renovate 43.120.1 → 43.120.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/workers/repository/init/vulnerability.js +5 -12
  2. package/dist/workers/repository/init/vulnerability.js.map +1 -1
  3. package/package.json +1 -1
  4. package/renovate-schema.json +2 -2
package/dist/workers/repository/init/vulnerability.js CHANGED
@@ -10,7 +10,6 @@ import { NugetDatasource } from "../../../modules/datasource/nuget/index.js";
10
10
  import { id as id$2 } from "../../../modules/versioning/semver/index.js";
11
11
  import "../../../modules/versioning/npm/index.js";
12
12
  import { id as id$3 } from "../../../modules/versioning/ruby/index.js";
13
- import { GoDatasource } from "../../../modules/datasource/go/index.js";
14
13
  import { id as id$4 } from "../../../modules/versioning/composer/index.js";
15
14
  import { get } from "../../../modules/versioning/index.js";
16
15
  import { getHighestVulnerabilitySeverity } from "../../../util/vulnerability/utils.js";
@@ -51,27 +50,23 @@ async function detectVulnerabilityAlerts(input) {
51
50
  }
52
51
  const datasource = githubEcosystemToDatasource[alert.security_vulnerability.package.ecosystem];
53
52
  const depName = alert.security_vulnerability.package.name;
54
- const fileName = alert.dependency.manifest_path;
55
- const fileType = fileName.split("/").pop();
56
53
  const firstPatchedVersion = alert.security_vulnerability.first_patched_version.identifier;
57
54
  const advisory = alert.security_advisory;
58
- combinedAlerts[fileName] ??= {};
59
- combinedAlerts[fileName][datasource] ??= {};
60
- combinedAlerts[fileName][datasource][depName] ??= { advisories: [] };
61
- const alertDetails = combinedAlerts[fileName][datasource][depName];
55
+ combinedAlerts[datasource] ??= {};
56
+ combinedAlerts[datasource][depName] ??= { advisories: [] };
57
+ const alertDetails = combinedAlerts[datasource][depName];
62
58
  alertDetails.advisories.push(advisory);
63
59
  alertDetails.severity = getHighestVulnerabilitySeverity({ vulnerabilitySeverity: alertDetails.severity }, { vulnerabilitySeverity: alert.security_vulnerability.severity });
64
60
  const versioningApi = get(versionings[datasource]);
65
61
  if (versioningApi.isVersion(firstPatchedVersion)) {
66
62
  if (!alertDetails.firstPatchedVersion || versioningApi.isGreaterThan(firstPatchedVersion, alertDetails.firstPatchedVersion)) alertDetails.firstPatchedVersion = firstPatchedVersion;
67
63
  } else logger.debug("Invalid firstPatchedVersion: " + firstPatchedVersion);
68
- alertDetails.fileType = fileType;
69
64
  } catch (err) {
70
65
  logger.warn({ err }, "Error parsing vulnerability alert");
71
66
  }
72
67
  const alertPackageRules = [];
73
68
  config.remediations = {};
74
- for (const [fileName, files] of Object.entries(combinedAlerts)) for (const [datasource, dependencies] of Object.entries(files)) for (const [depName, val] of Object.entries(dependencies)) {
69
+ for (const [datasource, dependencies] of Object.entries(combinedAlerts)) for (const [depName, val] of Object.entries(dependencies)) {
75
70
  if (!val.firstPatchedVersion) continue;
76
