From 589572b7394c35d11bb40358e6f118b85a0f0f1d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 8 Jul 2022 10:49:03 -0700 Subject: [PATCH 1/5] build(deps): update dependency node-fetch to 2.6.7 [security] (#146) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 9ca72b5..a5c1e29 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2031,9 +2031,9 @@ } }, "node-fetch": { - "version": "2.6.5", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz", - "integrity": "sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==", + "version": "2.6.7", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz", + "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==", "requires": { "whatwg-url": "^5.0.0" } From 92d8e64c19c751a86865c2870091fcd523743d5f Mon Sep 17 00:00:00 2001 From: Oscar Dominguez Date: Sat, 9 Jul 2022 23:16:00 +0200 Subject: [PATCH 2/5] fix(release): use OCTOKITBOT_PAT as GITHUB_TOKEN (#159) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9cf4c5f..21873d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: - run: rm .gitignore - run: npx semantic-release env: - GITHUB_TOKEN: ${{ secrets.GR2M_PAT_FOR_SEMANTIC_RELEASE }} + GITHUB_TOKEN: ${{ secrets.OCTOKITBOT_PAT }} - run: >- git push https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git From 0d89977c89338eee0481632d46cf9746319ebfdb Mon Sep 17 00:00:00 2001 
From: Gregor Martynus <39992+gr2m@users.noreply.github.com> Date: Sat, 9 Jul 2022 14:21:22 -0700 Subject: [PATCH 3/5] ci(release): run with `--debug` --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 21873d8..599e48e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: - run: npm ci - run: npm run build - run: rm .gitignore - - run: npx semantic-release + - run: npx semantic-release --debug env: GITHUB_TOKEN: ${{ secrets.OCTOKITBOT_PAT }} - run: >- From 1fa9dddd13aa58408d68341fb9dc10410c7112e8 Mon Sep 17 00:00:00 2001 From: Gregor Martynus <39992+gr2m@users.noreply.github.com> Date: Sat, 9 Jul 2022 14:26:21 -0700 Subject: [PATCH 4/5] ci(release): checkout using `secrets.OCTOKITBOT_PAT` --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 599e48e..bc2178f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + with: + token: ${{ secrets.OCTOKITBOT_PAT }} - uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3 with: cache: npm From 8509fdb30e17659bffb27878bb307fceb3ee2a64 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 9 Jul 2022 21:27:11 +0000 Subject: [PATCH 5/5] build(release): compiled action for 2.1.6 [skip ci] --- dist/index.js | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/dist/index.js b/dist/index.js index 4a37c9f..aab0a73 100644 --- a/dist/index.js +++ b/dist/index.js 
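Review bot: The `--debug` flag added to `npx semantic-release` in PATCH 3/5 reads as a troubleshooting aid, yet it is committed to the release step that carries `GITHUB_TOKEN: ${{ secrets.OCTOKITBOT_PAT }}` in its environment. Actions log masking matches the literal secret value, so a token that shows up encoded or otherwise transformed in verbose output would presumably not be redacted, and release logs may be readable by more people than the secret is. I would mark the flag as temporary with a comment such as `# TODO: drop --debug once the release failure is diagnosed`, or go back to `- run: npx semantic-release` once the cause is found. The `steps:` list begins and ends outside this hunk.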
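Review bot: Passing the PAT as `token:` to `actions/checkout` in PATCH 4/5 leaves it in the workspace's git configuration for the rest of the job, because the action persists credentials by default. The `npm ci` and `npm run build` steps that follow run dependency code with access to that workspace, so the bot's token is reachable by anything those packages execute. The later steps visible in this series take the token from `${GITHUB_TOKEN}` in the environment, so adding `persist-credentials: false` under `with:` may solve the same push problem without writing the PAT to disk; that needs confirming against an actual release run. The `steps:` list continues outside the hunk.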
@@ -32647,7 +32647,7 @@ Object.defineProperty(Response.prototype, Symbol.toStringTag, { }); const INTERNALS$2 = Symbol('Request internals'); -const URL = whatwgUrl.URL; +const URL = Url.URL || whatwgUrl.URL; // fix an issue where "format", "parse" aren't a named export for node <10 const parse_url = Url.parse; @@ -32910,9 +32910,17 @@ AbortError.prototype = Object.create(Error.prototype); AbortError.prototype.constructor = AbortError; AbortError.prototype.name = 'AbortError'; +const URL$1 = Url.URL || whatwgUrl.URL; + // fix an issue where "PassThrough", "resolve" aren't a named export for node <10 const PassThrough$1 = Stream.PassThrough; -const resolve_url = Url.resolve; + +const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) { + const orig = new URL$1(original).hostname; + const dest = new URL$1(destination).hostname; + + return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest); +}; /** * Fetch function @@ -33000,7 +33008,19 @@ function fetch(url, opts) { const location = headers.get('Location'); // HTTP fetch step 5.3 - const locationURL = location === null ? null : resolve_url(request.url, location); + let locationURL = null; + try { + locationURL = location === null ? null : new URL$1(location, request.url).toString(); + } catch (err) { + // error here can only be invalid URL in Location: header + // do not throw when options.redirect == manual + // let the user extract the errorneous redirect URL + if (request.redirect !== 'manual') { + reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect')); + finalize(); + return; + } + } // HTTP fetch step 5.5 switch (request.redirect) { 
@@ -33048,6 +33068,12 @@ function fetch(url, opts) { size: request.size }; + if (!isDomainOrSubdomain(request.url, locationURL)) { + for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) { + requestOpts.headers.delete(name); + } + } + // HTTP-redirect fetch step 9 if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) { reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));