Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bumps simple-git from 1.116.0 to 3.4.0 #1359

Merged
merged 1 commit into from
Mar 24, 2022
Merged

Bumps simple-git from 1.116.0 to 3.4.0 #1359

merged 1 commit into from
Mar 24, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 17, 2022
edited by tmarkley
Loading

Bumps simple-git from 1.116.0 to 3.4.0.

Release notes

Sourced from simple-git's releases.

simple-git@3.3.0

Minor Changes

  • d119ec4: Resolves potential command injection vulnerability by preventing use of --upload-pack in git.fetch

simple-git@3.2.6

Patch Changes

  • 80651d5: Resolve issue in prePublish script

simple-git@3.2.4

Patch Changes

  • d35987b: Release with changesets

simple-git simple-git-v3.1.1

Bug Fixes

  • specify repository with directory identifier to be discoverable within monorepo (655e23c)

simple-git simple-git-v3.1.0

Features

  • optionally include ignored files in StatusResult (70e6767), closes #718

simple-git simple-git-v3.0.4

Bug Fixes

  • support parsing empty responses (91eb7fb), closes #713

simple-git simple-git-v3.0.3

Bug Fixes

  • allow branches without labels (07a1388)
  • implement v3 deprecations (ed6d18e)
  • publish v3 as latest (5db4434)

simple-git simple-git-v3.0.2

Bug Fixes

... (truncated)

Changelog

Sourced from simple-git's changelog.

3.3.0

Minor Changes

  • d119ec4: Resolves potential command injection vulnerability by preventing use of --upload-pack in git.fetch

3.2.6

Patch Changes

  • 80651d5: Resolve issue in prePublish script

3.2.5

Patch Changes

  • ac4f38f: Show readme in published package.

3.2.4

Patch Changes

  • d35987b: Release with changesets

3.2.3

Patch Changes

  • 1e4c591: Release with changesets

3.2.2

Patch Changes

  • 497d416: Releasing with changeset

3.2.1

Patch Changes

  • 0c3085d: Releasing library through changesets

3.2.0

Minor Changes

  • b47aa19: Switch to changesets as version and changelog manager

3.1.1 (2022-01-26)

... (truncated)

Commits
  • 9113366 Version Packages
  • d119ec4 Prevent use of --upload-pack as a command in git.fetch to avoid potential...
  • fcc7618 Version Packages
  • 80651d5 Remove pre-publish step of copying readme.md, no longer required
  • 6838e24 Version Packages
  • e9f0461 Move workspace readme into the simple-git package, symlink to it from the w...
  • 7a29566 Version Packages
  • c4f937d Version Packages
  • c486165 Version Packages
  • 497d416 Running the changesets release
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot requested a review from a team as a code owner March 17, 2022 22:09
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 17, 2022
@tmarkley
Copy link
Contributor

Resolves #1344

@tmarkley tmarkley added v2.0.0 cve Security vulnerabilities detected by Dependabot or Mend labels Mar 23, 2022
Bumps simple-git from 1.116.0 to 3.4.0
4189e5f 
Bumps [simple-git](https://github.com/steveukx/git-js/tree/HEAD/simple-git) from 1.116.0 to 3.4.0.
- [Release notes](https://github.com/steveukx/git-js/releases)
- [Changelog](https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md)
- [Commits](https://github.com/steveukx/git-js/commits/simple-git@3.4.0/simple-git)

---
updated-dependencies:
- dependency-name: simple-git
  dependency-type: direct:production
...

Resolves #1344

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Tommy Markley <markleyt@amazon.com>
@tmarkley tmarkley force-pushed the dependabot/npm_and_yarn/simple-git-3.3.0 branch from 32e4a33 to 4189e5f Compare March 23, 2022 17:14
tmarkley
tmarkley reviewed Mar 23, 2022
View reviewed changes
packages/osd-opensearch/src/install/source.js
const simpleGit = require('simple-git/promise');
const simpleGit = require('simple-git');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Received this message when running yarn opensearch source:

=============================================
simple-git has supported promises / async await since version 2.6.0.
 Importing from 'simple-git/promise' has been deprecated and will be
 removed by July 2022.

To upgrade, change all 'simple-git/promise' imports to just 'simple-git'
=============================================

@tmarkley
Copy link
Contributor

I confirmed that the following scripts operate as expected:

yarn opensearch snapshot
yarn opensearch source
node scripts/precommit_hook.js

@tmarkley tmarkley linked an issue Mar 23, 2022 that may be closed by this pull request
CVE-2022-24433 (High) detected in simple-git-1.116.0.tgz #1344
Closed
@tmarkley tmarkley changed the title Bump simple-git from 1.116.0 to 3.3.0 Bumps simple-git from 1.116.0 to 3.4.0 Mar 23, 2022
@tmarkley tmarkley merged commit 859e21f into main Mar 24, 2022
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/simple-git-3.3.0 branch March 24, 2022 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmarkley tmarkley tmarkley approved these changes

@ashwin-pc ashwin-pc ashwin-pc approved these changes

@ananzh ananzh Awaiting requested review from ananzh ananzh is a code owner

@AMoo-Miki AMoo-Miki Awaiting requested review from AMoo-Miki AMoo-Miki is a code owner

@boktorbb boktorbb Awaiting requested review from boktorbb

@kavilla kavilla Awaiting requested review from kavilla kavilla is a code owner

Assignees
No one assigned
Labels
cve Security vulnerabilities detected by Dependabot or Mend dependencies Pull requests that update a dependency file v2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2022-24433 (High) detected in simple-git-1.116.0.tgz
2 participants
@tmarkley @ashwin-pc