71
  let prBodyNotes = [];
77
72
  try {
@@ -98,11 +93,9 @@ async function detectVulnerabilityAlerts(input) {
98
93
  } catch (err) /* istanbul ignore next */ {
99
94
  logger.warn({ err }, "Error generating vulnerability PR notes");
100
95
  }
101
- const matchFileNames = datasource === GoDatasource.id ? [fileName.replace("go.sum", "go.mod")] : [fileName];
102
96
  let matchRule = {
103
97
  matchDatasources: [datasource],
104
- matchPackageNames: [depName],
105
- matchFileNames
98
+ matchPackageNames: [depName]
106
99
  };
107
100
  let matchCurrentVersion = `< ${val.firstPatchedVersion}`;
108
101
  if (datasource === MavenDatasource.id || datasource === NugetDatasource.id) matchCurrentVersion = `(,${val.firstPatchedVersion})`;
package/dist/workers/repository/init/vulnerability.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"vulnerability.js","names":["semverVersioning.id","composerVersioning.id","mavenVersioning.id","pep440Versioning.id","rubyVersioning.id","allVersioning.get"],"sources":["../../../../lib/workers/repository/init/vulnerability.ts"],"sourcesContent":["import is from '@sindresorhus/is';\nimport type { PackageRule, RenovateConfig } from '../../../config/types.ts';\nimport { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';\nimport { logger } from '../../../logger/index.ts';\nimport { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';\nimport { GoDatasource } from '../../../modules/datasource/go/index.ts';\nimport { MavenDatasource } from '../../../modules/datasource/maven/index.ts';\nimport { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';\nimport type { SecurityAdvisory } from '../../../modules/platform/github/schema.ts';\nimport { platform } from '../../../modules/platform/index.ts';\nimport * as composerVersioning from '../../../modules/versioning/composer/index.ts';\nimport * as allVersioning from '../../../modules/versioning/index.ts';\nimport * as mavenVersioning from '../../../modules/versioning/maven/index.ts';\nimport * as npmVersioning from '../../../modules/versioning/npm/index.ts';\nimport * as pep440Versioning from '../../../modules/versioning/pep440/index.ts';\nimport * as rubyVersioning from '../../../modules/versioning/ruby/index.ts';\nimport * as semverVersioning from '../../../modules/versioning/semver/index.ts';\nimport { sanitizeMarkdown } from '../../../util/markdown.ts';\nimport { escapeRegExp } from '../../../util/regex.ts';\nimport { titleCase } from '../../../util/string.ts';\nimport { githubEcosystemToDatasource } from '../../../util/vulnerability/ecosystem.ts';\nimport {\n getFixedVersionConstraint,\n getHighestVulnerabilitySeverity,\n} from '../../../util/vulnerability/utils.ts';\n\ntype Datasource = string;\ntype DependencyName = string;\ntype FileName = string;\n\ntype CombinedAlert = Record<\n FileName,\n Record<\n Datasource,\n Record<\n DependencyName,\n {\n advisories: SecurityAdvisory[];\n fileType?: string;\n firstPatchedVersion?: string;\n severity?: string;\n }\n >\n >\n>;\n\nexport function getFixedVersionByDatasource(\n fixedVersion: string,\n datasource: string,\n): string {\n return getFixedVersionConstraint(fixedVersion, datasource);\n}\n\n// TODO can return `null` and `undefined` (#22198)\nexport async function detectVulnerabilityAlerts(\n input: RenovateConfig,\n): Promise<RenovateConfig> {\n if (!input?.vulnerabilityAlerts) {\n return input;\n }\n if (input.vulnerabilityAlerts.enabled === false) {\n logger.debug('Vulnerability alerts are disabled');\n return input;\n }\n const alerts = await platform.getVulnerabilityAlerts?.();\n if (!alerts?.length) {\n logger.debug('No vulnerability alerts found');\n if (input.vulnerabilityAlertsOnly) {\n throw new Error(NO_VULNERABILITY_ALERTS);\n }\n return input;\n }\n const config = { ...input };\n const versionings: Record<string, string> = {\n 'github-tags': semverVersioning.id,\n go: semverVersioning.id,\n packagist: composerVersioning.id,\n maven: mavenVersioning.id,\n npm: npmVersioning.id,\n nuget: semverVersioning.id,\n pypi: pep440Versioning.id,\n rubygems: rubyVersioning.id,\n };\n const combinedAlerts: CombinedAlert = {};\n for (const alert of alerts) {\n try {\n if (alert.dismissed_reason) {\n continue;\n }\n if (!alert.security_vulnerability?.first_patched_version) {\n logger.debug(\n { alert },\n 'Vulnerability alert has no firstPatchedVersion - skipping',\n );\n continue;\n }\n const datasource =\n githubEcosystemToDatasource[\n alert.security_vulnerability.package.ecosystem\n ];\n const depName = alert.security_vulnerability.package.name;\n const fileName = alert.dependency.manifest_path;\n const fileType = fileName.split('/').pop();\n const firstPatchedVersion =\n alert.security_vulnerability.first_patched_version.identifier;\n const advisory = alert.security_advisory;\n\n combinedAlerts[fileName] ??= {};\n combinedAlerts[fileName][datasource] ??= {};\n combinedAlerts[fileName][datasource][depName] ??= {\n advisories: [],\n };\n const alertDetails = combinedAlerts[fileName][datasource][depName];\n alertDetails.advisories.push(advisory);\n alertDetails.severity = getHighestVulnerabilitySeverity(\n { vulnerabilitySeverity: alertDetails.severity },\n { vulnerabilitySeverity: alert.security_vulnerability.severity },\n );\n const versioningApi = allVersioning.get(versionings[datasource]);\n if (versioningApi.isVersion(firstPatchedVersion)) {\n if (\n !alertDetails.firstPatchedVersion ||\n versioningApi.isGreaterThan(\n firstPatchedVersion,\n alertDetails.firstPatchedVersion,\n )\n ) {\n alertDetails.firstPatchedVersion = firstPatchedVersion;\n }\n } else {\n logger.debug('Invalid firstPatchedVersion: ' + firstPatchedVersion);\n }\n alertDetails.fileType = fileType;\n } catch (err) {\n logger.warn({ err }, 'Error parsing vulnerability alert');\n }\n }\n const alertPackageRules: PackageRule[] = [];\n config.remediations = {} as never;\n for (const [fileName, files] of Object.entries(combinedAlerts)) {\n for (const [datasource, dependencies] of Object.entries(files)) {\n for (const [depName, val] of Object.entries(dependencies)) {\n if (!val.firstPatchedVersion) {\n continue;\n }\n\n let prBodyNotes: string[] = [];\n try {\n prBodyNotes = ['### GitHub