From 32a98068e1329c2c1ba41a929bbec454733138da Mon Sep 17 00:00:00 2001
From: Patrick Sullivan
Date: Fri, 29 Sep 2023 13:34:10 -0400
Subject: [PATCH] fix(monorepo): Resolved Prototype Pollution in minimist dependency
For more info please see [the associated Dependabot alert](https://github.com/stormstack/stormstack/security/dependabot/28)
---
 .github/workflows/greetings.yml | 10 +++++++++-
 package.json | 3 ++-
 pnpm-lock.yaml | 12 ++++--------
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
index 0abd600f5..5b9558b78 100644
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -2,6 +2,14 @@ name: "Greetings"
 on: [pull_request_target, issues]
+env:
+ CI: true
+ NX_DAEMON: false
+ NX_VERBOSE_LOGGING: true
+ GITHUB_ACTOR: "🤖 Storm Bot"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
 greeting:
 runs-on: ubuntu-latest
@@ -12,5 +20,5 @@ jobs:
 - uses: actions/first-interaction@v1
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
- issue-message: "Thank you for your interest in this project! We will review this issue and reach out to you ASAP.' first issue"
+ issue-message: "Thank you for your interest in this project! We will review this issue and reach out to you ASAP"
 pr-message: "We sincerely appreciate your effort/interest in contributing to this project. We will review this change and get back to you ASAP. Please feel free to reach out to the DEV team if you have any questions/comments."
diff --git a/package.json b/package.json
index e5da9a56f..051e5127e 100644
--- a/package.json
+++ b/package.json
@@ -94,7 +94,8 @@
 },
 "prettier": "./dist/tools/devops/config/prettier/index.js",
 "resolutions": {
- "graphql": "^16.8.0"
+ "graphql": "^16.8.0",
+ "minimist": "^1.2.6"
 },
 "dependencies": {
 "@cloudflare/workers-types": "^4.20230904.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6971d6f31..cde9d5feb 100644
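Review bot: The two token entries added to the workflow-level `env` block (`GITHUB_TOKEN` and `GH_TOKEN`) place the repository token in the environment of every step of every job in a workflow that triggers on `pull_request_target`, although the only step shown already receives it through `repo-token`. I would drop both lines and keep the token scoped to that step input; the job's `permissions` are not visible in this hunk, so confirm they are limited to `issues: write` and `pull-requests: write`. `GITHUB_ACTOR` is a runner-provided default variable and, as far as I know, `GITHUB_*` defaults cannot be overridden from `env`, so that line likely has no effect. The `NX_*` entries look unrelated both to a greeting job and to the minimist fix the commit message describes, so they are better split into their own change.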
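Review bot: The new `"minimist": "^1.2.6"` entry under `resolutions` is a global override, so it also moves dependents that asked for the 0.x line onto 1.x: the lockfile part of this commit shows a legacy mkdirp entry going from `minimist: 0.0.8` to `minimist: 1.2.8`. That clears the alert, but the override masks the actual source, a deprecated transitive package, and JSON leaves no place to record why the pin exists. Consider finding what still pulls that mkdirp release (`pnpm why mkdirp`) and upgrading it so the override can be removed later, and record the reason for the override in the contributor docs or the PR description.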
--- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: graphql: ^16.8.0 + minimist: ^1.2.6 patchedDependencies: '@graphql-hive/client@0.24.1': @@ -4835,7 +4836,7 @@ packages: '@commitlint/types': 17.4.4 '@types/node': 20.4.7 chalk: 4.1.0 - cosmiconfig: 8.3.6(typescript@5.2.0-beta) + cosmiconfig: 8.3.6(typescript@4.9.5) cosmiconfig-typescript-loader: 4.4.0(@types/node@20.4.7)(cosmiconfig@8.3.6)(ts-node@10.9.1)(typescript@4.9.5) lodash.isplainobject: 4.0.6 lodash.merge: 4.6.2 @@ -21225,7 +21226,7 @@ packages: typescript: '>=4' dependencies: '@types/node': 20.4.7 - cosmiconfig: 8.3.6(typescript@5.2.0-beta) + cosmiconfig: 8.3.6(typescript@4.9.5) ts-node: 10.9.1(@swc/core@1.3.90)(@types/node@20.4.7)(typescript@4.9.5) typescript: 4.9.5 @@ -21283,7 +21284,6 @@ packages: parse-json: 5.2.0 path-type: 4.0.0(patch_hash=t2y4p5c63ifj2lrtth34hk3bda) typescript: 4.9.5 - dev: false /cosmiconfig@8.3.6(typescript@5.2.0-beta): resolution: {integrity: sha512-kcZ6+W5QzcJ3P1Mt+83OUv/oHFqZHIx8DuxG6eZ5RGMERoLqp4BuGjhHLYGK+Kf5XVkQvqBSmAy/nGWN3qDgEA==} @@ -31226,10 +31226,6 @@ packages: kind-of: 6.0.3 dev: true - /minimist@0.0.8: - resolution: {integrity: sha512-miQKw5Hv4NS1Psg2517mV4e4dYNaO3++hjAvLOAzKqZ61rH8NS1SK+vbfBWZ5PY/Me/bEWhUwqMghEW5Fb9T7Q==} - dev: false - /minimist@1.2.7: resolution: {integrity: sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==} @@ -31331,7 +31327,7 @@ packages: deprecated: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) hasBin: true dependencies: - minimist: 0.0.8 + minimist: 1.2.8 dev: false /mkdirp@0.5.6: