From 2456b5066b49006bd38234062d6cf2c8d9880c13 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Feb 2025 03:23:56 +0000 Subject: [PATCH 1/3] Bump semver from 7.7.0 to 7.7.1 Bumps [semver](https://github.com/npm/node-semver) from 7.7.0 to 7.7.1. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.7.0...v7.7.1) --- updated-dependencies: - dependency-name: semver dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 05fd17f..a188163 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,7 +10,7 @@ "@actions/core": "^1.11.1", "@actions/http-client": "^2.2.3", "@actions/tool-cache": "^2.0.2", - "semver": "^7.7.0" + "semver": "^7.7.1" }, "devDependencies": { "@actions/io": "^1.1.3", @@ -5392,9 +5392,9 @@ "license": "MIT" }, "node_modules/semver": { - "version": "7.7.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.0.tgz", - "integrity": "sha512-DrfFnPzblFmNrIZzg5RzHegbiRWg7KMR7btwi2yjHwx06zsUbO5g613sVwEV7FTwmzJu+Io0lJe2GJ3LxqpvBQ==", + "version": "7.7.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz", + "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==", "license": "ISC", "bin": { "semver": "bin/semver.js" diff --git a/package.json b/package.json index cbb9150..5a79681 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ "@actions/core": "^1.11.1", "@actions/http-client": "^2.2.3", "@actions/tool-cache": "^2.0.2", - "semver": "^7.7.0" + "semver": "^7.7.1" }, "devDependencies": { "@actions/io": "^1.1.3", From ed1d58f74a6bcba1ce13364762e27284b87d29e9 Mon Sep 17 00:00:00 2001 From: per1234 Date: Tue, 4 Feb 2025 19:38:08 -0800 Subject: [PATCH 2/3] Repackage action following `semver` bump GitHub downloads each action run in a workflow during runtime and executes it as a complete package of code before you can use workflow commands like run to interact with the runner machine. This means that we must provide all JavaScript package dependencies as part of the distributed action in order for it to be usable in workflows. A naive approach to doing this is checking in the `node_modules` folder. However, this approach results in a huge amount of frequently changing external content being included in the repository, much of which is not even part of the executed program. A far better approach is to use the excellent ncc tool to compile the program, including all the relevant code from the dependencies, into a single file. We use a "continuous packaging" approach, where the packaged action code that is generated via ncc is always kept in sync with the development source code and dependencies. This allows a beta version of the action to be easily used in workflows by beta testers or those who need changes not in the release simply by using the name of the branch as the action ref (e.g., `uses: arduino/arduino-lint-action@main` will cause the version of the action from the tip of the `main` branch to be used by the workflow run). The update of the package dependency results in a change to the packaged code, so the packaging is here updated accordingly. --- dist/index.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dist/index.js b/dist/index.js index 27ed930..eff46cd 100644 --- a/dist/index.js +++ b/dist/index.js @@ -8216,7 +8216,7 @@ const testSet = (set, version, options) => { const debug = __nccwpck_require__(1159) const { MAX_LENGTH, MAX_SAFE_INTEGER } = __nccwpck_require__(5101) -const { safeRe: re, t } = __nccwpck_require__(5471) +const { safeRe: re, safeSrc: src, t } = __nccwpck_require__(5471) const parseOptions = __nccwpck_require__(356) const { compareIdentifiers } = __nccwpck_require__(3348) @@ -8398,7 +8398,8 @@ class SemVer { } // Avoid an invalid semver results if (identifier) { - const match = `-${identifier}`.match(this.options.loose ? re[t.PRERELEASELOOSE] : re[t.PRERELEASE]) + const r = new RegExp(`^${this.options.loose ? src[t.PRERELEASELOOSE] : src[t.PRERELEASE]}$`) + const match = `-${identifier}`.match(r) if (!match || match[1] !== identifier) { throw new Error(`invalid identifier: ${identifier}`) } @@ -9255,6 +9256,7 @@ exports = module.exports = {} const re = exports.re = [] const safeRe = exports.safeRe = [] const src = exports.src = [] +const safeSrc = exports.safeSrc = [] const t = exports.t = {} let R = 0 @@ -9287,6 +9289,7 @@ const createToken = (name, value, isGlobal) => { debug(name, index, value) t[name] = index src[index] = value + safeSrc[index] = safe re[index] = new RegExp(value, isGlobal ? 'g' : undefined) safeRe[index] = new RegExp(safe, isGlobal ? 'g' : undefined) } From 78e23fdf47c5de15c6f104780735739fc752ab90 Mon Sep 17 00:00:00 2001 From: per1234 Date: Tue, 4 Feb 2025 19:38:27 -0800 Subject: [PATCH 3/3] Update dependency license metadata cache for `semver` bump --- .licenses/npm/{semver-7.7.0.dep.yml => semver-7.7.1.dep.yml} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename .licenses/npm/{semver-7.7.0.dep.yml => semver-7.7.1.dep.yml} (97%) diff --git a/.licenses/npm/semver-7.7.0.dep.yml b/.licenses/npm/semver-7.7.1.dep.yml similarity index 97% rename from .licenses/npm/semver-7.7.0.dep.yml rename to .licenses/npm/semver-7.7.1.dep.yml index af576aa..3194cf4 100644 --- a/.licenses/npm/semver-7.7.0.dep.yml +++ b/.licenses/npm/semver-7.7.1.dep.yml @@ -1,8 +1,9 @@ --- name: semver -version: 7.7.0 +version: 7.7.1 type: npm summary: The semantic version parser used by npm. +homepage: license: isc licenses: - sources: LICENSE