Vulnerability Alerts'].concat(\n val.advisories.map((advisory) => {\n const identifiers = advisory.identifiers;\n const description = advisory.description;\n let content = '#### ';\n let heading: string;\n if (identifiers.some((id) => id.type === 'CVE')) {\n heading = identifiers\n .filter((id) => id.type === 'CVE')\n .map((id) => id.value)\n .join(' / ');\n } else {\n heading = identifiers.map((id) => id.value).join(' / ');\n }\n if (advisory.references?.length) {\n heading = `[${heading}](${advisory.references[0].url})`;\n }\n content += heading;\n content += '\\n\\n';\n\n content += sanitizeMarkdown(description);\n\n content += '\\n\\n##### Severity\\n';\n const { cvss_v4, cvss_v3 } = advisory.cvss_severities ?? {};\n const cvss = cvss_v4?.vector_string ? cvss_v4 : cvss_v3;\n if (is.number(cvss?.score) && cvss?.vector_string) {\n content += `- CVSS Score: ${cvss.score.toFixed(1)} / 10 (${titleCase(advisory.severity)})\\n`;\n content += `- Vector String: \\`${cvss.vector_string}\\``;\n } else {\n content += titleCase(advisory.severity);\n }\n\n return content;\n }),\n );\n } catch (err) /* istanbul ignore next */ {\n logger.warn({ err }, 'Error generating vulnerability PR notes');\n }\n // TODO: types (#22198)\n const matchFileNames =\n datasource === GoDatasource.id\n ? [fileName.replace('go.sum', 'go.mod')]\n : [fileName];\n let matchRule: PackageRule = {\n matchDatasources: [datasource],\n matchPackageNames: [depName],\n matchFileNames,\n };\n\n let matchCurrentVersion = `< ${val.firstPatchedVersion}`;\n if (\n datasource === MavenDatasource.id ||\n datasource === NugetDatasource.id\n ) {\n matchCurrentVersion = `(,${val.firstPatchedVersion})`;\n } else if (datasource === GithubTagsDatasource.id) {\n matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;\n }\n\n // Remediate only direct dependencies\n matchRule = {\n ...matchRule,\n matchCurrentVersion,\n vulnerabilityFixVersion: val.firstPatchedVersion,\n vulnerabilitySeverity: val.severity,\n prBodyNotes,\n isVulnerabilityAlert: true,\n force: {\n ...config.vulnerabilityAlerts,\n },\n };\n alertPackageRules.push(matchRule);\n }\n }\n }\n logger.debug({ alertPackageRules }, 'alert package rules');\n config.packageRules = (config.packageRules ?? []).concat(alertPackageRules);\n return config;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAsDA,eAAsB,0BACpB,OACyB;AACzB,KAAI,CAAC,OAAO,oBACV,QAAO;AAET,KAAI,MAAM,oBAAoB,YAAY,OAAO;AAC/C,SAAO,MAAM,oCAAoC;AACjD,SAAO;;CAET,MAAM,SAAS,MAAM,SAAS,0BAA0B;AACxD,KAAI,CAAC,QAAQ,QAAQ;AACnB,SAAO,MAAM,gCAAgC;AAC7C,MAAI,MAAM,wBACR,OAAM,IAAI,MAAM,wBAAwB;AAE1C,SAAO;;CAET,MAAM,SAAS,EAAE,GAAG,OAAO;CAC3B,MAAM,cAAsC;EAC1C,eAAeA;EACf,IAAIA;EACJ,WAAWC;EACX,OAAOC;EACP,KAAK;EACL,OAAOF;EACP,MAAMG;EACN,UAAUC;EACX;CACD,MAAM,iBAAgC,EAAE;AACxC,MAAK,MAAM,SAAS,OAClB,KAAI;AACF,MAAI,MAAM,iBACR;AAEF,MAAI,CAAC,MAAM,wBAAwB,uBAAuB;AACxD,UAAO,MACL,EAAE,OAAO,EACT,4DACD;AACD;;EAEF,MAAM,aACJ,4BACE,MAAM,uBAAuB,QAAQ;EAEzC,MAAM,UAAU,MAAM,uBAAuB,QAAQ;EACrD,MAAM,WAAW,MAAM,WAAW;EAClC,MAAM,WAAW,SAAS,MAAM,IAAI,CAAC,KAAK;EAC1C,MAAM,sBACJ,MAAM,uBAAuB,sBAAsB;EACrD,MAAM,WAAW,MAAM;AAEvB,iBAAe,cAAc,EAAE;AAC/B,iBAAe,UAAU,gBAAgB,EAAE;AAC3C,iBAAe,UAAU,YAAY,aAAa,EAChD,YAAY,EAAE,EACf;EACD,MAAM,eAAe,eAAe,UAAU,YAAY;AAC1D,eAAa,WAAW,KAAK,SAAS;AACtC,eAAa,WAAW,gCACtB,EAAE,uBAAuB,aAAa,UAAU,EAChD,EAAE,uBAAuB,MAAM,uBAAuB,UAAU,CACjE;EACD,MAAM,gBAAgBC,IAAkB,YAAY,YAAY;AAChE,MAAI,cAAc,UAAU,oBAAoB;OAE5C,CAAC,aAAa,uBACd,cAAc,cACZ,qBACA,aAAa,oBACd,CAED,cAAa,sBAAsB;QAGrC,QAAO,MAAM,kCAAkC,oBAAoB;AAErE,eAAa,WAAW;UACjB,KAAK;AACZ,SAAO,KAAK,EAAE,KAAK,EAAE,oCAAoC;;CAG7D,MAAM,oBAAmC,EAAE;AAC3C,QAAO,eAAe,EAAE;AACxB,MAAK,MAAM,CAAC,UAAU,UAAU,OAAO,QAAQ,eAAe,CAC5D,MAAK,MAAM,CAAC,YAAY,iBAAiB,OAAO,QAAQ,MAAM,CAC5D,MAAK,MAAM,CAAC,SAAS,QAAQ,OAAO,QAAQ,aAAa,EAAE;AACzD,MAAI,CAAC,IAAI,oBACP;EAGF,IAAI,cAAwB,EAAE;AAC9B,MAAI;AACF,iBAAc,CAAC,kCAAkC,CAAC,OAChD,IAAI,WAAW,KAAK,aAAa;IAC/B,MAAM,cAAc,SAAS;IAC7B,MAAM,cAAc,SAAS;IAC7B,IAAI,UAAU;IACd,IAAI;AACJ,QAAI,YAAY,MAAM,OAAO,GAAG,SAAS,MAAM,CAC7C,WAAU,YACP,QAAQ,OAAO,GAAG,SAAS,MAAM,CACjC,KAAK,OAAO,GAAG,MAAM,CACrB,KAAK,MAAM;QAEd,WAAU,YAAY,KAAK,OAAO,GAAG,MAAM,CAAC,KAAK,MAAM;AAEzD,QAAI,SAAS,YAAY,OACvB,WAAU,IAAI,QAAQ,IAAI,SAAS,WAAW,GAAG,IAAI;AAEvD,eAAW;AACX,eAAW;AAEX,eAAW,iBAAiB,YAAY;AAExC,eAAW;IACX,MAAM,EAAE,SAAS,YAAY,SAAS,mBAAmB,EAAE;IAC3D,MAAM,OAAO,SAAS,gBAAgB,UAAU;AAChD,QAAI,GAAG,OAAO,MAAM,MAAM,IAAI,MAAM,eAAe;AACjD,gBAAW,iBAAiB,KAAK,MAAM,QAAQ,EAAE,CAAC,SAAS,UAAU,SAAS,SAAS,CAAC;AACxF,gBAAW,sBAAsB,KAAK,cAAc;UAEpD,YAAW,UAAU,SAAS,SAAS;AAGzC,WAAO;KACP,CACH;WACM,kCAAgC;AACvC,UAAO,KAAK,EAAE,KAAK,EAAE,0CAA0C;;EAGjE,MAAM,iBACJ,eAAe,aAAa,KACxB,CAAC,SAAS,QAAQ,UAAU,SAAS,CAAC,GACtC,CAAC,SAAS;EAChB,IAAI,YAAyB;GAC3B,kBAAkB,CAAC,WAAW;GAC9B,mBAAmB,CAAC,QAAQ;GAC5B;GACD;EAED,IAAI,sBAAsB,KAAK,IAAI;AACnC,MACE,eAAe,gBAAgB,MAC/B,eAAe,gBAAgB,GAE/B,uBAAsB,KAAK,IAAI,oBAAoB;WAC1C,eAAe,qBAAqB,GAC7C,uBAAsB,MAAM,aAAa,IAAI,oBAAoB,CAAC;AAIpE,cAAY;GACV,GAAG;GACH;GACA,yBAAyB,IAAI;GAC7B,uBAAuB,IAAI;GAC3B;GACA,sBAAsB;GACtB,OAAO,EACL,GAAG,OAAO,qBACX;GACF;AACD,oBAAkB,KAAK,UAAU;;AAIvC,QAAO,MAAM,EAAE,mBAAmB,EAAE,sBAAsB;AAC1D,QAAO,gBAAgB,OAAO,gBAAgB,EAAE,EAAE,OAAO,kBAAkB;AAC3E,QAAO"}
1
+ {"version":3,"file":"vulnerability.js","names":["semverVersioning.id","composerVersioning.id","mavenVersioning.id","pep440Versioning.id","rubyVersioning.id","allVersioning.get"],"sources":["../../../../lib/workers/repository/init/vulnerability.ts"],"sourcesContent":["import is from '@sindresorhus/is';\nimport type { PackageRule, RenovateConfig } from '../../../config/types.ts';\nimport { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';\nimport { logger } from '../../../logger/index.ts';\nimport { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';\nimport { MavenDatasource } from '../../../modules/datasource/maven/index.ts';\nimport { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';\nimport type { SecurityAdvisory } from '../../../modules/platform/github/schema.ts';\nimport { platform } from '../../../modules/platform/index.ts';\nimport * as composerVersioning from '../../../modules/versioning/composer/index.ts';\nimport * as allVersioning from '../../../modules/versioning/index.ts';\nimport * as mavenVersioning from '../../../modules/versioning/maven/index.ts';\nimport * as