funkemunky/actions
1
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2026-06-11 14:10:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8b6cdb5f580ff6b19af985e0fa90cd86daf1d3e1
actions/sources/package.json
T
Daz DeBoer 9901393644 Remove unnecessary dependency overrides (#981) 
Removes all `overrides` from `sources/package.json`. Two commits, each
independently verified:

## 1. Remove redundant security overrides

The `shell-quote`, `fast-xml-parser`, `fast-xml-builder` and `eslint >
brace-expansion` overrides added in #980 are **no-ops**: npm's natural
resolution already lands on the exact same patched versions, so they
upgrade nothing. The vulnerabilities were actually resolved by
regenerating the lockfile, not by the overrides.

## 2. Remove obsolete Octokit/Azure overrides

`@azure/logger`, `@octokit/request`, `@octokit/request-error` and
`@octokit/plugin-paginate-rest` were point-in-time pins added to
force-upgrade then-vulnerable transitive deps (5d947f45, #601). The
parent packages (`@actions/github`, `@actions/artifact`) have since
advanced and now resolve **newer, non-vulnerable** versions naturally —
so the overrides only pinned stale versions:

| Package | Pinned (override) | Natural |
|---|---|---|
| `@octokit/request` | 8.4.1 | 10.0.10 |
| `@octokit/request-error` | 5.1.1 | 7.1.0 |
| `@octokit/plugin-paginate-rest` | 9.2.2 | 14.0.0 |
| `@azure/logger` | 1.1.4 | 1.3.0 |

## Verification

- `npm audit` → **0 vulnerabilities**
- `./build` → passes
- `npm test` → **352/352 passing**

### Note on a flaky test
While testing I saw the `wrapper-validation` test *"fetches wrapper jar
checksums for snapshots"* intermittently fail (1–2 failures, then pass
on retry). It is a **pre-existing flaky network test** — it makes ~175
live calls to Gradle services and sits right at its 60s timeout. Its
code path imports neither Octokit nor Azure (`src/wrapper-validation/`
uses only `@actions/http-client`/`nock`/`cheerio`), so it is unrelated
to these overrides; the `nock`/`@mswjs/interceptors`/`undici` versions
are identical before and after.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 08:14:07 -06:00

73 lines
3.3 KiB
JSON
Raw Blame History

{
"name": "gradle-actions",
"version": "1.0.0",
"private": true,
"type": "module",
"description": "Execute Gradle Build",
"scripts": {
"prettier-write": "prettier --write 'src/**/*.ts'",
"prettier-check": "prettier --check 'src/**/*.ts'",
"lint": "eslint 'src/**/*.ts'",
"compile-dependency-submission-main": "esbuild src/actions/dependency-submission/main.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/dependency-submission/main/index.js --sourcemap --minify",
"compile-dependency-submission-post": "esbuild src/actions/dependency-submission/post.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/dependency-submission/post/index.js --sourcemap --minify",
"compile-setup-gradle-main": "esbuild src/actions/setup-gradle/main.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/setup-gradle/main/index.js --sourcemap --minify",
"compile-setup-gradle-post": "esbuild src/actions/setup-gradle/post.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/setup-gradle/post/index.js --sourcemap --minify",
"compile-wrapper-validation-main": "esbuild src/actions/wrapper-validation/main.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/wrapper-validation/main/index.js --sourcemap --minify",
"compile": "npm-run-all --parallel compile-*",
"check": "npm-run-all --parallel prettier-check lint",
"format": "npm-run-all --parallel prettier-write lint",
"test": "NODE_OPTIONS=--experimental-vm-modules jest",
"build": "npm run format && npm run compile",
"all": "npm run build && npm test"
},
"repository": {
"type": "git",
"url": "git+https://github.com/gradle/actions.git"
},
"keywords": [
"github",
"actions",
"github-actions",
"gradle"
],
"license": "MIT",
"engines": {
"node": ">=24.0.0"
},
"dependencies": {
"@actions/artifact": "6.2.1",
"@actions/cache": "6.0.1",
"@actions/core": "3.0.1",
"@actions/exec": "3.0.0",
"@actions/github": "9.1.1",
"@actions/glob": "0.7.0",
"@actions/http-client": "4.0.1",
"@actions/tool-cache": "4.0.0",
"@octokit/webhooks-types": "7.6.1",
"cheerio": "1.2.0",
"semver": "7.8.3",
"string-argv": "0.3.2",
"unhomoglyph": "1.0.6",
"which": "7.0.0"
},
"devDependencies": {
"@jest/globals": "30.4.1",
"@types/jest": "30.0.0",
"@types/node": "25.9.2",
"@types/semver": "7.7.1",
"@types/unzipper": "0.10.11",
"@types/which": "3.0.4",
"@typescript-eslint/eslint-plugin": "8.61.0",
"dedent": "1.7.2",
"esbuild": "0.28.0",
"eslint": "10.4.1",
"globals": "17.6.0",
"jest": "30.4.2",
"nock": "15.0.0",
"npm-run-all": "4.1.5",
"prettier": "3.8.4",
"ts-jest": "29.4.11",
"typescript": "5.9.3"
}
}
Reference in New Issue View Git Blame Copy Permalink