Merge main branch into the docs branch #1167
Conversation
#989 For the purpose of overriding dependency requirements, we may need to add new dependencies or even a dependency management section to pom.xml. This PR:

- moves the patch generation from suggester to updater
- before writing patches, prepares dependency and property patches
- when updating dependencies, if a dependency is not from the base project, we should add a new section
- when updating a project, if dependency management is not updated and there are patches from dependency management, adds a new dependency management section
- marks the parent dependency patch to have type "pom"

TODOs:

- need to find a way to differentiate patches for guided remediation from general updates, since we should not add new sections for general updates (using `OrigRequire` seems reasonable)
- make the indentation for the new sections configurable; it now defaults to a single white space
There's nothing too major here, though we do get to remove a bunch of config for deprecated linters that have finally been removed; the more exciting thing is when we move to Go v1.22, as there are a few linters that'll start running, like the one for cleaning up our looping variables.
Currently, the newly added dependency management is not written correctly - `dependency` tags are missing. This PR fixes this by specifying `dependency` in the struct.
We should merge active profiles before merging parent data. Currently, we only merge default profiles by passing empty JDK and OS information (this could be a TODO for the future). Some known issues or improvements:

- Inactive profiles may not be interpolated, but we probably want them to be updated as well
- Now default profiles are merged, but we may consider leveraging JDK and OS information to activate accurate profiles
Currently, the write test is a bit flaky because the dependencies to be added are not sorted and their order in pom.xml is not guaranteed. This PR adds sorting of dependencies before they are going to be written.
Start on a new 'override' remediation strategy for guided remediation for maven, intending to remediate by forcing the use of non-vulnerable versions by `dependencyManagement`. This is just the logic to identify possible override patches by searching for the first non-vulnerable version of an affected package.
- Improved the runtime of DiffVulnerabilityResults
- Precomputed the existence of Sources, Packages, and Vulnerabilities, which brings the time complexity down from O(n^2) to O(n).
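The precomputation described in this commit, as an added example that is not osv-scanner's own `DiffVulnerabilityResults`: the old results are indexed once into nested maps keyed by source path, package coordinate and vulnerability ID, so every lookup while walking the new results is a constant-time map hit. The result types, the `pkgKey` layout and the vulnerability IDs are assumptions constructed for this example.

```go
package main

import "fmt"

// Vulnerability, Package, Source and Results are a minimal stand-in for the
// scanner's result tree (assumed shapes, not osv-scanner's own types): one
// Source per scanned lockfile, holding Packages, each holding its findings.
type Vulnerability struct{ ID string }

type Package struct {
	Name, Version, Ecosystem string
	Vulns                    []Vulnerability
}

type Source struct {
	Path     string
	Packages []Package
}

type Results struct{ Sources []Source }

// pkgKey identifies a package by ecosystem, name and version (assumed format).
func pkgKey(p Package) string { return p.Ecosystem + "/" + p.Name + "@" + p.Version }

// existence is the precomputed index: source path -> package key -> vuln ID.
// Building it walks the old results exactly once, which is the O(n) part.
type existence map[string]map[string]map[string]bool

func buildExistence(r Results) existence {
	idx := make(existence)
	for _, s := range r.Sources {
		pkgs := make(map[string]map[string]bool, len(s.Packages))
		for _, p := range s.Packages {
			ids := make(map[string]bool, len(p.Vulns))
			for _, v := range p.Vulns {
				ids[v.ID] = true
			}
			pkgs[pkgKey(p)] = ids
		}
		idx[s.Path] = pkgs
	}
	return idx
}

// DiffNew returns the entries of cur that do not appear in old. Each lookup
// is a map hit against the precomputed index, so the whole diff is linear in
// the number of entries instead of rescanning old for every entry of cur.
func DiffNew(old, cur Results) Results {
	idx := buildExistence(old)
	var out Results
	for _, s := range cur.Sources {
		// Indexing a nil map is safe in Go: an unknown source or package
		// simply yields no known vulnerabilities, so everything under it is new.
		oldPkgs := idx[s.Path]
		newSrc := Source{Path: s.Path}
		for _, p := range s.Packages {
			oldVulns := oldPkgs[pkgKey(p)]
			np := Package{Name: p.Name, Version: p.Version, Ecosystem: p.Ecosystem}
			for _, v := range p.Vulns {
				if !oldVulns[v.ID] {
					np.Vulns = append(np.Vulns, v)
				}
			}
			if len(np.Vulns) > 0 {
				newSrc.Packages = append(newSrc.Packages, np)
			}
		}
		if len(newSrc.Packages) > 0 {
			out.Sources = append(out.Sources, newSrc)
		}
	}
	return out
}

func main() {
	// Constructed sample: one vulnerability was already known, one is new.
	old := Results{Sources: []Source{{Path: "go.mod", Packages: []Package{
		{Name: "a", Version: "1.0", Ecosystem: "Go", Vulns: []Vulnerability{{ID: "GO-0001"}}},
	}}}}
	cur := Results{Sources: []Source{{Path: "go.mod", Packages: []Package{
		{Name: "a", Version: "1.0", Ecosystem: "Go", Vulns: []Vulnerability{{ID: "GO-0001"}, {ID: "GO-0002"}}},
	}}}}
	for _, s := range DiffNew(old, cur).Sources {
		for _, p := range s.Packages {
			fmt.Printf("%s: %s has %d new finding(s)\n", s.Path, pkgKey(p), len(p.Vulns))
		}
	}
}
```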
Update the documentation to note that the current Maven resolver does not handle test dependencies.
Previously, `origRequire` was not set in patches from suggest; however, we plan to use this field to differentiate patches from override, so this PR sets `origRequire` for patches from suggest so that `manifest.Write()` is able to add only dependencies from patches generated by override.
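The override write-out described across the commits above (new `dependencyManagement` section, the explicit `dependency` tag, sorted dependencies, type "pom" for the parent, `OrigRequire` as the override marker), as one added example that is not osv-scanner's own `manifest.Write()`. The `Patch` fields, the base-project lookup map, the `scope=import` on the parent override and all coordinates and versions are assumptions constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Patch is one proposed version change for a Maven coordinate. A patch
// produced by the override strategy carries no OrigRequire (assumption taken
// from the TODO above); a general update keeps the requirement it replaces
// and must never cause a new section to be added.
type Patch struct {
	GroupID     string
	ArtifactID  string
	NewVersion  string
	OrigRequire string
	IsParent    bool // patch against the project's <parent>
}

// Dependency mirrors one <dependency> element of pom.xml.
type Dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
	Type       string `xml:"type,omitempty"`
	Scope      string `xml:"scope,omitempty"`
}

// DependencyManagement mirrors <dependencyManagement>. The path tag
// "dependencies>dependency" is what names the inner element: with a bare
// `xml:"dependencies"` tag, encoding/xml would emit each element as its own
// <dependencies> and no <dependency> tags would appear at all.
type DependencyManagement struct {
	XMLName      xml.Name     `xml:"dependencyManagement"`
	Dependencies []Dependency `xml:"dependencies>dependency"`
}

// BuildOverrideSection keeps only override patches for coordinates the base
// project does not already manage (those are updated in place), sorts them so
// the written pom.xml is deterministic, and renders the new section with
// indent per nesting level. An empty string is returned when there is
// nothing to add, so the caller does not write an empty section.
func BuildOverrideSection(patches []Patch, baseManaged map[string]bool, indent string) (DependencyManagement, string, error) {
	var dm DependencyManagement
	for _, p := range patches {
		if p.OrigRequire != "" {
			continue // general update: edit the existing element, never add a section
		}
		if baseManaged[p.GroupID+":"+p.ArtifactID] {
			continue // already managed by the base project: updated in place
		}
		d := Dependency{GroupID: p.GroupID, ArtifactID: p.ArtifactID, Version: p.NewVersion}
		if p.IsParent {
			// A parent POM is overridden by importing it as a BOM, which needs
			// type "pom" (from the commit) and, assumed here, scope "import".
			d.Type = "pom"
			d.Scope = "import"
		}
		dm.Dependencies = append(dm.Dependencies, d)
	}
	if len(dm.Dependencies) == 0 {
		return dm, "", nil
	}
	// Deterministic order avoids the flaky write test: groupId, then artifactId.
	sort.Slice(dm.Dependencies, func(i, j int) bool {
		a, b := dm.Dependencies[i], dm.Dependencies[j]
		if a.GroupID != b.GroupID {
			return a.GroupID < b.GroupID
		}
		return a.ArtifactID < b.ArtifactID
	})
	out, err := xml.MarshalIndent(dm, "", indent)
	if err != nil {
		return dm, "", err
	}
	return dm, string(out), nil
}

func main() {
	// Constructed sample patches: two overrides, one parent override, one
	// general update (has OrigRequire) and one coordinate the base already manages.
	patches := []Patch{
		{GroupID: "org.example.parent", ArtifactID: "parent-bom", NewVersion: "2.0.0", IsParent: true},
		{GroupID: "org.example.lib", ArtifactID: "lib-core", NewVersion: "1.4.2"},
		{GroupID: "com.example", ArtifactID: "client", NewVersion: "3.1.0"},
		{GroupID: "org.example.lib", ArtifactID: "lib-util", NewVersion: "1.2.3", OrigRequire: "1.0.0"},
		{GroupID: "org.example.lib", ArtifactID: "managed-lib", NewVersion: "4.5.6"},
	}
	base := map[string]bool{"org.example.lib:managed-lib": true}
	_, section, err := BuildOverrideSection(patches, base, " ")
	if err != nil {
		panic(err)
	}
	fmt.Println(section)
}
```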
Remove the patch version, as we always want the latest patch version. Fixes #1123. We just need to keep in mind that the library code should be compatible with the previous Go release.
https://docs.github.com/en/actions/managing-issues-and-pull-requests/closing-inactive-issues Manage issues and PRs that are unassigned, and/or don't have the 'good-first-issue' label (for issues). 60 days for a warning, and closure two weeks later.
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-go](https://togithub.com/actions/setup-go) | action | patch | `v5.0.1` -> `v5.0.2` |
| [actions/setup-python](https://togithub.com/actions/setup-python) | action | patch | `v5.1.0` -> `v5.1.1` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.25.11` -> `v3.25.13` |
| [ruby/setup-ruby](https://togithub.com/ruby/setup-ruby) | action | minor | `v1.185.0` -> `v1.187.0` |
| [shivammathur/setup-php](https://togithub.com/shivammathur/setup-php) | action | patch | `2.31.0` -> `2.31.1` |

---

### Release Notes

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

### [`v5.0.2`](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2)

[Compare Source](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2)

</details>

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

### [`v5.1.1`](https://togithub.com/actions/setup-python/releases/tag/v5.1.1)

[Compare Source](https://togithub.com/actions/setup-python/compare/v5.1.0...v5.1.1)

##### What's Changed

##### Bug fixes:

- fix(ci): update all failing workflows by [@mayeut](https://togithub.com/mayeut) in [https://github.com/actions/setup-python/pull/863](https://togithub.com/actions/setup-python/pull/863). This update ensures compatibility and optimal performance of workflows on the latest macOS version.

##### Documentation changes:

- Documentation update for cache by [@gowridurgad](https://togithub.com/gowridurgad) in [https://github.com/actions/setup-python/pull/873](https://togithub.com/actions/setup-python/pull/873)

##### Dependency updates:

- Bump braces from 3.0.2 to 3.0.3 and undici from 5.28.3 to 5.28.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-python/pull/893](https://togithub.com/actions/setup-python/pull/893)

##### New Contributors

- [@gowridurgad](https://togithub.com/gowridurgad) made their first contribution in [https://github.com/actions/setup-python/pull/873](https://togithub.com/actions/setup-python/pull/873)

**Full Changelog**: actions/setup-python@v5...v5.1.1

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.25.13`](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13)

### [`v3.25.12`](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12)

</details>

<details>
<summary>ruby/setup-ruby (ruby/setup-ruby)</summary>

### [`v1.187.0`](https://togithub.com/ruby/setup-ruby/releases/tag/v1.187.0)

[Compare Source](https://togithub.com/ruby/setup-ruby/compare/v1.186.0...v1.187.0)

#### What's Changed

- Update CRuby releases on Windows by [@ruby-builder-bot](https://togithub.com/ruby-builder-bot) in [https://github.com/ruby/setup-ruby/pull/622](https://togithub.com/ruby/setup-ruby/pull/622)

**Full Changelog**: ruby/setup-ruby@v1.186.0...v1.187.0

### [`v1.186.0`](https://togithub.com/ruby/setup-ruby/releases/tag/v1.186.0)

[Compare Source](https://togithub.com/ruby/setup-ruby/compare/v1.185.0...v1.186.0)

#### What's Changed

- Add ruby-3.3.4 by [@ruby-builder-bot](https://togithub.com/ruby-builder-bot) in [https://github.com/ruby/setup-ruby/pull/620](https://togithub.com/ruby/setup-ruby/pull/620)

**Full Changelog**: ruby/setup-ruby@v1.185.0...v1.186.0

</details>

<details>
<summary>shivammathur/setup-php (shivammathur/setup-php)</summary>

### [`v2.31.1`](https://togithub.com/shivammathur/setup-php/releases/tag/2.31.1)

[Compare Source](https://togithub.com/shivammathur/setup-php/compare/2.31.0...2.31.1)

##### Changelog

- Fix installing PECL extensions on Windows with a build version [#855](https://togithub.com/shivammathur/setup-php/issues/855)
- Fix cache support for ioncube extension [#856](https://togithub.com/shivammathur/setup-php/issues/856)
- Updated Node.js dependencies.

For the complete list of changes, please refer to the [Full Changelog](https://togithub.com/shivammathur/setup-php/compare/2.31.0...2.31.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).
Such issues will never not be stale right up until work on v2 starts (and even then they'll likely be stale on and off) (note I'm not entirely sure if this will work re the spaces - I've found some issues on the action repo that suggest it should, but no actual example docs; I think we just need to try it and see 🤷)
Replicate #1109 more like #1030 to avoid Renovate failures like #1120 (comment) The Docker files are already at 1.22.5, not sure if we want to update to this globally?
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| [github.com/charmbracelet/lipgloss](https://togithub.com/charmbracelet/lipgloss) | `v0.11.0` -> `v0.12.1` | require | minor |
| [github.com/gkampitakis/go-snaps](https://togithub.com/gkampitakis/go-snaps) | `v0.5.4` -> `v0.5.5` | require | patch |
| [github.com/google/go-containerregistry](https://togithub.com/google/go-containerregistry) | `v0.19.2` -> `v0.20.1` | require | minor |
| [github.com/owenrumney/go-sarif/v2](https://togithub.com/owenrumney/go-sarif) | `v2.3.2` -> `v2.3.3` | require | patch |
| golang.org/x/exp | `46b0784` -> `8a7402a` | require | digest |

---

### Release Notes

<details>
<summary>charmbracelet/lipgloss (github.com/charmbracelet/lipgloss)</summary>

### [`v0.12.1`](https://togithub.com/charmbracelet/lipgloss/releases/tag/v0.12.1)

[Compare Source](https://togithub.com/charmbracelet/lipgloss/compare/v0.12.0...v0.12.1)

This release fixes a regression with regard to border calculations introduced in Lip Gloss v0.11.1.

### [`v0.12.0`](https://togithub.com/charmbracelet/lipgloss/releases/tag/v0.12.0)

[Compare Source](https://togithub.com/charmbracelet/lipgloss/compare/v0.11.1...v0.12.0)

### Lists, Check ✓

This release adds a new sub-package for rendering trees and lists.

```go
import "github.com/charmbracelet/lipgloss/list"
```

Define a new list.

```go
l := list.New("A", "B", "C")
```

Print the list.

```go
fmt.Println(l)
// • A
// • B
// • C
```

Lists have the ability to nest.

```go
l := list.New(
    "A", list.New("Artichoke"),
    "B", list.New("Baking Flour", "Bananas", "Barley", "Bean Sprouts"),
    "C", list.New("Cashew Apple", "Cashews", "Coconut Milk", "Curry Paste", "Currywurst"),
    "D", list.New("Dill", "Dragonfruit", "Dried Shrimp"),
    "E", list.New("Eggs"),
    "F", list.New("Fish Cake", "Furikake"),
    "J", list.New("Jicama"),
    "K", list.New("Kohlrabi"),
    "L", list.New("Leeks", "Lentils", "Licorice Root"),
)
```

Print the list.

```go
fmt.Println(l)
```

<p align="center"><img width="600" alt="image" src="https://github.com/charmbracelet/lipgloss/assets/42545625/0dc9f440-0748-4151-a3b0-7dcf29dfcdb0"></p>

Lists can be customized via their enumeration function as well as using `lipgloss.Style`s.

```go
enumeratorStyle := lipgloss.NewStyle().Foreground(lipgloss.Color("99")).MarginRight(1)
itemStyle := lipgloss.NewStyle().Foreground(lipgloss.Color("212")).MarginRight(1)

l := list.New(
    "Glossier",
    "Claire’s Boutique",
    "Nyx",
    "Mac",
    "Milk",
).
    Enumerator(list.Roman).
    EnumeratorStyle(enumeratorStyle).
    ItemStyle(itemStyle)
```

Print the list.

<p align="center"><img width="600" alt="List example" src="https://github.com/charmbracelet/lipgloss/assets/42545625/360494f1-57fb-4e13-bc19-0006efe01561"></p>

In addition to the predefined enumerators (`Arabic`, `Alphabet`, `Roman`, `Bullet`, `Tree`), you may also define your own custom enumerator:

```go
l := list.New("Duck", "Duck", "Duck", "Duck", "Goose", "Duck", "Duck")

func DuckDuckGooseEnumerator(l list.Items, i int) string {
    if l.At(i).Value() == "Goose" {
        return "Honk →"
    }
    return ""
}

l = l.Enumerator(DuckDuckGooseEnumerator)
```

Print the list:

<p align="center"><img width="600" alt="image" src="https://github.com/charmbracelet/lipgloss/assets/42545625/157aaf30-140d-4948-9bb4-dfba46e5b87e"></p>

If you need, you can also build lists incrementally:

```go
l := list.New()

for i := 0; i < repeat; i++ {
    l.Item("Lip Gloss")
}
```

### [`v0.11.1`](https://togithub.com/charmbracelet/lipgloss/releases/tag/v0.11.1)

[Compare Source](https://togithub.com/charmbracelet/lipgloss/compare/v0.11.0...v0.11.1)

This release is a small patch release to fix text truncation in table cells. For details see: [https://github.com/charmbracelet/lipgloss/issues/324](https://togithub.com/charmbracelet/lipgloss/issues/324).

#### Other stuff

- chore: remove deprecated Copy() calls by [@meowgorithm](https://togithub.com/meowgorithm) in [https://github.com/charmbracelet/lipgloss/pull/306](https://togithub.com/charmbracelet/lipgloss/pull/306)
- feat: deprecate Style.ColorWhitespace by [@meowgorithm](https://togithub.com/meowgorithm) in [https://github.com/charmbracelet/lipgloss/pull/311](https://togithub.com/charmbracelet/lipgloss/pull/311)
- feat: deprecate Style.ColorWhitespace by [@meowgorithm](https://togithub.com/meowgorithm) in [https://github.com/charmbracelet/lipgloss/pull/314](https://togithub.com/charmbracelet/lipgloss/pull/314)
- fix: Deprecate UnsetBorderTopBackgroundColor in favor of UnsetBorderTopBackground by [@nervo](https://togithub.com/nervo) in [https://github.com/charmbracelet/lipgloss/pull/315](https://togithub.com/charmbracelet/lipgloss/pull/315)

**Full Changelog**: charmbracelet/lipgloss@v0.11.0...v0.11.1

</details>

<details>
<summary>gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)</summary>

### [`v0.5.5`](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.4...v0.5.5)

[Compare Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.4...v0.5.5)

</details>

<details>
<summary>google/go-containerregistry (github.com/google/go-containerregistry)</summary>

### [`v0.20.1`](https://togithub.com/google/go-containerregistry/releases/tag/v0.20.1)

[Compare Source](https://togithub.com/google/go-containerregistry/compare/v0.20.0...v0.20.1)

#### What's Changed

- Create `remote.Push` by [@mattmoor](https://togithub.com/mattmoor) in [https://github.com/google/go-containerregistry/pull/1978](https://togithub.com/google/go-containerregistry/pull/1978)

**Full Changelog**: google/go-containerregistry@v0.20.0...v0.20.1

### [`v0.20.0`](https://togithub.com/google/go-containerregistry/releases/tag/v0.20.0)

[Compare Source](https://togithub.com/google/go-containerregistry/compare/v0.19.2...v0.20.0)

#### What's Changed

- Referrer API must return correct Content-Type by [@GregoireW](https://togithub.com/GregoireW) in [https://github.com/google/go-containerregistry/pull/1968](https://togithub.com/google/go-containerregistry/pull/1968)
- 🚨 POTENTIALLY BREAKING: Restore blind-write to remote.Put by [@jonjohnsonjr](https://togithub.com/jonjohnsonjr) in [https://github.com/google/go-containerregistry/pull/1970](https://togithub.com/google/go-containerregistry/pull/1970)

#### New Contributors

- [@GregoireW](https://togithub.com/GregoireW) made their first contribution in [https://github.com/google/go-containerregistry/pull/1968](https://togithub.com/google/go-containerregistry/pull/1968)

**Full Changelog**: google/go-containerregistry@v0.19.2...v0.20.0

</details>

<details>
<summary>owenrumney/go-sarif (github.com/owenrumney/go-sarif/v2)</summary>

### [`v2.3.3`](https://togithub.com/owenrumney/go-sarif/releases/tag/v2.3.3)

[Compare Source](https://togithub.com/owenrumney/go-sarif/compare/v2.3.2...v2.3.3)

#### What's Changed

- fix: Update removed goreleaser flag by [@kaiwenleee](https://togithub.com/kaiwenleee) in [https://github.com/owenrumney/go-sarif/pull/79](https://togithub.com/owenrumney/go-sarif/pull/79)

**Full Changelog**: owenrumney/go-sarif@v2.3.2...v2.3.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv-scanner).
https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels#applying-a-label

> Anyone with triage access to a repository can apply and dismiss labels.
Copying the `EcosystemSpecific` data from the `Manifest` to the `ManifestPatch` is a bit cumbersome for the override strategy, and `ManifestPatch` already has a field for the original manifest. I don't think the current Maven `EcosystemSpecific` data is ever going to differ from what's in the original manifest?
Currently, Maven dependency management is not added to the override client, so it is not considered when computing the Maven dependency graph. This PR adds all direct dependency management to the override client so that transitive dependencies are resolved correctly.
…er group (#1132)

Bumps the bundler group in /docs with 1 update: [rexml](https://github.com/ruby/rexml).

Updates `rexml` from 3.3.1 to 3.3.2

<details>
<summary>Release notes</summary>

*Sourced from [rexml's releases](https://github.com/ruby/rexml/releases).*

> ## REXML 3.3.2 - 2024-07-16
>
> ### Improvements
>
> - Improved parse performance.
>   - [GH-160](https://redirect.github.com/ruby/rexml/issues/160)
>   - Patch by NAITOH Jun.
> - Improved parse performance.
>   - [GH-169](https://redirect.github.com/ruby/rexml/issues/169)
>   - [GH-170](https://redirect.github.com/ruby/rexml/issues/170)
>   - [GH-171](https://redirect.github.com/ruby/rexml/issues/171)
>   - [GH-172](https://redirect.github.com/ruby/rexml/issues/172)
>   - [GH-173](https://redirect.github.com/ruby/rexml/issues/173)
>   - [GH-174](https://redirect.github.com/ruby/rexml/issues/174)
>   - [GH-175](https://redirect.github.com/ruby/rexml/issues/175)
>   - [GH-176](https://redirect.github.com/ruby/rexml/issues/176)
>   - [GH-177](https://redirect.github.com/ruby/rexml/issues/177)
>   - Patch by Watson.
> - Added support for raising a parse exception when an XML has extra content after the root element.
>   - [GH-161](https://redirect.github.com/ruby/rexml/issues/161)
>   - Patch by NAITOH Jun.
> - Added support for raising a parse exception when an XML declaration exists in wrong position.
>   - [GH-162](https://redirect.github.com/ruby/rexml/issues/162)
>   - Patch by NAITOH Jun.
> - Removed needless a space after XML declaration in pretty print mode.
>   - [GH-164](https://redirect.github.com/ruby/rexml/issues/164)
>   - Patch by NAITOH Jun.
> - Stopped to emit `:text` event after the root element.
>   - [GH-167](https://redirect.github.com/ruby/rexml/issues/167)
>   - Patch by NAITOH Jun.
>
> ### Fixes
>
> - Fixed a bug that SAX2 parser doesn't expand predefined entities for `characters` callback.
>   - [GH-168](https://redirect.github.com/ruby/rexml/issues/168)
>   - Patch by NAITOH Jun.
>
> ### Thanks
>
> - NAITOH Jun
> - Watson

</details>

<details>
<summary>Commits</summary>

- [`2b285ac`](https://github.com/ruby/rexml/commit/2b285ac0804f2918de642f7ed4646dc6d645a7fc) Add 3.3.2 entry
- [`0e33d3a`](https://github.com/ruby/rexml/commit/0e33d3adfb5069b20622e5ed9393d10b8cc17b40) test: improve linear performance test names
- [`910e5a2`](https://github.com/ruby/rexml/commit/910e5a2b487cb5a30989884a39f9cad2cc499cfc) Fix performance issue caused by using repeated `>` characters inside `<xml><!...
- [`1f1e6e9`](https://github.com/ruby/rexml/commit/1f1e6e9b40bf339894e843dfd679c2fb1a5ddbf2) Fix ReDoS by using repeated space characters inside `<!DOCTYPE name [<!ATTLIS...
- [`1cc1d9a`](https://github.com/ruby/rexml/commit/1cc1d9a74ede52f3d9ce774cafb11c57b3905165) Suppress have_root not initialized warnings on Ruby < 3
- [`67efb59`](https://github.com/ruby/rexml/commit/67efb5951ed09dbb575c375b130a1e469f437d1f) Fix performance issue caused by using repeated `>` characters inside `<!DOCTY...
- [`a79ac8b`](https://github.com/ruby/rexml/commit/a79ac8b4b42a9efabe33a0be31bd82d33fd50347) Fix performance issue caused by using repeated `>` characters inside `<!DOCTY...
- [`c33ea49`](https://github.com/ruby/rexml/commit/c33ea498102be65082940e8b7d6d31cb2c6e6ee2) Fix performance issue caused by using repeated `>` characters after ` <!DOCTY...
- [`9f1415a`](https://github.com/ruby/rexml/commit/9f1415a2616c77cad44a176eee90e8457b4774b6) Fix performance issue caused by using repeated `>` characters inside `CDATA [...
- [`c1b64c1`](https://github.com/ruby/rexml/commit/c1b64c174ec2e8ca2174c51332670e3be30c865f) Fix performance issue caused by using repeated `>` characters inside comments...
- Additional commits viewable in [compare view](https://github.com/ruby/rexml/compare/v3.3.1...v3.3.2)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Xueqin Cui <[email protected]>
This adds a new "vertical" output format that is designed for humans and based on the output of `osv-detector`, which effectively aims to group the output relating to each entity being scanned in vertical slices: <img width="898" alt="image" src="https://github.com/google/osv-scanner/assets/3151613/61297153-5c22-43a4-a78e-e07ce648142a"> Unfortunately I think it suffers significantly due to the assumptions made by the rest of the codebase for outputting that made sense when the final output was a table i.e. we dump a lot of information as we go about scanning, config files, vulnerability filtering, and so on that really should be grouped but currently cannot because they're all outputted at different stages - I think a way to address that could be using some sort of event-emitter type pattern so that the reporters could be responsible for deciding what they actually do (e.g. `r.Emit("filtered-vulnerability", ...)` and then most reporters could choose to just print immediately, and ones like "vertical" could choose to add it to an internal struct), but I think that'll involve a lot more work; for now I'm just going to ignore the pre-results output. Resolves #85
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | alpine | final | digest | `b89d9c9` -> `0a4eaa0` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv-scanner).
…#1144) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | stage | digest | `0642d4f` -> `48aac60` | This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/gkampitakis/go-snaps](https://togithub.com/gkampitakis/go-snaps) | `v0.5.5` -> `v0.5.6` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgkampitakis%2fgo-snaps/v0.5.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgkampitakis%2fgo-snaps/v0.5.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgkampitakis%2fgo-snaps/v0.5.5/v0.5.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgkampitakis%2fgo-snaps/v0.5.5/v0.5.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [github.com/urfave/cli/v2](https://togithub.com/urfave/cli) | `v2.27.2` -> `v2.27.3` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2furfave%2fcli%2fv2/v2.27.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2furfave%2fcli%2fv2/v2.27.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2furfave%2fcli%2fv2/v2.27.2/v2.27.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2furfave%2fcli%2fv2/v2.27.2/v2.27.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)</summary> ### [`v0.5.6`](https://togithub.com/gkampitakis/go-snaps/releases/tag/v0.5.6) [Compare 
Source](https://togithub.com/gkampitakis/go-snaps/compare/v0.5.5...v0.5.6) #### What's Changed - feat: support matchStandaloneSnapshot by [@​gkampitakis](https://togithub.com/gkampitakis) in [https://github.com/gkampitakis/go-snaps/pull/102](https://togithub.com/gkampitakis/go-snaps/pull/102) - feat: support setting file extension by [@​gkampitakis](https://togithub.com/gkampitakis) in [https://github.com/gkampitakis/go-snaps/pull/102](https://togithub.com/gkampitakis/go-snaps/pull/102) **Full Changelog**: gkampitakis/go-snaps@v0.5.5...v0.5.6 </details> <details> <summary>urfave/cli (github.com/urfave/cli/v2)</summary> ### [`v2.27.3`](https://togithub.com/urfave/cli/releases/tag/v2.27.3) [Compare Source](https://togithub.com/urfave/cli/compare/v2.27.2...v2.27.3) #### What's Changed - v2 Docs: Mention value from env as default value by [@​sj14](https://togithub.com/sj14) in [https://github.com/urfave/cli/pull/1910](https://togithub.com/urfave/cli/pull/1910) - Bump github.com/xrash/smetrics dependency by [@​elezar](https://togithub.com/elezar) in [https://github.com/urfave/cli/pull/1911](https://togithub.com/urfave/cli/pull/1911) - fix: disable bash completion if double dash is included in arguments (v2) by [@​suzuki-shunsuke](https://togithub.com/suzuki-shunsuke) in [https://github.com/urfave/cli/pull/1938](https://togithub.com/urfave/cli/pull/1938) - Fix improper whitespace formatting in usageTemplate, AppHelpTemplate … by [@​caeret](https://togithub.com/caeret) in [https://github.com/urfave/cli/pull/1947](https://togithub.com/urfave/cli/pull/1947) #### New Contributors - [@​sj14](https://togithub.com/sj14) made their first contribution in [https://github.com/urfave/cli/pull/1910](https://togithub.com/urfave/cli/pull/1910) - [@​elezar](https://togithub.com/elezar) made their first contribution in [https://github.com/urfave/cli/pull/1911](https://togithub.com/urfave/cli/pull/1911) - [@​caeret](https://togithub.com/caeret) made their first contribution in 
[https://github.com/urfave/cli/pull/1947](https://togithub.com/urfave/cli/pull/1947) **Full Changelog**: urfave/cli@v2.27.2...v2.27.3 </details> --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [docker/login-action](https://togithub.com/docker/login-action) | action | digest | `0d4c9c5` -> `9780b0c` | | [docker/setup-buildx-action](https://togithub.com/docker/setup-buildx-action) | action | digest | `4fd8129` -> `aa33708` | | [docker/setup-qemu-action](https://togithub.com/docker/setup-qemu-action) | action | digest | `5927c83` -> `49b3bc8` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.25.13` -> `v3.25.15` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [ruby/setup-ruby](https://togithub.com/ruby/setup-ruby) | action | minor | `v1.187.0` -> `v1.190.0` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.25.15`](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) ### [`v3.25.14`](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) </details> <details> <summary>ruby/setup-ruby (ruby/setup-ruby)</summary> ### [`v1.190.0`](https://togithub.com/ruby/setup-ruby/releases/tag/v1.190.0) [Compare Source](https://togithub.com/ruby/setup-ruby/compare/v1.189.0...v1.190.0) ##### What's Changed - Update CRuby releases on Windows by [@​ruby-builder-bot](https://togithub.com/ruby-builder-bot) in 
[https://github.com/ruby/setup-ruby/pull/628](https://togithub.com/ruby/setup-ruby/pull/628) **Full Changelog**: ruby/setup-ruby@v1.189.0...v1.190.0 ### [`v1.189.0`](https://togithub.com/ruby/setup-ruby/releases/tag/v1.189.0) [Compare Source](https://togithub.com/ruby/setup-ruby/compare/v1.188.0...v1.189.0) #### What's Changed - docs: update ruby-version comment by [@​chenrui333](https://togithub.com/chenrui333) in [https://github.com/ruby/setup-ruby/pull/626](https://togithub.com/ruby/setup-ruby/pull/626) - Add ruby-3.2.5 by [@​ruby-builder-bot](https://togithub.com/ruby-builder-bot) in [https://github.com/ruby/setup-ruby/pull/627](https://togithub.com/ruby/setup-ruby/pull/627) #### New Contributors - [@​chenrui333](https://togithub.com/chenrui333) made their first contribution in [https://github.com/ruby/setup-ruby/pull/626](https://togithub.com/ruby/setup-ruby/pull/626) **Full Changelog**: ruby/setup-ruby@v1.188.0...v1.189.0 ### [`v1.188.0`](https://togithub.com/ruby/setup-ruby/releases/tag/v1.188.0) [Compare Source](https://togithub.com/ruby/setup-ruby/compare/v1.187.0...v1.188.0) ##### What's Changed - Add truffleruby-24.0.2,truffleruby+graalvm-24.0.2 by [@​ruby-builder-bot](https://togithub.com/ruby-builder-bot) in [https://github.com/ruby/setup-ruby/pull/625](https://togithub.com/ruby/setup-ruby/pull/625) **Full Changelog**: ruby/setup-ruby@v1.187.0...v1.188.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. 
This PR includes some improvements to the Maven manifest updater: - rename functions from `update` to `write` - trim white space when writing a new string value - for a dependency with an empty version, keep looking for a non-empty requirement
Run hourly and increase operations per run. This will allow a single pass through all the existing issues to complete, and react to removing the stale label with less latency. https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#primary-rate-limit-for-github_token-in-github-actions
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/).
…return a non-zero exit code in osv-reporter (#1152) If all vulnerabilities are not called, don't return a non-zero exit code in osv-reporter.
When Maven looks for the parent POM, it first looks up the specified relative path, then looks for the default relative path, which is `../pom.xml`, and lastly in the remote repository. If only a directory is specified in the relative path, `pom.xml` will be looked up automatically. Reference: https://maven.apache.org/ref/3.9.8/maven-model/maven.html#parent Currently, OSV-Scanner only does some of the steps above; this PR corrects this. Also, considering both `internal/manifest` and `internal/resolution/manifest` require basically the same logic for merging parent POMs, I would like to refactor this in a follow-up PR.
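The parent lookup order described in that commit, as an added example in Go that is not part of OSV-Scanner's own code: `ParentPOMCandidates` builds the local paths Maven tries in order (the explicit `relativePath`, with `pom.xml` appended when it names a directory, then the default `../pom.xml`), and `FindLocalParentPOM` returns the first one that exists, leaving the remote-repository step to the caller. The function names and the injected `exists`/`isDir` callbacks are assumptions made here so the logic can be exercised without a real checkout.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// DefaultParentRelativePath is what Maven assumes when <relativePath> is absent.
const DefaultParentRelativePath = "../pom.xml"

// ParentPOMCandidates returns the local file paths Maven tries, in order, when
// resolving the parent of the POM that lives in pomDir. relativePath is the
// value of <parent><relativePath>, or "" when the element is not present.
// isDir reports whether a path is an existing directory; it is injected
// (an assumption of this example) so the ordering logic can be tested offline.
func ParentPOMCandidates(pomDir, relativePath string, isDir func(string) bool) []string {
	var candidates []string
	if relativePath != "" {
		p := filepath.Join(pomDir, filepath.FromSlash(relativePath))
		// If only a directory is given, Maven looks for pom.xml inside it.
		if isDir(p) {
			p = filepath.Join(p, "pom.xml")
		}
		candidates = append(candidates, p)
	}
	// The default location is always tried next, unless it was already
	// named explicitly (filepath.Join cleans "module/../pom.xml" to "pom.xml").
	def := filepath.Join(pomDir, filepath.FromSlash(DefaultParentRelativePath))
	if len(candidates) == 0 || candidates[0] != def {
		candidates = append(candidates, def)
	}
	return candidates
}

// FindLocalParentPOM walks the candidates and returns the first existing file.
// ok is false when nothing matches locally, meaning the caller must fall back
// to the remote repository, the last step Maven takes.
func FindLocalParentPOM(pomDir, relativePath string, exists, isDir func(string) bool) (string, bool) {
	for _, c := range ParentPOMCandidates(pomDir, relativePath, isDir) {
		if exists(c) {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Stand-alone usage against the real filesystem:
	//   go run . <directory containing pom.xml> [relativePath]
	isDir := func(p string) bool {
		fi, err := os.Stat(p)
		return err == nil && fi.IsDir()
	}
	exists := func(p string) bool {
		fi, err := os.Stat(p)
		return err == nil && !fi.IsDir()
	}
	dir, rel := ".", ""
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	if len(os.Args) > 2 {
		rel = os.Args[2]
	}
	if p, ok := FindLocalParentPOM(dir, rel, exists, isDir); ok {
		fmt.Println("parent POM found locally at", p)
	} else {
		fmt.Println("no local parent POM; Maven would consult the remote repository")
	}
}
```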
…ave defined `<classifier>` or `<type>` (#1151) There is currently no way in the deps.dev API to determine the Maven classifiers/types that exist for a given version of a package. Not knowing this, the override strategy can end up bumping to a version that does not exist, which would cause a compilation failure that can't be detected in code. I'm avoiding the bigger issue here by just explicitly preventing remediation for those artifacts... This will also prevent the infinite loop I mentioned in #1025 (comment)
There are two places we read Maven pom.xml: - Transitive scanning in `internal/manifest` - Guided remediation in `internal/resolution/manifest` Both share the same logic to merge parents, so this PR consolidates the implementation in `internal/manifest`. This PR also updates `deps.dev` dependencies to the latest version.
Fix updated snapshots to make merging possible.
This way they're easily identifiable for later review. Add a nudge to encourage contribution for stale issues. Convert message text to multiline strings for ease of future maintenance. Aggregate related configuration for ease of comprehension and future maintenance.
…erride (#1136) #1141 Adds `--strategy=override` for `osv-scanner fix --non-interactive` for `pom.xml` manifest files. For now interactive mode will print an error telling you to use non-interactive mode if you try `pom.xml`. Also, made non-interactive mode decide which strategy to use if not explicitly specified based on the provided manifests / lockfiles.
…er group (#1158) Bumps the bundler group in /docs with 1 update: [rexml](https://github.com/ruby/rexml). Updates `rexml` from 3.3.2 to 3.3.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/rexml/releases">rexml's releases</a>.</em></p> <blockquote> <h2>REXML 3.3.3 - 2024-08-01</h2> <h3>Improvements</h3> <ul> <li> <p>Added support for detecting invalid XML that has unsupported content before root element</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/184">GH-184</a></li> <li>Patch by NAITOH Jun.</li> </ul> </li> <li> <p>Added support for <code>REXML::Security.entity_expansion_limit=</code> and <code>REXML::Security.entity_expansion_text_limit=</code> in SAX2 and pull parsers</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/187">GH-187</a></li> <li>Patch by NAITOH Jun.</li> </ul> </li> <li> <p>Added more tests for invalid XMLs.</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/183">GH-183</a></li> <li>Patch by Watson.</li> </ul> </li> <li> <p>Added more performance tests.</p> <ul> <li>Patch by Watson.</li> </ul> </li> <li> <p>Improved parse performance.</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/186">GH-186</a></li> <li>Patch by tomoya ishida.</li> </ul> </li> </ul> <h3>Thanks</h3> <ul> <li> <p>NAITOH Jun</p> </li> <li> <p>Watson</p> </li> <li> <p>tomoya ishida</p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ruby/rexml/blob/master/NEWS.md">rexml's changelog</a>.</em></p> <blockquote> <h2>3.3.3 - 2024-08-01 {#version-3-3-3}</h2> <h3>Improvements</h3> <ul> <li> <p>Added support for detecting invalid XML that has unsupported content before root element</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/184">GH-184</a></li> <li>Patch by NAITOH Jun.</li> </ul> </li> <li> <p>Added support for <code>REXML::Security.entity_expansion_limit=</code> and 
<code>REXML::Security.entity_expansion_text_limit=</code> in SAX2 and pull parsers</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/187">GH-187</a></li> <li>Patch by NAITOH Jun.</li> </ul> </li> <li> <p>Added more tests for invalid XMLs.</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/183">GH-183</a></li> <li>Patch by Watson.</li> </ul> </li> <li> <p>Added more performance tests.</p> <ul> <li>Patch by Watson.</li> </ul> </li> <li> <p>Improved parse performance.</p> <ul> <li><a href="https://redirect.github.com/ruby/rexml/issues/186">GH-186</a></li> <li>Patch by tomoya ishida.</li> </ul> </li> </ul> <h3>Thanks</h3> <ul> <li> <p>NAITOH Jun</p> </li> <li> <p>Watson</p> </li> <li> <p>tomoya ishida</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ruby/rexml/commit/e4a067e11235a2ec7a00616d41350485e384ec05"><code>e4a067e</code></a> Add 3.3.3 entry</li> <li><a href="https://github.com/ruby/rexml/commit/17ff3e78745b31db4e841357e8eed2f6669bea7b"><code>17ff3e7</code></a> test: add a performance test for attribute list declaration</li> <li><a href="https://github.com/ruby/rexml/commit/be86b3de0aca8394534b715a83a63bf51c5195f5"><code>be86b3d</code></a> test: fix wrong test name</li> <li><a href="https://github.com/ruby/rexml/commit/b93d790b36c065a3f7f3e0c3f5b2b71254a4d96d"><code>b93d790</code></a> test: use double quote for string literal</li> <li><a href="https://github.com/ruby/rexml/commit/0fbe7d5a0eac8cfaffa6c3b27f3b9a90061a0fbc"><code>0fbe7d5</code></a> test: don't use abbreviated name</li> <li><a href="https://github.com/ruby/rexml/commit/1599e8785f2d7734169aeb37a0b5d94f8212356d"><code>1599e87</code></a> test: add a performance test for PI with many tabs</li> <li><a href="https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6"><code>e2546e6</code></a> parse pi: improve invalid case detection</li> <li><a 
href="https://github.com/ruby/rexml/commit/73661ef281f5a829f7fec4ea673d42436c533ded"><code>73661ef</code></a> test: fix a typo</li> <li><a href="https://github.com/ruby/rexml/commit/850488abf20f9327ebc00094cd3bb64eea400a59"><code>850488a</code></a> test: use double quote for string literal</li> <li><a href="https://github.com/ruby/rexml/commit/46c6397d5c647a700fb1817d0093471621d92a27"><code>46c6397</code></a> test: add performance tests for entity declaration</li> <li>Additional commits viewable in <a href="https://github.com/ruby/rexml/compare/v3.3.2...v3.3.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=rexml&package-manager=bundler&previous-version=3.3.2&new-version=3.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Xueqin Cui <[email protected]>
Pre-release is failing due to a vulnerability on dependency `github.com/docker/docker` and this PR updates it to the latest version.
Update changelog for v1.8.3
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
@@ -0,0 +1,32 @@ | |||
name: "Close stale issues and PRs" |
Check failure
Code scanning / Scorecard
Token-Permissions High
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
stale: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/stale@v9 |
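Review bot: the `uses: actions/stale@v9` line pins the action to a mutable major-version tag, and the new workflow declares no top-level `permissions:` block, which are exactly the two Scorecard findings on this file (Pinned-Dependencies and Token-Permissions). Pin the action to its full commit SHA with the version kept in a trailing comment, and add a `permissions:` block that limits `GITHUB_TOKEN` to the scopes the stale job actually needs, so that a moved tag or a compromised action cannot act with the token's broader default permissions.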
Check warning
Code scanning / Scorecard
Pinned-Dependencies Medium
Remediation tip: update your workflow using https://app.stepsecurity.io
Click Remediation section below for further remediation help
FYI @andrewpollock
We will fix the token permission issue on the main branch.