npmVersioning from '../../../modules/versioning/npm/index.ts';\nimport * as pep440Versioning from '../../../modules/versioning/pep440/index.ts';\nimport * as rubyVersioning from '../../../modules/versioning/ruby/index.ts';\nimport * as semverVersioning from '../../../modules/versioning/semver/index.ts';\nimport { sanitizeMarkdown } from '../../../util/markdown.ts';\nimport { escapeRegExp } from '../../../util/regex.ts';\nimport { titleCase } from '../../../util/string.ts';\nimport { githubEcosystemToDatasource } from '../../../util/vulnerability/ecosystem.ts';\nimport {\n getFixedVersionConstraint,\n getHighestVulnerabilitySeverity,\n} from '../../../util/vulnerability/utils.ts';\n\ntype Datasource = string;\ntype DependencyName = string;\n\ntype CombinedAlert = Record<\n Datasource,\n Record<\n DependencyName,\n {\n advisories: SecurityAdvisory[];\n firstPatchedVersion?: string;\n severity?: string;\n }\n >\n>;\n\nexport function getFixedVersionByDatasource(\n fixedVersion: string,\n datasource: string,\n): string {\n return getFixedVersionConstraint(fixedVersion, datasource);\n}\n\n// TODO can return `null` and `undefined` (#22198)\nexport async function detectVulnerabilityAlerts(\n input: RenovateConfig,\n): Promise<RenovateConfig> {\n if (!input?.vulnerabilityAlerts) {\n return input;\n }\n if (input.vulnerabilityAlerts.enabled === false) {\n logger.debug('Vulnerability alerts are disabled');\n return input;\n }\n const alerts = await platform.getVulnerabilityAlerts?.();\n if (!alerts?.length) {\n logger.debug('No vulnerability alerts found');\n if (input.vulnerabilityAlertsOnly) {\n throw new Error(NO_VULNERABILITY_ALERTS);\n }\n return input;\n }\n const config = { ...input };\n const versionings: Record<string, string> = {\n 'github-tags': semverVersioning.id,\n go: semverVersioning.id,\n packagist: composerVersioning.id,\n maven: mavenVersioning.id,\n npm: npmVersioning.id,\n nuget: semverVersioning.id,\n pypi: pep440Versioning.id,\n rubygems: rubyVersioning.id,\n };\n const combinedAlerts: CombinedAlert = {};\n for (const alert of alerts) {\n try {\n if (alert.dismissed_reason) {\n continue;\n }\n if (!alert.security_vulnerability?.first_patched_version) {\n logger.debug(\n { alert },\n 'Vulnerability alert has no firstPatchedVersion - skipping',\n );\n continue;\n }\n const datasource =\n githubEcosystemToDatasource[\n alert.security_vulnerability.package.ecosystem\n ];\n const depName = alert.security_vulnerability.package.name;\n const firstPatchedVersion =\n alert.security_vulnerability.first_patched_version.identifier;\n const advisory = alert.security_advisory;\n\n combinedAlerts[datasource] ??= {};\n combinedAlerts[datasource][depName] ??