renovate 43.134.0 → 43.134.1

@@ -2,16 +2,11 @@ import { NO_VULNERABILITY_ALERTS } from "../../../constants/error-messages.js";
2
2
  import { escapeRegExp, regEx } from "../../../util/regex.js";
3
3
  import { titleCase } from "../../../util/string.js";
4
4
  import { logger } from "../../../logger/index.js";
5
- import { id } from "../../../modules/versioning/pep440/index.js";
6
5
  import { GithubTagsDatasource } from "../../../modules/datasource/github-tags/index.js";
7
- import { id as id$1 } from "../../../modules/versioning/maven/index.js";
8
6
  import { MavenDatasource } from "../../../modules/datasource/maven/index.js";
9
- import { id as id$2 } from "../../../modules/versioning/semver/index.js";
10
7
  import { NugetDatasource } from "../../../modules/datasource/nuget/index.js";
11
- import "../../../modules/versioning/npm/index.js";
12
- import { id as id$3 } from "../../../modules/versioning/ruby/index.js";
13
- import { id as id$4 } from "../../../modules/versioning/composer/index.js";
14
8
  import { get } from "../../../modules/versioning/index.js";
9
+ import { getDefaultVersioning } from "../../../modules/datasource/common.js";
15
10
  import { getHighestVulnerabilitySeverity } from "../../../util/vulnerability/utils.js";
16
11
  import { platform } from "../../../modules/platform/index.js";
17
12
  import { sanitizeMarkdown } from "../../../util/markdown.js";
@@ -31,16 +26,6 @@ async function detectVulnerabilityAlerts(input) {
31
26
  return input;
32
27
  }
33
28
  const config = { ...input };
34
- const versionings = {
35
- "github-tags": id$2,
36
- go: id$2,
37
- packagist: id$4,
38
- maven: id$1,
39
- npm: "npm",
40
- nuget: id$2,
41
- pypi: id,
42
- rubygems: id$3
43
- };
44
29
  const combinedAlerts = {};
45
30
  for (const alert of alerts) try {
46
31
  if (alert.dismissed_reason) continue;
@@ -57,7 +42,7 @@ async function detectVulnerabilityAlerts(input) {
57
42
  const alertDetails = combinedAlerts[datasource][depName];
58
43
  alertDetails.advisories.push(advisory);
59
44
  alertDetails.severity = getHighestVulnerabilitySeverity({ vulnerabilitySeverity: alertDetails.severity }, { vulnerabilitySeverity: alert.security_vulnerability.severity });
60
- const versioningApi = get(versionings[datasource]);
45
+ const versioningApi = get(getDefaultVersioning(datasource));
61
46
  if (versioningApi.isVersion(firstPatchedVersion)) {
62
47
  if (!alertDetails.firstPatchedVersion || versioningApi.isGreaterThan(firstPatchedVersion, alertDetails.firstPatchedVersion)) alertDetails.firstPatchedVersion = firstPatchedVersion;
63
48
  } else logger.debug("Invalid firstPatchedVersion: " + firstPatchedVersion);
@@ -71,7 +56,7 @@ async function detectVulnerabilityAlerts(input) {
71
56
  let prBodyNotes = [];
72
57
  try {
73
58
  prBodyNotes = val.advisories.flatMap((advisory) => generatePrBodyNotes(advisory));
74
- } catch (err) /* istanbul ignore next */ {
59
+ } catch (err) /* v8 ignore next */ {
75
60
  logger.warn({ err }, "Error generating vulnerability PR notes");
76
61
  }
77
62
  let matchRule = {
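Review bot: The versioning that validates and ranks `firstPatchedVersion` now comes from `getDefaultVersioning(datasource)` at the `get(...)` call, and nothing visible here pins that it still matches the removed map (semver for github-tags, go and nuget; composer for packagist; maven, npm, pep440 and ruby for the rest). If any datasource's default differs, a patched version that used to pass `isVersion` could be rejected, and the only trace is the `logger.debug("Invalid firstPatchedVersion: " + firstPatchedVersion)` line, so the alert would apparently yield no remediation rule. I would add a test asserting the versioning id chosen for each of the eight alert datasources, and a comment above the call such as `// versioning is the datasource default; a rejected firstPatchedVersion drops this alert's remediation`. `detectVulnerabilityAlerts` starts and ends outside these hunks, so how an unmapped ecosystem (an undefined `datasource`) is handled by `getDefaultVersioning` cannot be confirmed from here.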
@@ -1 +1 @@
1
- {"version":3,"file":"vulnerability.js","names":["semverVersioning.id","composerVersioning.id","mavenVersioning.id","pep440Versioning.id","rubyVersioning.id","allVersioning.get"],"sources":["../../../../lib/workers/repository/init/vulnerability.ts"],"sourcesContent":["import is from '@sindresorhus/is';\nimport type { PackageRule, RenovateConfig } from '../../../config/types.ts';\nimport { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';\nimport { logger } from '../../../logger/index.ts';\nimport { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';\nimport { MavenDatasource } from '../../../modules/datasource/maven/index.ts';\nimport { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';\nimport type { SecurityAdvisory } from '../../../modules/platform/github/schema.ts';\nimport { platform } from '../../../modules/platform/index.ts';\nimport * as composerVersioning from '../../../modules/versioning/composer/index.ts';\nimport * as allVersioning from '../../../modules/versioning/index.ts';\nimport * as mavenVersioning from '../../../modules/versioning/maven/index.ts';\nimport * as npmVersioning from '../../../modules/versioning/npm/index.ts';\nimport * as pep440Versioning from '../../../modules/versioning/pep440/index.ts';\nimport * as rubyVersioning from '../../../modules/versioning/ruby/index.ts';\nimport * as semverVersioning from '../../../modules/versioning/semver/index.ts';\nimport { sanitizeMarkdown } from '../../../util/markdown.ts';\nimport { escapeRegExp, regEx } from '../../../util/regex.ts';\nimport { titleCase } from '../../../util/string.ts';\nimport { githubEcosystemToDatasource } from '../../../util/vulnerability/ecosystem.ts';\nimport {\n getFixedVersionConstraint,\n getHighestVulnerabilitySeverity,\n} from '../../../util/vulnerability/utils.ts';\n\ntype Datasource = string;\ntype DependencyName = string;\n\ntype CombinedAlert = Record<\n Datasource,\n Record<\n DependencyName,\n {\n 
advisories: SecurityAdvisory[];\n firstPatchedVersion?: string;\n severity?: string;\n }\n >\n>;\n\nexport function getFixedVersionByDatasource(\n fixedVersion: string,\n datasource: string,\n): string {\n return getFixedVersionConstraint(fixedVersion, datasource);\n}\n\n// TODO can return `null` and `undefined` (#22198)\nexport async function detectVulnerabilityAlerts(\n input: RenovateConfig,\n): Promise<RenovateConfig> {\n if (!input?.vulnerabilityAlerts) {\n return input;\n }\n if (input.vulnerabilityAlerts.enabled === false) {\n logger.debug('Vulnerability alerts are disabled');\n return input;\n }\n const alerts = await platform.getVulnerabilityAlerts?.();\n if (!alerts?.length) {\n logger.debug('No vulnerability alerts found');\n if (input.vulnerabilityAlertsOnly) {\n throw new Error(NO_VULNERABILITY_ALERTS);\n }\n return input;\n }\n const config = { ...input };\n const versionings: Record<string, string> = {\n 'github-tags': semverVersioning.id,\n go: semverVersioning.id,\n packagist: composerVersioning.id,\n maven: mavenVersioning.id,\n npm: npmVersioning.id,\n nuget: semverVersioning.id,\n pypi: pep440Versioning.id,\n rubygems: rubyVersioning.id,\n };\n const combinedAlerts: CombinedAlert = {};\n for (const alert of alerts) {\n try {\n if (alert.dismissed_reason) {\n continue;\n }\n if (!alert.security_vulnerability?.first_patched_version) {\n logger.debug(\n { alert },\n 'Vulnerability alert has no firstPatchedVersion - skipping',\n );\n continue;\n }\n const datasource =\n githubEcosystemToDatasource[\n alert.security_vulnerability.package.ecosystem\n ];\n const depName = alert.security_vulnerability.package.name;\n const firstPatchedVersion =\n alert.security_vulnerability.first_patched_version.identifier;\n const advisory = alert.security_advisory;\n\n combinedAlerts[datasource] ??= {};\n combinedAlerts[datasource][depName] ??= {\n advisories: [],\n };\n const alertDetails = combinedAlerts[datasource][depName];\n 
alertDetails.advisories.push(advisory);\n alertDetails.severity = getHighestVulnerabilitySeverity(\n { vulnerabilitySeverity: alertDetails.severity },\n { vulnerabilitySeverity: alert.security_vulnerability.severity },\n );\n const versioningApi = allVersioning.get(versionings[datasource]);\n if (versioningApi.isVersion(firstPatchedVersion)) {\n if (\n !alertDetails.firstPatchedVersion ||\n versioningApi.isGreaterThan(\n firstPatchedVersion,\n alertDetails.firstPatchedVersion,\n )\n ) {\n alertDetails.firstPatchedVersion = firstPatchedVersion;\n }\n } else {\n logger.debug('Invalid firstPatchedVersion: ' + firstPatchedVersion);\n }\n } catch (err) {\n logger.warn({ err }, 'Error parsing vulnerability alert');\n }\n }\n const alertPackageRules: PackageRule[] = [];\n config.remediations = {} as never;\n for (const [datasource, dependencies] of Object.entries(combinedAlerts)) {\n for (const [depName, val] of Object.entries(dependencies)) {\n if (!val.firstPatchedVersion) {\n continue;\n }\n\n let prBodyNotes: string[] = [];\n try {\n prBodyNotes = val.advisories.flatMap((advisory) =>\n generatePrBodyNotes(advisory),\n );\n } catch (err) /* istanbul ignore next */ {\n logger.warn({ err }, 'Error generating vulnerability PR notes');\n }\n let matchRule: PackageRule = {\n matchDatasources: [datasource],\n matchPackageNames: [depName],\n };\n\n let matchCurrentVersion = `< ${val.firstPatchedVersion}`;\n if (\n datasource === MavenDatasource.id ||\n datasource === NugetDatasource.id\n ) {\n matchCurrentVersion = `(,${val.firstPatchedVersion})`;\n } else if (datasource === GithubTagsDatasource.id) {\n matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;\n }\n\n matchRule = {\n ...matchRule,\n matchCurrentVersion,\n vulnerabilityFixVersion: val.firstPatchedVersion,\n vulnerabilitySeverity: val.severity,\n prBodyNotes,\n isVulnerabilityAlert: true,\n force: {\n ...config.vulnerabilityAlerts,\n },\n };\n alertPackageRules.push(matchRule);\n }\n }\n 
logger.debug({ alertPackageRules }, 'alert package rules');\n config.packageRules = (config.packageRules ?? []).concat(alertPackageRules);\n return config;\n}\n\nfunction generatePrBodyNotes(advisory: SecurityAdvisory): string[] {\n const aliases = advisory.identifiers\n .map((id) => id.value)\n .sort()\n .map((id) => {\n if (id.startsWith('CVE-')) {\n return `[${id}](https://nvd.nist.gov/vuln/detail/${id})`;\n }\n if (id.startsWith('GHSA-')) {\n return `[${id}](https://github.com/advisories/${id})`;\n }\n return id;\n });\n\n let content = '\\n\\n---\\n\\n### ';\n content += `${advisory.summary}\\n`;\n content += `${aliases.join(' / ')}\\n`;\n content += `\\n<details>\\n<summary>More information</summary>\\n`;\n\n const details = advisory.description.replace(regEx(/^#{1,4} /gm), '##### ');\n content += `#### Details\\n${details}\\n`;\n\n content += '#### Severity\\n';\n const { cvss_v4, cvss_v3 } = advisory.cvss_severities ?? {};\n const cvss = cvss_v4?.vector_string ? cvss_v4 : cvss_v3;\n if (is.number(cvss?.score) && cvss?.vector_string) {\n content += `- CVSS Score: ${cvss.score.toFixed(1)} / 10 (${titleCase(advisory.severity)})\\n`;\n content += `- Vector String: \\`${cvss.vector_string}\\`\\n`;\n } else {\n content += `${titleCase(advisory.severity)}\\n`;\n }\n\n content += `\\n#### References\\n${\n advisory.references\n ?.map((ref) => `- [${ref.url}](${ref.url})`)\n .join('\\n') ?? 
'No references.'\n }`;\n\n content += `\\n\\nThis data is provided by the [GitHub Advisory Database](https://github.com/advisories/${advisory.ghsa_id}) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).\\n`;\n content += `</details>`;\n\n return [sanitizeMarkdown(content)];\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAgDA,eAAsB,0BACpB,OACyB;AACzB,KAAI,CAAC,OAAO,oBACV,QAAO;AAET,KAAI,MAAM,oBAAoB,YAAY,OAAO;AAC/C,SAAO,MAAM,oCAAoC;AACjD,SAAO;;CAET,MAAM,SAAS,MAAM,SAAS,0BAA0B;AACxD,KAAI,CAAC,QAAQ,QAAQ;AACnB,SAAO,MAAM,gCAAgC;AAC7C,MAAI,MAAM,wBACR,OAAM,IAAI,MAAM,wBAAwB;AAE1C,SAAO;;CAET,MAAM,SAAS,EAAE,GAAG,OAAO;CAC3B,MAAM,cAAsC;EAC1C,eAAeA;EACf,IAAIA;EACJ,WAAWC;EACX,OAAOC;EACP,KAAK;EACL,OAAOF;EACP,MAAMG;EACN,UAAUC;EACX;CACD,MAAM,iBAAgC,EAAE;AACxC,MAAK,MAAM,SAAS,OAClB,KAAI;AACF,MAAI,MAAM,iBACR;AAEF,MAAI,CAAC,MAAM,wBAAwB,uBAAuB;AACxD,UAAO,MACL,EAAE,OAAO,EACT,4DACD;AACD;;EAEF,MAAM,aACJ,4BACE,MAAM,uBAAuB,QAAQ;EAEzC,MAAM,UAAU,MAAM,uBAAuB,QAAQ;EACrD,MAAM,sBACJ,MAAM,uBAAuB,sBAAsB;EACrD,MAAM,WAAW,MAAM;AAEvB,iBAAe,gBAAgB,EAAE;AACjC,iBAAe,YAAY,aAAa,EACtC,YAAY,EAAE,EACf;EACD,MAAM,eAAe,eAAe,YAAY;AAChD,eAAa,WAAW,KAAK,SAAS;AACtC,eAAa,WAAW,gCACtB,EAAE,uBAAuB,aAAa,UAAU,EAChD,EAAE,uBAAuB,MAAM,uBAAuB,UAAU,CACjE;EACD,MAAM,gBAAgBC,IAAkB,YAAY,YAAY;AAChE,MAAI,cAAc,UAAU,oBAAoB;OAE5C,CAAC,aAAa,uBACd,cAAc,cACZ,qBACA,aAAa,oBACd,CAED,cAAa,sBAAsB;QAGrC,QAAO,MAAM,kCAAkC,oBAAoB;UAE9D,KAAK;AACZ,SAAO,KAAK,EAAE,KAAK,EAAE,oCAAoC;;CAG7D,MAAM,oBAAmC,EAAE;AAC3C,QAAO,eAAe,EAAE;AACxB,MAAK,MAAM,CAAC,YAAY,iBAAiB,OAAO,QAAQ,eAAe,CACrE,MAAK,MAAM,CAAC,SAAS,QAAQ,OAAO,QAAQ,aAAa,EAAE;AACzD,MAAI,CAAC,IAAI,oBACP;EAGF,IAAI,cAAwB,EAAE;AAC9B,MAAI;AACF,iBAAc,IAAI,WAAW,SAAS,aACpC,oBAAoB,SAAS,CAC9B;WACM,kCAAgC;AACvC,UAAO,KAAK,EAAE,KAAK,EAAE,0CAA0C;;EAEjE,IAAI,YAAyB;GAC3B,kBAAkB,CAAC,WAAW;GAC9B,mBAAmB,CAAC,QAAQ;GAC7B;EAED,IAAI,sBAAsB,KAAK,IAAI;AACnC,MACE,eAAe,gBAAgB,MAC/B,eAAe,gBAAgB,GAE/B,uBAAsB,KAAK,IAAI,oBAAoB;WAC1C,eAAe,qBAAqB,GAC7C,uBAAsB,MAAM,aAAa,IAAI,oBAAoB,CAAC;AAGpE,cAAY;GACV,GAAG;GACH;GACA,yBAAy
B,IAAI;GAC7B,uBAAuB,IAAI;GAC3B;GACA,sBAAsB;GACtB,OAAO,EACL,GAAG,OAAO,qBACX;GACF;AACD,oBAAkB,KAAK,UAAU;;AAGrC,QAAO,MAAM,EAAE,mBAAmB,EAAE,sBAAsB;AAC1D,QAAO,gBAAgB,OAAO,gBAAgB,EAAE,EAAE,OAAO,kBAAkB;AAC3E,QAAO;;AAGT,SAAS,oBAAoB,UAAsC;CACjE,MAAM,UAAU,SAAS,YACtB,KAAK,OAAO,GAAG,MAAM,CACrB,MAAM,CACN,KAAK,OAAO;AACX,MAAI,GAAG,WAAW,OAAO,CACvB,QAAO,IAAI,GAAG,qCAAqC,GAAG;AAExD,MAAI,GAAG,WAAW,QAAQ,CACxB,QAAO,IAAI,GAAG,kCAAkC,GAAG;AAErD,SAAO;GACP;CAEJ,IAAI,UAAU;AACd,YAAW,GAAG,SAAS,QAAQ;AAC/B,YAAW,GAAG,QAAQ,KAAK,MAAM,CAAC;AAClC,YAAW;CAEX,MAAM,UAAU,SAAS,YAAY,QAAQ,MAAM,aAAa,EAAE,SAAS;AAC3E,YAAW,iBAAiB,QAAQ;AAEpC,YAAW;CACX,MAAM,EAAE,SAAS,YAAY,SAAS,mBAAmB,EAAE;CAC3D,MAAM,OAAO,SAAS,gBAAgB,UAAU;AAChD,KAAI,GAAG,OAAO,MAAM,MAAM,IAAI,MAAM,eAAe;AACjD,aAAW,iBAAiB,KAAK,MAAM,QAAQ,EAAE,CAAC,SAAS,UAAU,SAAS,SAAS,CAAC;AACxF,aAAW,sBAAsB,KAAK,cAAc;OAEpD,YAAW,GAAG,UAAU,SAAS,SAAS,CAAC;AAG7C,YAAW,sBACT,SAAS,YACL,KAAK,QAAQ,MAAM,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAC3C,KAAK,KAAK,IAAI;AAGnB,YAAW,6FAA6F,SAAS,QAAQ;AACzH,YAAW;AAEX,QAAO,CAAC,iBAAiB,QAAQ,CAAC"}
1
+ {"version":3,"file":"vulnerability.js","names":["allVersioning.get"],"sources":["../../../../lib/workers/repository/init/vulnerability.ts"],"sourcesContent":["import is from '@sindresorhus/is';\nimport type { PackageRule, RenovateConfig } from '../../../config/types.ts';\nimport { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';\nimport { logger } from '../../../logger/index.ts';\nimport { getDefaultVersioning } from '../../../modules/datasource/common.ts';\nimport { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';\nimport { MavenDatasource } from '../../../modules/datasource/maven/index.ts';\nimport { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';\nimport type { SecurityAdvisory } from '../../../modules/platform/github/schema.ts';\nimport { platform } from '../../../modules/platform/index.ts';\nimport * as allVersioning from '../../../modules/versioning/index.ts';\nimport { sanitizeMarkdown } from '../../../util/markdown.ts';\nimport { escapeRegExp, regEx } from '../../../util/regex.ts';\nimport { titleCase } from '../../../util/string.ts';\nimport { githubEcosystemToDatasource } from '../../../util/vulnerability/ecosystem.ts';\nimport {\n getFixedVersionConstraint,\n getHighestVulnerabilitySeverity,\n} from '../../../util/vulnerability/utils.ts';\n\ntype Datasource = string;\ntype DependencyName = string;\n\ntype CombinedAlert = Record<\n Datasource,\n Record<\n DependencyName,\n {\n advisories: SecurityAdvisory[];\n firstPatchedVersion?: string;\n severity?: string;\n }\n >\n>;\n\nexport function getFixedVersionByDatasource(\n fixedVersion: string,\n datasource: string,\n): string {\n return getFixedVersionConstraint(fixedVersion, datasource);\n}\n\n// TODO can return `null` and `undefined` (#22198)\nexport async function detectVulnerabilityAlerts(\n input: RenovateConfig,\n): Promise<RenovateConfig> {\n if (!input?.vulnerabilityAlerts) {\n return input;\n }\n if 
(input.vulnerabilityAlerts.enabled === false) {\n logger.debug('Vulnerability alerts are disabled');\n return input;\n }\n const alerts = await platform.getVulnerabilityAlerts?.();\n if (!alerts?.length) {\n logger.debug('No vulnerability alerts found');\n if (input.vulnerabilityAlertsOnly) {\n throw new Error(NO_VULNERABILITY_ALERTS);\n }\n return input;\n }\n const config = { ...input };\n const combinedAlerts: CombinedAlert = {};\n for (const alert of alerts) {\n try {\n if (alert.dismissed_reason) {\n continue;\n }\n if (!alert.security_vulnerability?.first_patched_version) {\n logger.debug(\n { alert },\n 'Vulnerability alert has no firstPatchedVersion - skipping',\n );\n continue;\n }\n const datasource =\n githubEcosystemToDatasource[\n alert.security_vulnerability.package.ecosystem\n ];\n const depName = alert.security_vulnerability.package.name;\n const firstPatchedVersion =\n alert.security_vulnerability.first_patched_version.identifier;\n const advisory = alert.security_advisory;\n\n combinedAlerts[datasource] ??= {};\n combinedAlerts[datasource][depName] ??= {\n advisories: [],\n };\n const alertDetails = combinedAlerts[datasource][depName];\n alertDetails.advisories.push(advisory);\n alertDetails.severity = getHighestVulnerabilitySeverity(\n { vulnerabilitySeverity: alertDetails.severity },\n { vulnerabilitySeverity: alert.security_vulnerability.severity },\n );\n const versioningApi = allVersioning.get(getDefaultVersioning(datasource));\n if (versioningApi.isVersion(firstPatchedVersion)) {\n if (\n !alertDetails.firstPatchedVersion ||\n versioningApi.isGreaterThan(\n firstPatchedVersion,\n alertDetails.firstPatchedVersion,\n )\n ) {\n alertDetails.firstPatchedVersion = firstPatchedVersion;\n }\n } else {\n logger.debug('Invalid firstPatchedVersion: ' + firstPatchedVersion);\n }\n } catch (err) {\n logger.warn({ err }, 'Error parsing vulnerability alert');\n }\n }\n const alertPackageRules: PackageRule[] = [];\n config.remediations = {} as never;\n for 
(const [datasource, dependencies] of Object.entries(combinedAlerts)) {\n for (const [depName, val] of Object.entries(dependencies)) {\n if (!val.firstPatchedVersion) {\n continue;\n }\n\n let prBodyNotes: string[] = [];\n try {\n prBodyNotes = val.advisories.flatMap((advisory) =>\n generatePrBodyNotes(advisory),\n );\n } catch (err) /* v8 ignore next */ {\n logger.warn({ err }, 'Error generating vulnerability PR notes');\n }\n let matchRule: PackageRule = {\n matchDatasources: [datasource],\n matchPackageNames: [depName],\n };\n\n let matchCurrentVersion = `< ${val.firstPatchedVersion}`;\n if (\n datasource === MavenDatasource.id ||\n datasource === NugetDatasource.id\n ) {\n matchCurrentVersion = `(,${val.firstPatchedVersion})`;\n } else if (datasource === GithubTagsDatasource.id) {\n matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;\n }\n\n matchRule = {\n ...matchRule,\n matchCurrentVersion,\n vulnerabilityFixVersion: val.firstPatchedVersion,\n vulnerabilitySeverity: val.severity,\n prBodyNotes,\n isVulnerabilityAlert: true,\n force: {\n ...config.vulnerabilityAlerts,\n },\n };\n alertPackageRules.push(matchRule);\n }\n }\n logger.debug({ alertPackageRules }, 'alert package rules');\n config.packageRules = (config.packageRules ?? 
[]).concat(alertPackageRules);\n return config;\n}\n\nfunction generatePrBodyNotes(advisory: SecurityAdvisory): string[] {\n const aliases = advisory.identifiers\n .map((id) => id.value)\n .sort()\n .map((id) => {\n if (id.startsWith('CVE-')) {\n return `[${id}](https://nvd.nist.gov/vuln/detail/${id})`;\n }\n if (id.startsWith('GHSA-')) {\n return `[${id}](https://github.com/advisories/${id})`;\n }\n return id;\n });\n\n let content = '\\n\\n---\\n\\n### ';\n content += `${advisory.summary}\\n`;\n content += `${aliases.join(' / ')}\\n`;\n content += `\\n<details>\\n<summary>More information</summary>\\n`;\n\n const details = advisory.description.replace(regEx(/^#{1,4} /gm), '##### ');\n content += `#### Details\\n${details}\\n`;\n\n content += '#### Severity\\n';\n const { cvss_v4, cvss_v3 } = advisory.cvss_severities ?? {};\n const cvss = cvss_v4?.vector_string ? cvss_v4 : cvss_v3;\n if (is.number(cvss?.score) && cvss?.vector_string) {\n content += `- CVSS Score: ${cvss.score.toFixed(1)} / 10 (${titleCase(advisory.severity)})\\n`;\n content += `- Vector String: \\`${cvss.vector_string}\\`\\n`;\n } else {\n content += `${titleCase(advisory.severity)}\\n`;\n }\n\n content += `\\n#### References\\n${\n advisory.references\n ?.map((ref) => `- [${ref.url}](${ref.url})`)\n .join('\\n') ?? 
'No references.'\n }`;\n\n content += `\\n\\nThis data is provided by the [GitHub Advisory Database](https://github.com/advisories/${advisory.ghsa_id}) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).\\n`;\n content += `</details>`;\n\n return [sanitizeMarkdown(content)];\n}\n"],"mappings":";;;;;;;;;;;;;;;AA2CA,eAAsB,0BACpB,OACyB;AACzB,KAAI,CAAC,OAAO,oBACV,QAAO;AAET,KAAI,MAAM,oBAAoB,YAAY,OAAO;AAC/C,SAAO,MAAM,oCAAoC;AACjD,SAAO;;CAET,MAAM,SAAS,MAAM,SAAS,0BAA0B;AACxD,KAAI,CAAC,QAAQ,QAAQ;AACnB,SAAO,MAAM,gCAAgC;AAC7C,MAAI,MAAM,wBACR,OAAM,IAAI,MAAM,wBAAwB;AAE1C,SAAO;;CAET,MAAM,SAAS,EAAE,GAAG,OAAO;CAC3B,MAAM,iBAAgC,EAAE;AACxC,MAAK,MAAM,SAAS,OAClB,KAAI;AACF,MAAI,MAAM,iBACR;AAEF,MAAI,CAAC,MAAM,wBAAwB,uBAAuB;AACxD,UAAO,MACL,EAAE,OAAO,EACT,4DACD;AACD;;EAEF,MAAM,aACJ,4BACE,MAAM,uBAAuB,QAAQ;EAEzC,MAAM,UAAU,MAAM,uBAAuB,QAAQ;EACrD,MAAM,sBACJ,MAAM,uBAAuB,sBAAsB;EACrD,MAAM,WAAW,MAAM;AAEvB,iBAAe,gBAAgB,EAAE;AACjC,iBAAe,YAAY,aAAa,EACtC,YAAY,EAAE,EACf;EACD,MAAM,eAAe,eAAe,YAAY;AAChD,eAAa,WAAW,KAAK,SAAS;AACtC,eAAa,WAAW,gCACtB,EAAE,uBAAuB,aAAa,UAAU,EAChD,EAAE,uBAAuB,MAAM,uBAAuB,UAAU,CACjE;EACD,MAAM,gBAAgBA,IAAkB,qBAAqB,WAAW,CAAC;AACzE,MAAI,cAAc,UAAU,oBAAoB;OAE5C,CAAC,aAAa,uBACd,cAAc,cACZ,qBACA,aAAa,oBACd,CAED,cAAa,sBAAsB;QAGrC,QAAO,MAAM,kCAAkC,oBAAoB;UAE9D,KAAK;AACZ,SAAO,KAAK,EAAE,KAAK,EAAE,oCAAoC;;CAG7D,MAAM,oBAAmC,EAAE;AAC3C,QAAO,eAAe,EAAE;AACxB,MAAK,MAAM,CAAC,YAAY,iBAAiB,OAAO,QAAQ,eAAe,CACrE,MAAK,MAAM,CAAC,SAAS,QAAQ,OAAO,QAAQ,aAAa,EAAE;AACzD,MAAI,CAAC,IAAI,oBACP;EAGF,IAAI,cAAwB,EAAE;AAC9B,MAAI;AACF,iBAAc,IAAI,WAAW,SAAS,aACpC,oBAAoB,SAAS,CAC9B;WACM,4BAA0B;AACjC,UAAO,KAAK,EAAE,KAAK,EAAE,0CAA0C;;EAEjE,IAAI,YAAyB;GAC3B,kBAAkB,CAAC,WAAW;GAC9B,mBAAmB,CAAC,QAAQ;GAC7B;EAED,IAAI,sBAAsB,KAAK,IAAI;AACnC,MACE,eAAe,gBAAgB,MAC/B,eAAe,gBAAgB,GAE/B,uBAAsB,KAAK,IAAI,oBAAoB;WAC1C,eAAe,qBAAqB,GAC7C,uBAAsB,MAAM,aAAa,IAAI,oBAAoB,CAAC;AAGpE,cAAY;GACV,GAAG;GACH;GACA,yBAAyB,IAAI;GAC7B,uBAAuB,IAAI;GAC3B;GACA,sBAAsB;GACtB,OAAO,EACL,GAAG,OAAO,qBACX;GACF;AACD,oBAAkB,KAAK,UAAU;;AAGr
C,QAAO,MAAM,EAAE,mBAAmB,EAAE,sBAAsB;AAC1D,QAAO,gBAAgB,OAAO,gBAAgB,EAAE,EAAE,OAAO,kBAAkB;AAC3E,QAAO;;AAGT,SAAS,oBAAoB,UAAsC;CACjE,MAAM,UAAU,SAAS,YACtB,KAAK,OAAO,GAAG,MAAM,CACrB,MAAM,CACN,KAAK,OAAO;AACX,MAAI,GAAG,WAAW,OAAO,CACvB,QAAO,IAAI,GAAG,qCAAqC,GAAG;AAExD,MAAI,GAAG,WAAW,QAAQ,CACxB,QAAO,IAAI,GAAG,kCAAkC,GAAG;AAErD,SAAO;GACP;CAEJ,IAAI,UAAU;AACd,YAAW,GAAG,SAAS,QAAQ;AAC/B,YAAW,GAAG,QAAQ,KAAK,MAAM,CAAC;AAClC,YAAW;CAEX,MAAM,UAAU,SAAS,YAAY,QAAQ,MAAM,aAAa,EAAE,SAAS;AAC3E,YAAW,iBAAiB,QAAQ;AAEpC,YAAW;CACX,MAAM,EAAE,SAAS,YAAY,SAAS,mBAAmB,EAAE;CAC3D,MAAM,OAAO,SAAS,gBAAgB,UAAU;AAChD,KAAI,GAAG,OAAO,MAAM,MAAM,IAAI,MAAM,eAAe;AACjD,aAAW,iBAAiB,KAAK,MAAM,QAAQ,EAAE,CAAC,SAAS,UAAU,SAAS,SAAS,CAAC;AACxF,aAAW,sBAAsB,KAAK,cAAc;OAEpD,YAAW,GAAG,UAAU,SAAS,SAAS,CAAC;AAG7C,YAAW,sBACT,SAAS,YACL,KAAK,QAAQ,MAAM,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,CAC3C,KAAK,KAAK,IAAI;AAGnB,YAAW,6FAA6F,SAAS,QAAQ;AACzH,YAAW;AAEX,QAAO,CAAC,iBAAiB,QAAQ,CAAC"}
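--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "name": "renovate",
  "description": "Automated dependency updates. Flexible so you don't need to be.",
- "version": "43.134.0",
+ "version": "43.134.1",
  "type": "module",
  "bin": {
  "renovate": "dist/renovate.js",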
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$id": "https://docs.renovatebot.com/renovate-schema.json",
3
- "title": "JSON schema for Renovate 43.134.0 config files (https://renovatebot.com/)",
3
+ "title": "JSON schema for Renovate 43.134.1 config files (https://renovatebot.com/)",
4
4
  "$schema": "http://json-schema.org/draft-07/schema#",
5
- "x-renovate-version": "43.134.0",
5
+ "x-renovate-version": "43.134.1",
6
6
  "allowComments": true,
7
7
  "type": "object",
8
8
  "properties": {