9e2c1cc01d
## What

Adds `overrides` to `sources/package.json` to force patched versions of transitively-pulled packages flagged by Dependabot, plus one moderate issue surfaced by `npm audit`:

| Package | Severity | Patched to | Pulled in via |
|---|---|---|---|
| `shell-quote` | Critical | 1.8.4 | `npm-run-all` |
| `fast-xml-builder` | High | 1.2.0 | `@actions/artifact` → `@azure/storage-blob` → `@azure/core-xml` → `fast-xml-parser` |
| `fast-xml-parser` | Medium | 5.8.0 | `@actions/artifact` → `@azure/storage-blob` → `@azure/core-xml` |
| `brace-expansion` | Moderate | 5.0.6 | `eslint` |

## Notes

- All four are **transitive** dependencies, so they're pinned via the existing `overrides` block rather than direct version bumps.
- The patched versions satisfy the parents' declared ranges (e.g. `@azure/core-xml` requires `fast-xml-parser ^5.0.7`; `fast-xml-parser` 5.8.0 requires `fast-xml-builder ^1.2.0`), so nothing is force-downgraded or broken.
- `brace-expansion` is **scoped under `eslint`** rather than a blanket override — most copies in the tree were already on the patched 5.0.6, and only `eslint`'s was stuck at the vulnerable 5.0.5. A global override would have forced unrelated 1.x/2.x copies up a major version.

## Verification

- `npm audit` → **0 vulnerabilities**
- `npm ci` → clean install, 0 vulnerabilities
- `npm test` → **352 passed, 14 suites**

The root `dist/` directory is intentionally left for the CI workflow to update.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
{
"name": "gradle-actions",
"version": "1.0.0",
"private": true,
"type": "module",
"description": "Execute Gradle Build",
"scripts": {
"prettier-write": "prettier --write 'src/**/*.ts'",
"prettier-check": "prettier --check 'src/**/*.ts'",
"lint": "eslint 'src/**/*.ts'",
"compile-dependency-submission-main": "esbuild src/actions/dependency-submission/main.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/dependency-submission/main/index.js --sourcemap --minify",
"compile-dependency-submission-post": "esbuild src/actions/dependency-submission/post.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/dependency-submission/post/index.js --sourcemap --minify",
"compile-setup-gradle-main": "esbuild src/actions/setup-gradle/main.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/setup-gradle/main/index.js --sourcemap --minify",
"compile-setup-gradle-post": "esbuild src/actions/setup-gradle/post.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/setup-gradle/post/index.js --sourcemap --minify",
"compile-wrapper-validation-main": "esbuild src/actions/wrapper-validation/main.ts --bundle --platform=node --target=node24 --format=esm --banner:js=\"import {createRequire} from 'module';const require=createRequire(import.meta.url);\" --outfile=dist/wrapper-validation/main/index.js --sourcemap --minify",
"compile": "npm-run-all --parallel compile-*",
"check": "npm-run-all --parallel prettier-check lint",
"format": "npm-run-all --parallel prettier-write lint",
"test": "NODE_OPTIONS=--experimental-vm-modules jest",
"build": "npm run format && npm run compile",
"all": "npm run build && npm test"
},
"repository": {
"type": "git",
"url": "git+https://github.com/gradle/actions.git"
},
"keywords": [
"github",
"actions",
"github-actions",
"gradle"
],
"license": "MIT",
"engines": {
"node": ">=24.0.0"
},
"dependencies": {
"@actions/artifact": "6.2.1",
"@actions/cache": "6.0.1",
"@actions/core": "3.0.1",
"@actions/exec": "3.0.0",
"@actions/github": "9.1.1",
"@actions/glob": "0.7.0",
"@actions/http-client": "4.0.1",
"@actions/tool-cache": "4.0.0",
"@octokit/webhooks-types": "7.6.1",
"cheerio": "1.2.0",
"semver": "7.8.3",
"string-argv": "0.3.2",
"unhomoglyph": "1.0.6",
"which": "7.0.0"
},
"devDependencies": {
"@jest/globals": "30.4.1",
"@types/jest": "30.0.0",
"@types/node": "25.9.2",
"@types/semver": "7.7.1",
"@types/unzipper": "0.10.11",
"@types/which": "3.0.4",
"@typescript-eslint/eslint-plugin": "8.61.0",
"dedent": "1.7.2",
"esbuild": "0.28.0",
"eslint": "10.4.1",
"globals": "17.6.0",
"jest": "30.4.2",
"nock": "15.0.0",
"npm-run-all": "4.1.5",
"prettier": "3.8.4",
"ts-jest": "29.4.11",
"typescript": "5.9.3"
},
"overrides": {
"@azure/logger": "1.1.4",
"@octokit/request": "8.4.1",
"@octokit/request-error": "5.1.1",
"@octokit/plugin-paginate-rest": "9.2.2",
"shell-quote": "1.8.4",
"fast-xml-parser": "5.8.0",
"fast-xml-builder": "1.2.0",
"eslint": {
"brace-expansion": "5.0.6"
}
}
}