= {\n advisories: [],\n };\n const alertDetails = combinedAlerts[datasource][depName];\n alertDetails.advisories.push(advisory);\n alertDetails.severity = getHighestVulnerabilitySeverity(\n { vulnerabilitySeverity: alertDetails.severity },\n { vulnerabilitySeverity: alert.security_vulnerability.severity },\n );\n const versioningApi = allVersioning.get(versionings[datasource]);\n if (versioningApi.isVersion(firstPatchedVersion)) {\n if (\n !alertDetails.firstPatchedVersion ||\n versioningApi.isGreaterThan(\n firstPatchedVersion,\n alertDetails.firstPatchedVersion,\n )\n ) {\n alertDetails.firstPatchedVersion = firstPatchedVersion;\n }\n } else {\n logger.debug('Invalid firstPatchedVersion: ' + firstPatchedVersion);\n }\n } catch (err) {\n logger.warn({ err }, 'Error parsing vulnerability alert');\n }\n }\n const alertPackageRules: PackageRule[] = [];\n config.remediations = {} as never;\n for (const [datasource, dependencies] of Object.entries(combinedAlerts)) {\n for (const [depName, val] of Object.entries(dependencies)) {\n if (!val.firstPatchedVersion) {\n continue;\n }\n\n let prBodyNotes: string[] = [];\n try {\n prBodyNotes = ['### GitHub Vulnerability Alerts'].concat(\n val.advisories.map((advisory) => {\n const identifiers = advisory.identifiers;\n const description = advisory.description;\n let content = '#### ';\n let heading: string;\n if (identifiers.some((id) => id.type === 'CVE')) {\n heading = identifiers\n .filter((id) => id.type === 'CVE')\n .map((id) => id.value)\n .join(' / ');\n } else {\n heading = identifiers.map((id) => id.value).join(' / ');\n }\n if (advisory.references?.length) {\n heading = `[${heading}](${advisory.references[0].url})`;\n }\n content += heading;\n content += '\\n\\n';\n\n content += sanitizeMarkdown(description);\n\n content += '\\n\\n##### Severity\\n';\n const { cvss_v4, cvss_v3 } = advisory.cvss_severities ?? {};\n const cvss = cvss_v4?.vector_string ? cvss_v4 : cvss_v3;\n if (is.number(cvss?.score) && cvss?.vector_string) {\n content += `- CVSS Score: ${cvss.score.toFixed(1)} / 10 (${titleCase(advisory.severity)})\\n`;\n content += `- Vector String: \\`${cvss.vector_string}\\``;\n } else {\n content += titleCase(advisory.severity);\n }\n\n return content;\n }),\n );\n } catch (err) /* istanbul ignore next */ {\n logger.warn({ err }, 'Error generating vulnerability PR notes');\n }\n let matchRule: PackageRule = {\n matchDatasources: [datasource],\n matchPackageNames: [depName],\n };\n\n let matchCurrentVersion = `< ${val.firstPatchedVersion}`;\n if (\n datasource === MavenDatasource.id ||\n datasource === NugetDatasource.id\n ) {\n matchCurrentVersion = `(,${val.firstPatchedVersion})`;\n } else if (datasource === GithubTagsDatasource.id) {\n matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;\n }\n\n matchRule = {\n ...matchRule,\n matchCurrentVersion,\n vulnerabilityFixVersion: val.firstPatchedVersion,\n vulnerabilitySeverity: val.severity,\n prBodyNotes,\n isVulnerabilityAlert: true,\n force: {\n ...config.vulnerabilityAlerts,\n },\n };\n alertPackageRules.push(matchRule);\n }\n }\n logger.debug({ alertPackageRules }, 'alert package rules');\n config.packageRules = (config.packageRules ?? []).concat(alertPackageRules);\n return