From 613939dfc68e7d7e88149dfa168432d0ee1e1085 Mon Sep 17 00:00:00 2001 From: Dhirender Choudhary Date: Thu, 9 Jul 2026 11:49:14 +0530 Subject: [PATCH] Fix Semgrep policy findings --- .github/dependabot.yml | 2 ++ .github/workflows/pr-checks.yml | 52 +++++++++++++-------------- .github/workflows/release.yml | 12 +++---- .github/workflows/stale-prs.yml | 4 +-- .github/workflows/update-badges.yml | 6 ++-- .github/workflows/update-homebrew.yml | 2 +- .github/workflows/update-nix.yml | 4 +-- .npmrc | 1 + pnpm-workspace.yaml | 4 +++ 9 files changed, 47 insertions(+), 40 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1472e298..4c07f38b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: "weekly" + cooldown: + default-days: 7 ignore: # Managed via pnpm overrides in package.json - dependency-name: "jws" diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 31a93281..e203ce04 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -17,16 +17,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -42,16 +42,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -67,16 +67,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -92,16 +92,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -124,7 +124,7 @@ jobs: coverage: ${{ steps.coverage.outputs.coverage }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -132,10 +132,10 @@ jobs: set-safe-directory: false - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -193,16 +193,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -234,16 +234,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' @@ -269,7 +269,7 @@ jobs: image: semgrep/semgrep steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -291,14 +291,14 @@ jobs: language: ['javascript'] # CodeQL analyzes both JavaScript and TypeScript together steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 # Initializes the CodeQL tools for scanning - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@641a925cfafe92d0fdf8b239ba4053e3f8d99d6d with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file @@ -309,8 +309,8 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java) # If this step fails, then you should remove it and run the build manually - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@641a925cfafe92d0fdf8b239ba4053e3f8d99d6d # Perform CodeQL Analysis - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 \ No newline at end of file + uses: github/codeql-action/analyze@641a925cfafe92d0fdf8b239ba4053e3f8d99d6d \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b1446aaf..0e43c46a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,10 +18,10 @@ jobs: npm-version: ${{ steps.version-check.outputs.npm-version }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' @@ -51,16 +51,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' registry-url: 'https://registry.npmjs.org' - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Install dependencies (including VS Code extension) run: pnpm install --frozen-lockfile @@ -127,7 +127,7 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Create GitHub Release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/stale-prs.yml b/.github/workflows/stale-prs.yml index 6708f4b9..587aa488 100644 --- a/.github/workflows/stale-prs.yml +++ b/.github/workflows/stale-prs.yml @@ -34,14 +34,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout (for CODEOWNERS) - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: sparse-checkout: | .github/CODEOWNERS sparse-checkout-cone-mode: false - name: Process open pull requests - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b with: script: | const fs = require('fs'); diff --git a/.github/workflows/update-badges.yml b/.github/workflows/update-badges.yml index 5d56ace3..9df750f8 100644 --- a/.github/workflows/update-badges.yml +++ b/.github/workflows/update-badges.yml @@ -14,15 +14,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: token: ${{ secrets.PAT_TOKEN }} - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/update-homebrew.yml b/.github/workflows/update-homebrew.yml index d1daff74..9971a632 100644 --- a/.github/workflows/update-homebrew.yml +++ b/.github/workflows/update-homebrew.yml @@ -28,7 +28,7 @@ jobs: runs-on: macos-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: main fetch-depth: 0 diff --git a/.github/workflows/update-nix.yml b/.github/workflows/update-nix.yml index ebaa31a7..c0aed45b 100644 --- a/.github/workflows/update-nix.yml +++ b/.github/workflows/update-nix.yml @@ -34,14 +34,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: main fetch-depth: 0 token: ${{ secrets.PAT_TOKEN }} - name: Install Nix - uses: cachix/install-nix-action@v26 + uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c with: nix_path: nixpkgs=channel:nixos-unstable extra_nix_config: | diff --git a/.npmrc b/.npmrc index e67cb294..d9a7df67 100644 --- a/.npmrc +++ b/.npmrc @@ -6,3 +6,4 @@ # legacy-peer-deps restores npm's pre-v7 behaviour so those installs succeed. # pnpm ignores this key, so our own tooling is unaffected. legacy-peer-deps=true +min-release-age=7 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 2b57339c..78a595d8 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -2,6 +2,10 @@ packages: - . - plugins/* +minimumReleaseAge: 10080 +blockExoticSubdeps: true +trustPolicy: no-downgrade + overrides: tmp: ">=0.2.6"