casing + + // If the low version has only a major, then it will always be a major + // Some examples: + // 1.0.0-1 -> 1.0.0 + // 1.0.0-1 -> 1.1.1 + // 1.0.0-1 -> 2.0.0 + if (!lowVersion.patch && !lowVersion.minor) { + return 'major' + } + + // Otherwise it can be determined by checking the high version + + if (highVersion.patch) { + // anything higher than a patch bump would result in the wrong version + return 'patch' + } + + if (highVersion.minor) { + // anything higher than a minor bump would result in the wrong version + return 'minor' + } + + // bumping major/minor/patch all have same result + return 'major' + } // add the `pre` prefix if we are going to a prerelease version const prefix = highHasPre ? 'pre' : '' @@ -29,26 +58,8 @@ const diff = (version1, version2) => { return prefix + 'patch' } - // at this point we know stable versions match but overall versions are not equal, - // so either they are both prereleases, or the lower version is a prerelease - - if (highHasPre) { - // high and low are preleases - return 'prerelease' - } - - if (lowVersion.patch) { - // anything higher than a patch bump would result in the wrong version - return 'patch' - } - - if (lowVersion.minor) { - // anything higher than a minor bump would result in the wrong version - return 'minor' - } - - // bumping major/minor/patch all have same result - return 'major' + // high and low are preleases + return 'prerelease' } module.exports = diff diff --git a/test/functions/diff.js b/test/functions/diff.js index 74a80569..720e159b 100644 --- a/test/functions/diff.js +++ b/test/functions/diff.js @@ -26,6 +26,8 @@ test('diff versions test', (t) => { ['0.0.2-1', '1.0.0', 'major'], ['0.1.0-1', '0.1.0', 'minor'], ['1.0.0-1', '1.0.0', 'major'], + ['1.0.0-1', '1.1.1', 'major'], + ['1.0.0-1', '2.1.1', 'major'], ['1.0.1-1', '1.0.1', 'patch'], ['0.0.0-1', '0.0.0', 'major'], ['1.0.0-1', '2.0.0', 'major'], From e7b78de06eb14a7fa2075cedf9f167040d8d31af Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 15 Jun 2023 19:22:19 +0000 Subject: [PATCH 50/50] chore: release 7.5.2 --- .release-please-manifest.json | 2 +- CHANGELOG.md | 8 ++++++++ package.json | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index fbde66cb..0be3c6ce 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "7.5.1" + ".": "7.5.2" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 99f8e567..c08c960c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [7.5.2](https://github.com/npm/node-semver/compare/v7.5.1...v7.5.2) (2023-06-15) + +### Bug Fixes + +* [`58c791f`](https://github.com/npm/node-semver/commit/58c791f40ba8cf4be35a5ca6644353ecd6249edc) [#566](https://github.com/npm/node-semver/pull/566) diff when detecting major change from prerelease (#566) (@lukekarrys) +* [`5c8efbc`](https://github.com/npm/node-semver/commit/5c8efbcb3c6c125af10746d054faff13e8c33fbd) [#565](https://github.com/npm/node-semver/pull/565) preserve build in raw after inc (#565) (@lukekarrys) +* [`717534e`](https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441) [#564](https://github.com/npm/node-semver/pull/564) better handling of whitespace (#564) (@lukekarrys) + ## [7.5.1](https://github.com/npm/node-semver/compare/v7.5.0...v7.5.1) (2023-05-12) ### Bug Fixes diff --git a/package.json b/package.json index 72077036..7d0aff3c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "semver", - "version": "7.5.1", + "version": "7.5.2", "description": "The semantic version parser used by npm.", "main": "index.js", "scripts": {