config;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAgDA,eAAsB,0BACpB,OACyB;AACzB,KAAI,CAAC,OAAO,oBACV,QAAO;AAET,KAAI,MAAM,oBAAoB,YAAY,OAAO;AAC/C,SAAO,MAAM,oCAAoC;AACjD,SAAO;;CAET,MAAM,SAAS,MAAM,SAAS,0BAA0B;AACxD,KAAI,CAAC,QAAQ,QAAQ;AACnB,SAAO,MAAM,gCAAgC;AAC7C,MAAI,MAAM,wBACR,OAAM,IAAI,MAAM,wBAAwB;AAE1C,SAAO;;CAET,MAAM,SAAS,EAAE,GAAG,OAAO;CAC3B,MAAM,cAAsC;EAC1C,eAAeA;EACf,IAAIA;EACJ,WAAWC;EACX,OAAOC;EACP,KAAK;EACL,OAAOF;EACP,MAAMG;EACN,UAAUC;EACX;CACD,MAAM,iBAAgC,EAAE;AACxC,MAAK,MAAM,SAAS,OAClB,KAAI;AACF,MAAI,MAAM,iBACR;AAEF,MAAI,CAAC,MAAM,wBAAwB,uBAAuB;AACxD,UAAO,MACL,EAAE,OAAO,EACT,4DACD;AACD;;EAEF,MAAM,aACJ,4BACE,MAAM,uBAAuB,QAAQ;EAEzC,MAAM,UAAU,MAAM,uBAAuB,QAAQ;EACrD,MAAM,sBACJ,MAAM,uBAAuB,sBAAsB;EACrD,MAAM,WAAW,MAAM;AAEvB,iBAAe,gBAAgB,EAAE;AACjC,iBAAe,YAAY,aAAa,EACtC,YAAY,EAAE,EACf;EACD,MAAM,eAAe,eAAe,YAAY;AAChD,eAAa,WAAW,KAAK,SAAS;AACtC,eAAa,WAAW,gCACtB,EAAE,uBAAuB,aAAa,UAAU,EAChD,EAAE,uBAAuB,MAAM,uBAAuB,UAAU,CACjE;EACD,MAAM,gBAAgBC,IAAkB,YAAY,YAAY;AAChE,MAAI,cAAc,UAAU,oBAAoB;OAE5C,CAAC,aAAa,uBACd,cAAc,cACZ,qBACA,aAAa,oBACd,CAED,cAAa,sBAAsB;QAGrC,QAAO,MAAM,kCAAkC,oBAAoB;UAE9D,KAAK;AACZ,SAAO,KAAK,EAAE,KAAK,EAAE,oCAAoC;;CAG7D,MAAM,oBAAmC,EAAE;AAC3C,QAAO,eAAe,EAAE;AACxB,MAAK,MAAM,CAAC,YAAY,iBAAiB,OAAO,QAAQ,eAAe,CACrE,MAAK,MAAM,CAAC,SAAS,QAAQ,OAAO,QAAQ,aAAa,EAAE;AACzD,MAAI,CAAC,IAAI,oBACP;EAGF,IAAI,cAAwB,EAAE;AAC9B,MAAI;AACF,iBAAc,CAAC,kCAAkC,CAAC,OAChD,IAAI,WAAW,KAAK,aAAa;IAC/B,MAAM,cAAc,SAAS;IAC7B,MAAM,cAAc,SAAS;IAC7B,IAAI,UAAU;IACd,IAAI;AACJ,QAAI,YAAY,MAAM,OAAO,GAAG,SAAS,MAAM,CAC7C,WAAU,YACP,QAAQ,OAAO,GAAG,SAAS,MAAM,CACjC,KAAK,OAAO,GAAG,MAAM,CACrB,KAAK,MAAM;QAEd,WAAU,YAAY,KAAK,OAAO,GAAG,MAAM,CAAC,KAAK,MAAM;AAEzD,QAAI,SAAS,YAAY,OACvB,WAAU,IAAI,QAAQ,IAAI,SAAS,WAAW,GAAG,IAAI;AAEvD,eAAW;AACX,eAAW;AAEX,eAAW,iBAAiB,YAAY;AAExC,eAAW;IACX,MAAM,EAAE,SAAS,YAAY,SAAS,mBAAmB,EAAE;IAC3D,MAAM,OAAO,SAAS,gBAAgB,UAAU;AAChD,QAAI,GAAG,OAAO,MAAM,MAAM,IAAI,MAAM,eAAe;AACjD,gBAAW,iBAAiB,KAAK,MAAM,QAAQ,EAAE,CAAC,SAAS,UAAU,SAAS,SAAS,CAAC;AACxF,gBAAW,sBAAsB,KAAK,cAAc;UAEpD,YAAW,UAAU,SAAS,SAAS;AAGzC,WAAO;KACP,CACH;WACM,kCAAgC;AACvC,UAAO,KAAK,EAAE,KAAK,EAAE,0CAA0C;;EAEjE,IAAI,YAAyB;GAC3B,kBAAkB,CAAC,WAAW;GAC9B,mBAAmB,CAAC,QAAQ;GAC7B;EAED,IAAI,sBAAsB,KAAK,IAAI;AACnC,MACE,eAAe,gBAAgB,MAC/B,eAAe,gBAAgB,GAE/B,uBAAsB,KAAK,IAAI,oBAAoB;WAC1C,eAAe,qBAAqB,GAC7C,uBAAsB,MAAM,aAAa,IAAI,oBAAoB,CAAC;AAGpE,cAAY;GACV,GAAG;GACH;GACA,yBAAyB,IAAI;GAC7B,uBAAuB,IAAI;GAC3B;GACA,sBAAsB;GACtB,OAAO,EACL,GAAG,OAAO,qBACX;GACF;AACD,oBAAkB,KAAK,UAAU;;AAGrC,QAAO,MAAM,EAAE,mBAAmB,EAAE,sBAAsB;AAC1D,QAAO,gBAAgB,OAAO,gBAAgB,EAAE,EAAE,OAAO,kBAAkB;AAC3E,QAAO"}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "renovate",
3
3
  "description": "Automated dependency updates. Flexible so you don't need to be.",
4
- "version": "43.120.1",
4
+ "version": "43.120.2",
5
5
  "type": "module",
6
6
  "bin": {
7
7
  "renovate": "dist/renovate.js",
package/renovate-schema.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$id": "https://docs.renovatebot.com/renovate-schema.json",
3
- "title": "JSON schema for Renovate 43.120.1 config files (https://renovatebot.com/)",
3
+ "title": "JSON schema for Renovate 43.120.2 config files (https://renovatebot.com/)",
4
4
  "$schema": "http://json-schema.org/draft-07/schema#",
5
- "x-renovate-version": "43.120.1",
5
+ "x-renovate-version": "43.120.2",
6
6
  "allowComments": true,
7
7
  "type": "object",
8
8
  "properties": {