
halospv3 / hce.shared


Infrastructure resources shared with other HaloSPV3 repositories.

Home Page: https://www.npmjs.com/package/@halospv3/hce.shared-config

License: MIT License

Shell 0.15% TypeScript 91.36% JavaScript 5.88% PowerShell 2.61%
npm semantic-release-config

hce.shared's People

Contributors

bintoss, dependabot[bot], mend-bolt-for-github[bot], renovate-bot, renovate[bot], semantic-release-bot


hce.shared's Issues

`semanticReleaseConfigDotnet#appendPlugins` was broken by an async promise a long time ago

OH! F***!

That's a Promise where a Promise's result should be!

Affects ^2.3.0 and all of next/3.0.0.

Blame 09d4202 feat(dotnet, node): convert static "Semantic Release Dotnet" to dynamic, exported config object

CVE-2022-21681 (High) detected in marked-2.1.3.tgz - autoclosed

CVE-2022-21681 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: c582aa25b59f324ce3d0e9df88ea24683f98cde0

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10



TODO: rewrite semanticReleaseConfigDotnet.ts and related files to improve NuGet functionality

semanticReleaseConfigDotnet.ts

NuGet clients and server APIs do not implement --dry-run functionality. The request for it has been open for three years with no progress. So, I have to improvise effectively-equivalent functionality out of existing NuGet features.

  • If the authorization token DOES NOT have permission to push new versions/packages for the given package ID, fail the release.
  • If the package ID already has the new version listed, fail the release.

Both are accomplished by the following:

  • grab the new version during Prepare
  • copy our pre-made, lightweight v0.0.1-DUMMY dummy package. Overwrite its PackageID with the real ID.
  • query the NuGet source (i.e. package registry/server) for the package ID and check the existing package versions for the "new version" we want to publish.
  • dotnet nuget push ./publish/${PackageId}.0.0.1-DUMMY.nupkg -source NugetSourceName --api-key private_token --skip-duplicate.

--skip-duplicate tells the Source and client it's okay if the dummy package already exists.
If we do not receive an error, proceed. If the error is 403, then the token was denied access. This can happen if "the token is invalid, unrecognized, or was denied access to the Source" (private, GitLab, GitHub), "the token has Write or Delete permission for one or more packages, but was used for a package ID it's not authorized to access" (NuGet.org, private), or "the token was created without Write or Delete permissions" (any source). If any error occurs, including 403, add the error to an array.

Repeat for every given PackageId, per each NuGet source. Each PackageId will need one auth token per Source.

After all test pushes finish and if the error array is not empty, throw new AggregateError(errors) and halt the release procedure. Otherwise, proceed with the rest of the release procedure.

I'll need:

  • new FileInfo class for MSBuildProject constructor parameter. Ensures the parameter passed to the constructor represents an existing file. Dirent is close, but requires extra steps to get. Our TypeScript/JavaScript runtime will not read the project file's contents directly—we delegate that to Dotnet CLI's dotnet msbuild -getProperty:PropertyName0 -getProperty:PropertyName1 ... to evaluate MSBuild properties.
  • NugetRegistryInfo constructor with MSBuildProject parameter
  • ...
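The dry-run substitute sketched in this issue, as an added example written for this page rather than code from hce.shared: the argv builder, the 403 classification and the per-pair error aggregation are mine. `runPush` and `listVersions` are injected stand-ins for `dotnet nuget push` and the registry version query, and `FAKE_REGISTRY`, the package ID `Contoso.Lib` and the token strings are constructed so the block runs offline; a real implementation would make both callbacks asynchronous and spawn the CLI.

```javascript
// Added example (not hce.shared's code): emulate `dotnet nuget push --dry-run`
// with a dummy-package probe push per (packageId, source) pair, collecting every
// failure into one AggregateError as the issue proposes.

const DUMMY_VERSION = "0.0.1-DUMMY";

// Build the argv for the probe push. `--skip-duplicate` makes a pre-existing
// dummy package a non-error, so the probe only fails on authorization problems.
function buildDummyPushArgs(packageId, sourceName, apiKey) {
  return [
    "nuget", "push", `./publish/${packageId}.${DUMMY_VERSION}.nupkg`,
    "--source", sourceName,
    "--api-key", apiKey,
    "--skip-duplicate",
  ];
}

// Turn a push result into a reason string, or null on success.
// 403 is singled out because it is the "token denied" case from the issue.
function classifyPushResult(result, packageId, sourceName) {
  if (result.exitCode === 0) return null;
  if (result.status === 403) {
    return `403 from ${sourceName} for ${packageId}: token is invalid, unrecognized, or lacks Write/Delete permission for this package ID`;
  }
  return `push to ${sourceName} for ${packageId} failed (exit ${result.exitCode}, status ${result.status ?? "n/a"}): ${result.stderr ?? ""}`;
}

// Run both checks for every (packageId, source) pair. `pairs` is
// [{ packageId, sourceName, apiKey }] and `newVersion` is the value grabbed
// during Prepare. `listVersions(sourceName, packageId)` and `runPush(args)`
// are injected so the logic is testable without a network.
function verifyPushAccess(pairs, newVersion, { listVersions, runPush }) {
  const errors = [];
  for (const { packageId, sourceName, apiKey } of pairs) {
    // Check: the version we want to publish must not already be listed.
    const existing = listVersions(sourceName, packageId);
    if (existing.includes(newVersion)) {
      errors.push(new Error(`${packageId} ${newVersion} already exists on ${sourceName}`));
    }
    // Check: the token must be allowed to push this package ID to this source.
    const result = runPush(buildDummyPushArgs(packageId, sourceName, apiKey));
    const reason = classifyPushResult(result, packageId, sourceName);
    if (reason !== null) errors.push(new Error(reason));
  }
  if (errors.length > 0) {
    throw new AggregateError(errors, `${errors.length} NuGet pre-publish check(s) failed`);
  }
  return { checked: pairs.length };
}

// Constructed fake registry for a stand-alone run (not real data).
const FAKE_REGISTRY = {
  "nuget.org": {
    versions: { "Contoso.Lib": ["1.0.0", "1.1.0"] },
    writers: { "Contoso.Lib": ["tok-contoso"] }, // tokens allowed to push each ID
  },
};

function fakeListVersions(sourceName, packageId) {
  return FAKE_REGISTRY[sourceName]?.versions[packageId] ?? [];
}

// Interprets the argv exactly as buildDummyPushArgs lays it out.
function fakeRunPush(args) {
  const file = args[args.indexOf("push") + 1];
  const packageId = file.replace(/^\.\/publish\//, "").replace(`.${DUMMY_VERSION}.nupkg`, "");
  const sourceName = args[args.indexOf("--source") + 1];
  const apiKey = args[args.indexOf("--api-key") + 1];
  const allowed = FAKE_REGISTRY[sourceName]?.writers[packageId] ?? [];
  if (!allowed.includes(apiKey)) return { exitCode: 1, status: 403, stderr: "Forbidden" };
  return { exitCode: 0, status: 200, stderr: "" };
}

// Return the outcome as data so a caller can inspect it instead of reading logs.
function demo(pairs, newVersion) {
  try {
    return verifyPushAccess(pairs, newVersion, { listVersions: fakeListVersions, runPush: fakeRunPush });
  } catch (e) {
    if (e instanceof AggregateError) return { failed: e.errors.map((x) => x.message) };
    throw e;
  }
}

console.log(demo([{ packageId: "Contoso.Lib", sourceName: "nuget.org", apiKey: "tok-wrong" }], "1.1.0"));
```

Keeping the two checks in one loop means a single run reports every problem across all package IDs and sources, so a misconfigured token for one source is not discovered only after the first source has already been pushed to.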

CVE-2022-29244 (Medium) detected in npm-8.5.0.tgz - autoclosed

CVE-2022-29244 - Medium Severity Vulnerability

Vulnerable Library - npm-8.5.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-8.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • npm-9.0.1.tgz (Root Library)
    • npm-8.5.0.tgz (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the patched version of npm (v8.11.0 or greater).

Publish Date: 2022-04-14

URL: CVE-2022-29244

CVSS 3 Score Details (5.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-04-14

Fix Resolution: npm - 8.11.0



release is failing

https://github.com/HaloSPV3/HCE.Shared/actions/runs/9305592576/job/25612897854

 [4:01:08 PM] [semantic-release] › ✘  An error occurred while running semantic-release: RangeError: Invalid time value
    at committerDate (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/index.js:80:30)
    at /home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/lib/util.js:202:17
    at Array.forEach (<anonymous>)
    at processCommit (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/lib/util.js:198:31)
    at /home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/index.js:123:32 {
  pluginName: '@semantic-release/release-notes-generator'
}
RangeError: Invalid time value
    at committerDate (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/index.js:80:30)
    at /home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/lib/util.js:202:17
    at Array.forEach (<anonymous>)
    at processCommit (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/lib/util.js:198:31)
    at /home/runner/work/HCE.Shared/HCE.Shared/node_modules/conventional-changelog-writer/index.js:123:32 {
  pluginName: '@semantic-release/release-notes-generator'
}
Error: Process completed with exit code 1.

Caused by breaking changes in conventional-changelog-* packages.

Add branch `develop`

This branch is for staging changes for a release. This is most helpful for merging multiple Dependabot and Renovate PRs without triggering a release for each merge.

Todo

  • 3.x: Configure Babel to never build CJS. See if that fixes the internal transpiler Error.
  • Configure Dependabot to analyze main? Only create Issues.
  • Configure Dependabot to base PRs onto develop
  • Configure Renovate to analyze main? Only create Issues.
  • Configure Renovate to base PRs onto develop
  • Push some/all of my local changes (commit incomplete changes to a feature branch?)

CVE-2021-43307 (Medium) detected in semver-regex-3.1.3.tgz - autoclosed

CVE-2021-43307 - Medium Severity Vulnerability

Vulnerable Library - semver-regex-3.1.3.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • find-versions-4.0.0.tgz
      • semver-regex-3.1.3.tgz (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2021-11-03

Fix Resolution: semver-regex - 3.1.4,4.0.3



Dependency Dashboard

This issue lists Renovate updates and detected dependencies.


Detected dependencies

github-actions
.github/workflows/_dotnet-build.yml
  • actions/checkout v4
  • actions/setup-node v4
  • actions/setup-dotnet v4
.github/workflows/_dotnet-unit_test.yml
  • actions/checkout v4
  • actions/setup-node v4
  • actions/setup-dotnet v4
.github/workflows/conv-pull-requests.yml
  • Namchee/conventional-pr v0.15.4
.github/workflows/dotnet-release.yml
  • actions/checkout v4
  • actions/setup-node v4
  • actions/setup-dotnet v4
.github/workflows/npm-ci-and-pack.yml
  • actions/checkout v4
  • actions/setup-node v4
.github/workflows/npm-release.yml
  • actions/checkout v4
  • actions/setup-node v4
dotnet/.github/workflows/_unit_test.yml
  • actions/checkout v4
  • actions/setup-node v4
  • actions/setup-dotnet v4.0.0
dotnet/.github/workflows/dotnet-release.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
  • actions/setup-node v4
dotnet/.github/workflows/sample-dotnet-build.yml
  • actions/checkout v4
  • actions/setup-dotnet v4
npm
package.json
  • @commitlint/cli ^19.3.0
  • @commitlint/config-conventional ^19.2.2
  • @commitlint/types ^19.0.3
  • @eslint/js ^9.3.0
  • @octokit/request ^9.1.0
  • @semantic-release/changelog ^6.0.3
  • @semantic-release/commit-analyzer ^13.0.0
  • @semantic-release/exec ^6.0.3
  • @semantic-release/git ^10.0.1
  • @semantic-release/github ^10.0.4
  • @semantic-release/npm ^12.0.0
  • @semantic-release/release-notes-generator ^14.0.0
  • @stylistic/eslint-plugin ^2.1.0
  • @types/eslint__js ^8.42.3
  • @types/js-yaml ^4.0.9
  • @types/node ^20.12.12
  • @types/semantic-release ^20.0.6
  • @typescript-eslint/eslint-plugin ^7.10.0
  • @typescript-eslint/parser ^7.10.0
  • conventional-changelog-conventionalcommits ^8.0.0
  • debug ^4.3.4
  • eslint-plugin-jsonc ^2.15.1
  • globals ^15.3.0
  • husky ^9.0.11
  • js-yaml ^4.1.0
  • node-fetch ^3.3.2
  • semantic-release ^24.0.0
  • semantic-release-export-data ^1.0.1
  • typescript-eslint ^7.10.0
  • @babel/cli ^7.24.6
  • @babel/core ^7.24.6
  • @babel/eslint-parser ^7.24.6
  • @eslint/eslintrc ^3.1.0
  • @tsconfig/node-lts ^20.1.2
  • @types/babel__core ^7.20.5
  • @types/debug ^4.1.12
  • @types/eslint__eslintrc ^2.1.1
  • @types/tmp ^0.2.6
  • ajv ^8.13.0
  • ajv-draft-04 ^1.0.0
  • dotenv ^16.4.5
  • eslint ^8.57.0
  • node-fetch ^3.3.2
  • packemon ^4.0.1
  • prettier ^3.2.5
  • prettier-config-moon ^1.1.2
  • tmp ^0.2.3
  • tslib ^2.6.2
  • tsx ^4.10.5
  • typescript ^5.4.5
  • node >=20.8.1
  • npm >=10.5.0


CVE-2024-4068 (High) detected in braces-3.0.2.tgz

CVE-2024-4068 - High Severity Vulnerability

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • commit-analyzer-12.0.0.tgz (Root Library)
    • micromatch-4.0.5.tgz
      • braces-3.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: braces - 3.0.3



Workaround for lack of `dotnet nuget push --dry-run` will always fail for Nuget.org

While investigating #407, I stumbled upon a design failure which may require breaking changes to fix.

Problem 1

Our Nuget.org token tests will always respond with Error 403 (unauthorized) when using the same "static dummy package" strategy we use for GitHub and GitLab (W.I.P.). The generated package ID of the dummy package is "DUMMY". This package ID corresponds to the hidden package https://www.nuget.org/packages/DUMMY/ which almost none of our API users can push to. Hence, HTTP Error 403.

Problem 2

Even if the token has permission to push DUMMY to Nuget.org, it may lack permission to push the real packages, causing a critical failure partway through semantic release's publish step. Git tags and more will have been created by then, so the partial release will need to be cleaned up manually.

Proposal

Part 1: Object Type

  • A source is a Nuget API URL. { url: URL | string }
  • A source cannot be accessed without an API token. { tokenEnvVar: string }
    • A token's value should be in memory for as little time as possible.
  • One or more package IDs must be paired with a token and source. A package can be pushed to multiple sources, but a package cannot have multiple tokens for one source. { packageIDs: string[] }

implements NugetRegistryPair?
extends NugetRegistryInformation?

class PushInfo {
  readonly url: URL | string;
  readonly tokenEnvVar: string;
  constructor(url: URL | string, tokenEnvVar: string) {
    this.url = url;
    this.tokenEnvVar = tokenEnvVar;
  }
  // only the env var's name is stored; the token value is resolved on demand
  get tokenValue(): undefined | string {
    // if not already in process.env, load .env file from process.cwd(), update process.env, and return the env var's value or undefined
    return getEnvVarValue(this.tokenEnvVar);
  }
}

Part 2: Implementation

  • Locate *.*proj using projectsToPackAndPush (array of glob strings)
  • Per-project, evaluate package IDs with dotnet msbuild ${projPath} -getProperty:PackageId to get their package IDs
  • If a given project ID does not exist at the given registry, set dummy version to 0.0.1-dummy.
    • otherwise, set dummy's version to latest package version.
  • Don't forget --skip-duplicate!
  • Create a copy of DUMMY.*.nupkg (or create a new one with a custom ID; refactor createDummyNupkg) with Version 0.0.1-DUMMY.
    • Can we de-list it to prevent clutter?
  • Optional: refactor dummy-push commands to semantic-release/exec's verifyConditionsCmd to conform to semantic-release expectations
  • Don't forget to allow signing dummy packages! Dummy packages may be rejected despite valid tokens if they are unsigned and pushed to a signed-only package ID!
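The object type from Part 1 of the proposal, as an added example written for this page rather than code from hce.shared: the lazy token getter, a minimal `.env` parser, and the "one token per package ID per source" rule are mine. The `env` store and the `readDotenv` callback are injected so the block runs offline (production code would pass `process.env` and a function that reads `.env` from `process.cwd()`); the env var names, token strings, `.env` text and the package ID `Example.Package` are constructed sample data.

```javascript
// Added example (not hce.shared's code): PushInfo with on-demand token lookup,
// a minimal .env loader, and a registry enforcing one token per package per source.

// Minimal .env parser: KEY=VALUE lines, optional matching quotes, '#' comments
// and blank lines ignored. Deliberately not a full dotenv implementation.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// Resolve an env var: use `env` if already set, otherwise load the .env file
// once (never overwriting values already in `env`) and look again.
function makeEnvResolver(env, readDotenv) {
  let loaded = false;
  return function getEnvVarValue(name) {
    if (env[name] !== undefined) return env[name];
    if (!loaded) {
      loaded = true;
      for (const [k, v] of Object.entries(parseDotenv(readDotenv() ?? ""))) {
        if (env[k] === undefined) env[k] = v;
      }
    }
    return env[name];
  };
}

class PushInfo {
  constructor({ url, tokenEnvVar, packageIDs }, getEnvVarValue) {
    if (!Array.isArray(packageIDs) || packageIDs.length === 0) {
      throw new TypeError("PushInfo needs at least one package ID");
    }
    this.url = url instanceof URL ? url : new URL(url); // throws on a malformed source URL
    this.tokenEnvVar = tokenEnvVar;
    this.packageIDs = Object.freeze([...packageIDs]);
    // Only the variable *name* lives on the object; the resolver is non-enumerable
    // so neither it nor a token value shows up in JSON.stringify / logging.
    Object.defineProperty(this, "_getEnv", { value: getEnvVarValue, enumerable: false });
  }
  // The token is read each time it is needed and never cached on the instance.
  get tokenValue() {
    return this._getEnv(this.tokenEnvVar);
  }
}

// A package may be pushed to many sources, but for one source it may only use
// one token: a second PushInfo for the same source with a different tokenEnvVar
// is rejected if it overlaps in package IDs.
function registerPushInfo(registry, info) {
  const key = info.url.href;
  const entries = registry.get(key) ?? [];
  for (const prior of entries) {
    if (prior.tokenEnvVar === info.tokenEnvVar) continue;
    const clash = info.packageIDs.find((id) => prior.packageIDs.includes(id));
    if (clash) throw new Error(`${clash} already uses ${prior.tokenEnvVar} for ${key}; cannot also use ${info.tokenEnvVar}`);
  }
  entries.push(info);
  registry.set(key, entries);
  return registry;
}

// Stand-alone run on constructed data; returns results instead of only logging them.
function demo() {
  const env = { GITHUB_TOKEN: "from-env" }; // constructed stand-in for process.env
  const dotenvText = 'NUGET_ORG_TOKEN="from-dotenv"\n# comment\nGITHUB_TOKEN=should-not-override\n';
  const getEnvVarValue = makeEnvResolver(env, () => dotenvText);
  const gh = new PushInfo({ url: "https://nuget.pkg.github.com/example-org/index.json", tokenEnvVar: "GITHUB_TOKEN", packageIDs: ["Example.Package"] }, getEnvVarValue);
  const org = new PushInfo({ url: "https://api.nuget.org/v3/index.json", tokenEnvVar: "NUGET_ORG_TOKEN", packageIDs: ["Example.Package"] }, getEnvVarValue);
  const registry = new Map();
  registerPushInfo(registry, gh);
  registerPushInfo(registry, org);
  let clash = null;
  try {
    registerPushInfo(registry, new PushInfo({ url: org.url, tokenEnvVar: "OTHER_TOKEN", packageIDs: ["Example.Package"] }, getEnvVarValue));
  } catch (e) {
    clash = e.message;
  }
  return { ghToken: gh.tokenValue, orgToken: org.tokenValue, envAfter: { ...env }, serialized: JSON.stringify(gh), sources: registry.size, clash };
}

console.log(demo());
```

Because `tokenValue` is a prototype getter and the resolver is non-enumerable, serialising or logging a `PushInfo` emits the source URL, the variable name and the package IDs but never the token, which is the practical form of "in memory for as little time as possible".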

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.Shared/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.Shared/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0



CVE-2023-42282 (Critical) detected in ip-2.0.0.tgz - autoclosed

CVE-2023-42282 - Critical Severity Vulnerability

Vulnerable Library - ip-2.0.0.tgz

Package page: https://www.npmjs.com/package/ip

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • npm-11.0.2.tgz (Root Library)
    • npm-10.2.5.tgz
      • make-fetch-happen-13.0.0.tgz
        • agent-2.2.0.tgz
          • socks-proxy-agent-8.0.2.tgz
            • socks-2.7.1.tgz
              • ip-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: dc097532c8da70ac6640935eca0fca499ad52886

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution: ip - 1.1.9,2.0.1



Add instructions for ZipPublishDir.target!

How did I forget this?
Need to go in the Directory.Build.props section of README.md

<Import Project="$(ProjectRootDir)node_modules/@halospv3/hce.shared-config/dotnet/ZipPublishDir.targets" />

CVE-2024-28863 (Medium) detected in tar-6.2.0.tgz - autoclosed

CVE-2024-28863 - Medium Severity Vulnerability

Vulnerable Library - tar-6.2.0.tgz

Library home page: https://registry.npmjs.org/tar/-/tar-6.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • npm-12.0.0.tgz (Root Library)
    • npm-10.5.0.tgz
      • tar-6.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1



npm-release is failing due to assertion error that should not be occurring

> @halospv3/[email protected] test
> node --test --import tsx ./tests/**/*.test.ts

TAP version 13
# Subtest: MSBuildProject
ok 1 - MSBuildProject # TODO custom properties?
  ---
  duration_ms: 1.300451
  ...
# Subtest: MSBuildProjectProperties
ok 2 - MSBuildProjectProperties # TODO
  ---
  duration_ms: 1.114886
  ...
# Subtest: dotnetGHPR
    # Subtest: getNugetGitHubUrl
        # Subtest: returns string when GITHUB_REPOSITORY_OWNER is defined
        ok 1 - returns string when GITHUB_REPOSITORY_OWNER is defined
          ---
          duration_ms: 1.554373
          ...
        # Subtest: returns undefined when GITHUB_REPOSITORY_OWNER is undefined
        ok 2 - returns undefined when GITHUB_REPOSITORY_OWNER is undefined
          ---
          duration_ms: 0.190806
          ...
        1..2
    ok 1 - getNugetGitHubUrl
      ---
      duration_ms: 2.668918
      type: 'suite'
      ...
    # Subtest: isTokenDefined
        # Subtest: is a function
        ok 1 - is a function
          ---
          duration_ms: 0.453284
          ...
        # Subtest: returns true when custom token is defined
        ok 2 - returns true when custom token is defined
          ---
          duration_ms: 0.504699
          ...
        # Subtest: returns false when custom token is undefined
        ok 3 - returns false when custom token is undefined
          ---
          duration_ms: 0.166349
          ...
        # Subtest: returns true when GITHUB_TOKEN is defined
        ok 4 - returns true when GITHUB_TOKEN is defined
          ---
          duration_ms: 0.290882
          ...
        # Subtest: returns true and fallback:"GH_TOKEN" when GITHUB_TOKEN is undefined, but fallback GH_TOKEN is defined
        ok 5 - returns true and fallback:"GH_TOKEN" when GITHUB_TOKEN is undefined, but fallback GH_TOKEN is defined
          ---
          duration_ms: 0.202998
          ...
        # Subtest: returns false and fallback:"GH_TOKEN" when GITHUB_TOKEN and GH_TOKEN are undefined
        ok 6 - returns false and fallback:"GH_TOKEN" when GITHUB_TOKEN and GH_TOKEN are undefined
          ---
          duration_ms: 0.911116
          ...
        1..6
    ok 2 - isTokenDefined
      ---
      duration_ms: 3.058494
      type: 'suite'
      ...
    # Subtest: getGithubNugetRegistryPair
        # Subtest: getGitHubNugetRegistryPair is function
        ok 1 - getGitHubNugetRegistryPair is function
          ---
          duration_ms: 0.339873
          ...
        # Subtest: can return when classic or workflow GITHUB_TOKEN or GH_TOKEN is defined with write:packages.
        not ok 2 - can return when classic or workflow GITHUB_TOKEN or GH_TOKEN is defined with write:packages.
          ---
          duration_ms: 9.739429
          location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:3360'
          failureType: 'testCodeFailure'
          error: |-
            Expected values to be strictly equal:
            + actual - expected
            
            + TypeError: The environment variable GITHUB_TOKEN is undefined!
            +     at tokenCanWritePackages (/home/runner/work/HCE.Shared/HCE.Shared/cjs/dotnet/dotnetGHPR.cjs:17:39)
            +     at TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:154:31)
            +     at Test.runInAsyncScope (node:async_hooks:206:9)
            +     at Test.run (node:internal/test_runner/test:824:25)
            +     at Suite.processPendingSubtests (node:internal/test_runner/test:533:18)
            +     at Test.postRun (node:internal/test_runner/test:923:19)
            +     at Test.run (node:internal/test_runner/test:866:12)
            +     at async Promise.all (index 0)
            +     at async Suite.run (node:internal/test_runner/test:1183:7)
            +     at async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)
            - true
          code: 'ERR_ASSERTION'
          name: 'AssertionError'
          expected: true
          actual:
          error: 'The environment variable GITHUB_TOKEN is undefined!'
          name: 'TypeError'
          stack: |-
            tokenCanWritePackages (/home/runner/work/HCE.Shared/HCE.Shared/cjs/dotnet/dotnetGHPR.cjs:17:39)
            TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:154:31)
            Test.runInAsyncScope (node:async_hooks:206:9)
            Test.run (node:internal/test_runner/test:824:25)
            Suite.processPendingSubtests (node:internal/test_runner/test:533:18)
            Test.postRun (node:internal/test_runner/test:923:19)
            Test.run (node:internal/test_runner/test:866:12)
            async Promise.all (index 0)
            async Suite.run (node:internal/test_runner/test:1183:7)
            async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)
          operator: 'strictEqual'
          stack: |-
            TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:161:5)
            async Test.run (node:internal/test_runner/test:825:9)
            async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)
          ...
        # Subtest: mock insufficient token
        ok 3 - mock insufficient token # TODO
          ---
          duration_ms: 0.143618
          ...
        # Subtest: mock sufficient token
        ok 4 - mock sufficient token # TODO
          ---
          duration_ms: 0.141574
          ...
        # Subtest: mock custom url
        ok 5 - mock custom url # TODO
          ---
          duration_ms: 0.117739
          ...
        1..5
    not ok 3 - getGithubNugetRegistryPair
      ---
      duration_ms: 10.990448
      type: 'suite'
      location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:2842'
      failureType: 'subtestsFailed'
      error: '1 subtest failed'
      code: 'ERR_TEST_FAILURE'
      ...
    1..3
not ok 3 - dotnetGHPR
  ---
  duration_ms: 17.527646
  type: 'suite'
  location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:708'
  failureType: 'subtestsFailed'
  error: '1 subtest failed'
  code: 'ERR_TEST_FAILURE'
  ...
# Subtest: dotnetGLPR
    # Subtest: GitLabTokenEnvVar
    ok 1 - GitLabTokenEnvVar
      ---
      duration_ms: 0.423308
      type: 'suite'
      ...
    # Subtest: nugetGitLabUrlBase
    ok 2 - nugetGitLabUrlBase
      ---
      duration_ms: 0.209459
      type: 'suite'
      ...
    # Subtest: nugetGitLabUrl
    ok 3 - nugetGitLabUrl
      ---
      duration_ms: 0.120995
      type: 'suite'
      ...
    # Subtest: getGitlabNugetRegistryPair
        # Subtest: is a function
        ok 1 - is a function
          ---
          duration_ms: 0.713669
          ...
        # Subtest: sufficient token permissions
        ok 2 - sufficient token permissions # TODO
          ---
          duration_ms: 0.132396
          ...
        # Subtest: insufficient token permissions
        ok 3 - insufficient token permissions # TODO
          ---
          duration_ms: 0.180176
          ...
        # Subtest: custom url
        ok 4 - custom url # TODO
          ---
          duration_ms: 0.206825
          ...
        # Subtest: custom token
        ok 5 - custom token # TODO
          ---
          duration_ms: 0.141243
          ...
        1..5
    ok 4 - getGitlabNugetRegistryPair
      ---
      duration_ms: 2.31521
      type: 'suite'
      ...
    1..4
ok 4 - dotnetGLPR
  ---
  duration_ms: 4.671677
  type: 'suite'
  ...
# Subtest: dotnetHelpers
    # Subtest: configurePrepareCmd
    ok 1 - configurePrepareCmd # TODO
      ---
      duration_ms: 1.216906
      ...
    # Subtest: nugetDefault is as expected
    ok 2 - nugetDefault is as expected
      ---
      duration_ms: 0.707157
      ...
    # Subtest: configureDotnetNugetPush works
    ok 3 - configureDotnetNugetPush works # TODO pushToGitHub adds github defaults
      ---
      duration_ms: 0.152414
      ...
    1..3
ok 5 - dotnetHelpers
  ---
  duration_ms: 3.718673
  type: 'suite'
  ...
1..5
# tests 23
# suites 10
# pass 11
# fail 1
# cancelled 0
# skipped 0
# todo 11
# duration_ms 468.588179
husky - pre-commit script failed (code 1)
    at makeError (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/@semantic-release/git/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/@semantic-release/git/node_modules/execa/index.js:118:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async commit (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/@semantic-release/git/lib/git.js:38:3)
    at async module.exports (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/@semantic-release/git/lib/prepare.js:63:5)
    at async prepare (/home/runner/work/HCE.Shared/HCE.Shared/node_modules/@semantic-release/git/index.js:28:3)
    at async validator (file:///home/runner/work/HCE.Shared/HCE.Shared/node_modules/semantic-release/lib/plugins/normalize.js:36:24)
    at async file:///home/runner/work/HCE.Shared/HCE.Shared/node_modules/semantic-release/lib/plugins/pipeline.js:38:36
    at async Promise.all (index 0)
    at async next (file:///home/runner/work/HCE.Shared/HCE.Shared/node_modules/semantic-release/node_modules/p-reduce/index.js:15:44) {
  shortMessage: 'Command failed with exit code 1: git commit -m chore(release): 2.5.0 [skip ci]\n' +
    '\n' +
    '## [2.5.0](https://github.com/halospv3/hce.shared/compare/v2.4.3...v2.5.0) (2024-06-04)\n' +
    '\n' +
    '### Features\n' +
    '\n' +
    '* overhaul dotnetGHPR; misc refactors ([8d0a1d6](https://github.com/halospv3/hce.shared/commit/8d0a1d657e7f4754881c9a130fd4aa8191fb3e81))\n' +
    '\n' +
    '### Bug Fixes\n' +
    '\n' +
    '* **deps:** update dependency conventional-changelog-conventionalcommits to v8 ([e1defcd](https://github.com/halospv3/hce.shared/commit/e1defcd94ba51eda7384c1ca87f33c9928610e20))\n' +
    '* **deps:** update semantic-release monorepo ([39fcf98](https://github.com/halospv3/hce.shared/commit/39fcf988fe55b894e269d64de1b48c7f8dfb950c))\n',
  command: 'git commit -m chore(release): 2.5.0 [skip ci]\n' +
    '\n' +
    '## [2.5.0](https://github.com/halospv3/hce.shared/compare/v2.4.3...v2.5.0) (2024-06-04)\n' +
    '\n' +
    '### Features\n' +
    '\n' +
    '* overhaul dotnetGHPR; misc refactors ([8d0a1d6](https://github.com/halospv3/hce.shared/commit/8d0a1d657e7f4754881c9a130fd4aa8191fb3e81))\n' +
    '\n' +
    '### Bug Fixes\n' +
    '\n' +
    '* **deps:** update dependency conventional-changelog-conventionalcommits to v8 ([e1defcd](https://github.com/halospv3/hce.shared/commit/e1defcd94ba51eda7384c1ca87f33c9928610e20))\n' +
    '* **deps:** update semantic-release monorepo ([39fcf98](https://github.com/halospv3/hce.shared/commit/39fcf988fe55b894e269d64de1b48c7f8dfb950c))\n',
  escapedCommand: 'git commit -m "chore(release): 2.5.0 [skip ci]\n' +
    '\n' +
    '## [2.5.0](https://github.com/halospv3/hce.shared/compare/v2.4.3...v2.5.0) (2024-06-04)\n' +
    '\n' +
    '### Features\n' +
    '\n' +
    '* overhaul dotnetGHPR; misc refactors ([8d0a1d6](https://github.com/halospv3/hce.shared/commit/8d0a1d657e7f4754881c9a130fd4aa8191fb3e81))\n' +
    '\n' +
    '### Bug Fixes\n' +
    '\n' +
    '* **deps:** update dependency conventional-changelog-conventionalcommits to v8 ([e1defcd](https://github.com/halospv3/hce.shared/commit/e1defcd94ba51eda7384c1ca87f33c9928610e20))\n' +
    '* **deps:** update semantic-release monorepo ([39fcf98](https://github.com/halospv3/hce.shared/commit/39fcf988fe55b894e269d64de1b48c7f8dfb950c))\n' +
    '"',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: '',
  stderr: '\n' +
    '> @halospv3/[email protected] check\n' +
    '> npm run type && npm run test && npm run lint\n' +
    '\n' +
    '\n' +
    '> @halospv3/[email protected] type\n' +
    '> tsc --build\n' +
    '\n' +
    '\n' +
    '> @halospv3/[email protected] pretest\n' +
    '> npm run build\n' +
    '\n' +
    '\n' +
    '> @halospv3/[email protected] build\n' +
    '> packemon build --addExports --addFiles --declaration --loadConfigs\n' +
    '\n' +
    '[@halospv3/hce.shared-config:HCE] Entry module "src/semanticReleaseConfigDotnet.ts" is using named and default exports together. Consumers of your bundle will have to use `chunk.default` to access the default export, which may not be what you want. Use `output.exports: "named"` to disable this warning. (id=/home/runner/work/HCE.Shared/HCE.Shared/src/semanticReleaseConfigDotnet.ts)\n' +
    '@halospv3/hce.shared-config\n' +
    '  ◼ cjs (38.87 kB) ◼ dts 2.2s\n' +
    '\n' +
    '> @halospv3/[email protected] test\n' +
    '> node --test --import tsx ./tests/**/*.test.ts\n' +
    '\n' +
    'TAP version 13\n' +
    '# Subtest: MSBuildProject\n' +
    'ok 1 - MSBuildProject # TODO custom properties?\n' +
    '  ---\n' +
    '  duration_ms: 1.300451\n' +
    '  ...\n' +
    '# Subtest: MSBuildProjectProperties\n' +
    'ok 2 - MSBuildProjectProperties # TODO\n' +
    '  ---\n' +
    '  duration_ms: 1.114886\n' +
    '  ...\n' +
    '# Subtest: dotnetGHPR\n' +
    '    # Subtest: getNugetGitHubUrl\n' +
    '        # Subtest: returns string when GITHUB_REPOSITORY_OWNER is defined\n' +
    '        ok 1 - returns string when GITHUB_REPOSITORY_OWNER is defined\n' +
    '          ---\n' +
    '          duration_ms: 1.554373\n' +
    '          ...\n' +
    '        # Subtest: returns undefined when GITHUB_REPOSITORY_OWNER is undefined\n' +
    '        ok 2 - returns undefined when GITHUB_REPOSITORY_OWNER is undefined\n' +
    '          ---\n' +
    '          duration_ms: 0.190806\n' +
    '          ...\n' +
    '        1..2\n' +
    '    ok 1 - getNugetGitHubUrl\n' +
    '      ---\n' +
    '      duration_ms: 2.668918\n' +
    "      type: 'suite'\n" +
    '      ...\n' +
    '    # Subtest: isTokenDefined\n' +
    '        # Subtest: is a function\n' +
    '        ok 1 - is a function\n' +
    '          ---\n' +
    '          duration_ms: 0.453284\n' +
    '          ...\n' +
    '        # Subtest: returns true when custom token is defined\n' +
    '        ok 2 - returns true when custom token is defined\n' +
    '          ---\n' +
    '          duration_ms: 0.504699\n' +
    '          ...\n' +
    '        # Subtest: returns false when custom token is undefined\n' +
    '        ok 3 - returns false when custom token is undefined\n' +
    '          ---\n' +
    '          duration_ms: 0.166349\n' +
    '          ...\n' +
    '        # Subtest: returns true when GITHUB_TOKEN is defined\n' +
    '        ok 4 - returns true when GITHUB_TOKEN is defined\n' +
    '          ---\n' +
    '          duration_ms: 0.290882\n' +
    '          ...\n' +
    '        # Subtest: returns true and fallback:"GH_TOKEN" when GITHUB_TOKEN is undefined, but fallback GH_TOKEN is defined\n' +
    '        ok 5 - returns true and fallback:"GH_TOKEN" when GITHUB_TOKEN is undefined, but fallback GH_TOKEN is defined\n' +
    '          ---\n' +
    '          duration_ms: 0.202998\n' +
    '          ...\n' +
    '        # Subtest: returns false and fallback:"GH_TOKEN" when GITHUB_TOKEN and GH_TOKEN are undefined\n' +
    '        ok 6 - returns false and fallback:"GH_TOKEN" when GITHUB_TOKEN and GH_TOKEN are undefined\n' +
    '          ---\n' +
    '          duration_ms: 0.911116\n' +
    '          ...\n' +
    '        1..6\n' +
    '    ok 2 - isTokenDefined\n' +
    '      ---\n' +
    '      duration_ms: 3.058494\n' +
    "      type: 'suite'\n" +
    '      ...\n' +
    '    # Subtest: getGithubNugetRegistryPair\n' +
    '        # Subtest: getGitHubNugetRegistryPair is function\n' +
    '        ok 1 - getGitHubNugetRegistryPair is function\n' +
    '          ---\n' +
    '          duration_ms: 0.339873\n' +
    '          ...\n' +
    '        # Subtest: can return when classic or workflow GITHUB_TOKEN or GH_TOKEN is defined with write:packages.\n' +
    '        not ok 2 - can return when classic or workflow GITHUB_TOKEN or GH_TOKEN is defined with write:packages.\n' +
    '          ---\n' +
    '          duration_ms: 9.739429\n' +
    "          location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:3360'\n" +
    "          failureType: 'testCodeFailure'\n" +
    '          error: |-\n' +
    '            Expected values to be strictly equal:\n' +
    '            + actual - expected\n' +
    '            \n' +
    '            + TypeError: The environment variable GITHUB_TOKEN is undefined!\n' +
    '            +     at tokenCanWritePackages (/home/runner/work/HCE.Shared/HCE.Shared/cjs/dotnet/dotnetGHPR.cjs:17:39)\n' +
    '            +     at TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:154:31)\n' +
    '            +     at Test.runInAsyncScope (node:async_hooks:206:9)\n' +
    '            +     at Test.run (node:internal/test_runner/test:824:25)\n' +
    '            +     at Suite.processPendingSubtests (node:internal/test_runner/test:533:18)\n' +
    '            +     at Test.postRun (node:internal/test_runner/test:923:19)\n' +
    '            +     at Test.run (node:internal/test_runner/test:866:12)\n' +
    '            +     at async Promise.all (index 0)\n' +
    '            +     at async Suite.run (node:internal/test_runner/test:1183:7)\n' +
    '            +     at async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)\n' +
    '            - true\n' +
    "          code: 'ERR_ASSERTION'\n" +
    "          name: 'AssertionError'\n" +
    '          expected: true\n' +
    '          actual:\n' +
    "          error: 'The environment variable GITHUB_TOKEN is undefined!'\n" +
    "          name: 'TypeError'\n" +
    '          stack: |-\n' +
    '            tokenCanWritePackages (/home/runner/work/HCE.Shared/HCE.Shared/cjs/dotnet/dotnetGHPR.cjs:17:39)\n' +
    '            TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:154:31)\n' +
    '            Test.runInAsyncScope (node:async_hooks:206:9)\n' +
    '            Test.run (node:internal/test_runner/test:824:25)\n' +
    '            Suite.processPendingSubtests (node:internal/test_runner/test:533:18)\n' +
    '            Test.postRun (node:internal/test_runner/test:923:19)\n' +
    '            Test.run (node:internal/test_runner/test:866:12)\n' +
    '            async Promise.all (index 0)\n' +
    '            async Suite.run (node:internal/test_runner/test:1183:7)\n' +
    '            async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)\n' +
    "          operator: 'strictEqual'\n" +
    '          stack: |-\n' +
    '            TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:161:5)\n' +
    '            async Test.run (node:internal/test_runner/test:825:9)\n' +
    '            async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)\n' +
    '          ...\n' +
    '        # Subtest: mock insufficient token\n' +
    '        ok 3 - mock insufficient token # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.143618\n' +
    '          ...\n' +
    '        # Subtest: mock sufficient token\n' +
    '        ok 4 - mock sufficient token # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.141574\n' +
    '          ...\n' +
    '        # Subtest: mock custom url\n' +
    '        ok 5 - mock custom url # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.117739\n' +
    '          ...\n' +
    '        1..5\n' +
    '    not ok 3 - getGithubNugetRegistryPair\n' +
    '      ---\n' +
    '      duration_ms: 10.990448\n' +
    "      type: 'suite'\n" +
    "      location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:2842'\n" +
    "      failureType: 'subtestsFailed'\n" +
    "      error: '1 subtest failed'\n" +
    "      code: 'ERR_TEST_FAILURE'\n" +
    '      ...\n' +
    '    1..3\n' +
    'not ok 3 - dotnetGHPR\n' +
    '  ---\n' +
    '  duration_ms: 17.527646\n' +
    "  type: 'suite'\n" +
    "  location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:708'\n" +
    "  failureType: 'subtestsFailed'\n" +
    "  error: '1 subtest failed'\n" +
    "  code: 'ERR_TEST_FAILURE'\n" +
    '  ...\n' +
    '# Subtest: dotnetGLPR\n' +
    '    # Subtest: GitLabTokenEnvVar\n' +
    '    ok 1 - GitLabTokenEnvVar\n' +
    '      ---\n' +
    '      duration_ms: 0.423308\n' +
    "      type: 'suite'\n" +
    '      ...\n' +
    '    # Subtest: nugetGitLabUrlBase\n' +
    '    ok 2 - nugetGitLabUrlBase\n' +
    '      ---\n' +
    '      duration_ms: 0.209459\n' +
    "      type: 'suite'\n" +
    '      ...\n' +
    '    # Subtest: nugetGitLabUrl\n' +
    '    ok 3 - nugetGitLabUrl\n' +
    '      ---\n' +
    '      duration_ms: 0.120995\n' +
    "      type: 'suite'\n" +
    '      ...\n' +
    '    # Subtest: getGitlabNugetRegistryPair\n' +
    '        # Subtest: is a function\n' +
    '        ok 1 - is a function\n' +
    '          ---\n' +
    '          duration_ms: 0.713669\n' +
    '          ...\n' +
    '        # Subtest: sufficient token permissions\n' +
    '        ok 2 - sufficient token permissions # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.132396\n' +
    '          ...\n' +
    '        # Subtest: insufficient token permissions\n' +
    '        ok 3 - insufficient token permissions # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.180176\n' +
    '          ...\n' +
    '        # Subtest: custom url\n' +
    '        ok 4 - custom url # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.206825\n' +
    '          ...\n' +
    '        # Subtest: custom token\n' +
    '        ok 5 - custom token # TODO\n' +
    '          ---\n' +
    '          duration_ms: 0.141243\n' +
    '          ...\n' +
    '        1..5\n' +
    '    ok 4 - getGitlabNugetRegistryPair\n' +
    '      ---\n' +
    '      duration_ms: 2.31521\n' +
    "      type: 'suite'\n" +
    '      ...\n' +
    '    1..4\n' +
    'ok 4 - dotnetGLPR\n' +
    '  ---\n' +
    '  duration_ms: 4.671677\n' +
    "  type: 'suite'\n" +
    '  ...\n' +
    '# Subtest: dotnetHelpers\n' +
    '    # Subtest: configurePrepareCmd\n' +
    '    ok 1 - configurePrepareCmd # TODO\n' +
    '      ---\n' +
    '      duration_ms: 1.216906\n' +
    '      ...\n' +
    '    # Subtest: nugetDefault is as expected\n' +
    '    ok 2 - nugetDefault is as expected\n' +
    '      ---\n' +
    '      duration_ms: 0.707157\n' +
    '      ...\n' +
    '    # Subtest: configureDotnetNugetPush works\n' +
    '    ok 3 - configureDotnetNugetPush works # TODO pushToGitHub adds github defaults\n' +
    '      ---\n' +
    '      duration_ms: 0.152414\n' +
    '      ...\n' +
    '    1..3\n' +
    'ok 5 - dotnetHelpers\n' +
    '  ---\n' +
    '  duration_ms: 3.718673\n' +
    "  type: 'suite'\n" +
    '  ...\n' +
    '1..5\n' +
    '# tests 23\n' +
    '# suites 10\n' +
    '# pass 11\n' +
    '# fail 1\n' +
    '# cancelled 0\n' +
    '# skipped 0\n' +
    '# todo 11\n' +
    '# duration_ms 468.588179\n' +
    'husky - pre-commit script failed (code 1)',
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false,
  pluginName: '@semantic-release/git'
}
Error: Command failed with exit code 1: git commit -m chore(release): 2.5.0 [skip ci]

## [2.5.0](https://github.com/halospv3/hce.shared/compare/v2.4.3...v2.5.0) (2024-06-04)

### Features

* overhaul dotnetGHPR; misc refactors ([8d0a1d6](https://github.com/halospv3/hce.shared/commit/8d0a1d657e7f4754881c9a130fd4aa8191fb3e81))

### Bug Fixes

* **deps:** update dependency conventional-changelog-conventionalcommits to v8 ([e1defcd](https://github.com/halospv3/hce.shared/commit/e1defcd94ba51eda7384c1ca87f33c9928610e20))
* **deps:** update semantic-release monorepo ([39fcf98](https://github.com/halospv3/hce.shared/commit/39fcf988fe55b894e269d64de1b48c7f8dfb950c))


> @halospv3/[email protected] check
> npm run type && npm run test && npm run lint


> @halospv3/[email protected] type
> tsc --build


> @halospv3/[email protected] pretest
> npm run build


> @halospv3/[email protected] build
> packemon build --addExports --addFiles --declaration --loadConfigs

[@halospv3/hce.shared-config:HCE] Entry module "src/semanticReleaseConfigDotnet.ts" is using named and default exports together. Consumers of your bundle will have to use `chunk.default` to access the default export, which may not be what you want. Use `output.exports: "named"` to disable this warning. (id=/home/runner/work/HCE.Shared/HCE.Shared/src/semanticReleaseConfigDotnet.ts)
@halospv3/hce.shared-config
  ◼ cjs (38.87 kB) ◼ dts 2.2s

> @halospv3/[email protected] test
> node --test --import tsx ./tests/**/*.test.ts

TAP version 13
...
# Subtest: dotnetGHPR
    # Subtest: getGithubNugetRegistryPair
        # Subtest: getGitHubNugetRegistryPair is function
        ok 1 - getGitHubNugetRegistryPair is function
          ---
          duration_ms: 0.339873
          ...
        # Subtest: can return when classic or workflow GITHUB_TOKEN or GH_TOKEN is defined with write:packages.
        not ok 2 - can return when classic or workflow GITHUB_TOKEN or GH_TOKEN is defined with write:packages.
          ---
          duration_ms: 9.739429
          location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:3360'
          failureType: 'testCodeFailure'
          error: |-
            Expected values to be strictly equal:
            + actual - expected
            
            + TypeError: The environment variable GITHUB_TOKEN is undefined!
            +     at tokenCanWritePackages (/home/runner/work/HCE.Shared/HCE.Shared/cjs/dotnet/dotnetGHPR.cjs:17:39)
            +     at TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:154:31)
            +     at Test.runInAsyncScope (node:async_hooks:206:9)
            +     at Test.run (node:internal/test_runner/test:824:25)
            +     at Suite.processPendingSubtests (node:internal/test_runner/test:533:18)
            +     at Test.postRun (node:internal/test_runner/test:923:19)
            +     at Test.run (node:internal/test_runner/test:866:12)
            +     at async Promise.all (index 0)
            +     at async Suite.run (node:internal/test_runner/test:1183:7)
            +     at async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)
            - true
          code: 'ERR_ASSERTION'
          name: 'AssertionError'
          expected: true
          actual:
          error: 'The environment variable GITHUB_TOKEN is undefined!'
          name: 'TypeError'
          stack: |-
            tokenCanWritePackages (/home/runner/work/HCE.Shared/HCE.Shared/cjs/dotnet/dotnetGHPR.cjs:17:39)
            TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:154:31)
            Test.runInAsyncScope (node:async_hooks:206:9)
            Test.run (node:internal/test_runner/test:824:25)
            Suite.processPendingSubtests (node:internal/test_runner/test:533:18)
            Test.postRun (node:internal/test_runner/test:923:19)
            Test.run (node:internal/test_runner/test:866:12)
            async Promise.all (index 0)
            async Suite.run (node:internal/test_runner/test:1183:7)
            async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)
          operator: 'strictEqual'
          stack: |-
            TestContext.<anonymous> (/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:161:5)
            async Test.run (node:internal/test_runner/test:825:9)
            async Suite.processPendingSubtests (node:internal/test_runner/test:533:7)
          ...
        # Subtest: mock insufficient token
        ok 3 - mock insufficient token # TODO
          ---
          duration_ms: 0.143618
          ...
        # Subtest: mock sufficient token
        ok 4 - mock sufficient token # TODO
          ---
          duration_ms: 0.141574
          ...
        # Subtest: mock custom url
        ok 5 - mock custom url # TODO
          ---
          duration_ms: 0.117739
          ...
        1..5
    not ok 3 - getGithubNugetRegistryPair
      ---
      duration_ms: 10.990448
      type: 'suite'
      location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:2842'
      failureType: 'subtestsFailed'
      error: '1 subtest failed'
      code: 'ERR_TEST_FAILURE'
      ...
    1..3
not ok 3 - dotnetGHPR
  ---
  duration_ms: 17.527646
  type: 'suite'
  location: '/home/runner/work/HCE.Shared/HCE.Shared/tests/dotnet/dotnetGHPR.test.ts:1:708'
  failureType: 'subtestsFailed'
  error: '1 subtest failed'
  code: 'ERR_TEST_FAILURE'
  ...
# Subtest: dotnetGLPR
    # Subtest: GitLabTokenEnvVar
    ok 1 - GitLabTokenEnvVar
      ---
      duration_ms: 0.423308
      type: 'suite'
      ...
    # Subtest: nugetGitLabUrlBase
    ok 2 - nugetGitLabUrlBase
      ---
      duration_ms: 0.209459
      type: 'suite'
      ...
    # Subtest: nugetGitLabUrl
    ok 3 - nugetGitLabUrl
      ---
      duration_ms: 0.120995
      type: 'suite'
      ...
    # Subtest: getGitlabNugetRegistryPair
        # Subtest: is a function
        ok 1 - is a function
          ---
          duration_ms: 0.713669
          ...
        # Subtest: sufficient token permissions
        ok 2 - sufficient token permissions # TODO
          ---
          duration_ms: 0.132396
          ...
        # Subtest: insufficient token permissions
        ok 3 - insufficient token permissions # TODO
          ---
          duration_ms: 0.180176
          ...
        # Subtest: custom url
        ok 4 - custom url # TODO
          ---
          duration_ms: 0.206825
          ...
        # Subtest: custom token
        ok 5 - custom token # TODO
          ---
          duration_ms: 0.141243
          ...
        1..5
    ok 4 - getGitlabNugetRegistryPair
      ---
      duration_ms: 2.31521
      type: 'suite'
      ...
    1..4
ok 4 - dotnetGLPR
  ---
  duration_ms: 4.671677
  type: 'suite'
  ...
# Subtest: dotnetHelpers
    # Subtest: configurePrepareCmd
    ok 1 - configurePrepareCmd # TODO
      ---
      duration_ms: 1.216906
      ...
    # Subtest: nugetDefault is as expected
    ok 2 - nugetDefault is as expected
      ---
      duration_ms: 0.707157
      ...
    # Subtest: configureDotnetNugetPush works
    ok 3 - configureDotnetNugetPush works # TODO pushToGitHub adds github defaults
      ---
      duration_ms: 0.152414
      ...
    1..3
ok 5 - dotnetHelpers
  ---
  duration_ms: 3.718673
  type: 'suite'
  ...
1..5
# tests 23
# suites 10
# pass 11
# fail 1
# cancelled 0
# skipped 0
# todo 11
# duration_ms 468.588179
husky - pre-commit script failed (code 1)

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.Shared/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0


Step up your Open Source Security Game with WhiteSource here

CVE-2021-43616 (High) detected in npm-7.24.2.tgz - autoclosed

CVE-2021-43616 - High Severity Vulnerability

Vulnerable Library - npm-7.24.2.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • npm-8.0.3.tgz (Root Library)
    • npm-7.24.2.tgz (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

Publish Date: 2021-11-13

URL: CVE-2021-43616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616

Release Date: 2021-11-13

Fix Resolution: npm - 8.1.4


CVE-2024-4067 (High) detected in micromatch-4.0.5.tgz

CVE-2024-4067 - High Severity Vulnerability

Vulnerable Library - micromatch-4.0.5.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • commit-analyzer-12.0.0.tgz (Root Library)
    • micromatch-4.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: micromatch - 4.0.6


CVE-2022-21680 (High) detected in marked-2.1.3.tgz - autoclosed

CVE-2022-21680 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: c582aa25b59f324ce3d0e9df88ea24683f98cde0

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10


CVE-2021-3807 (High) detected in multiple libraries - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • mrm-3.0.10.tgz (Root Library)
    • libnpx-10.2.4.tgz
      • yargs-14.2.3.tgz
        • cliui-5.0.0.tgz
          • strip-ansi-5.2.0.tgz
            • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/string-width/node_modules/ansi-regex/package.json,/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • mrm-3.0.10.tgz (Root Library)
    • libnpx-10.2.4.tgz
      • update-notifier-2.5.0.tgz
        • boxen-1.3.0.tgz
          • string-width-2.1.1.tgz
            • strip-ansi-4.0.0.tgz
              • ansi-regex-3.0.0.tgz (Vulnerable Library)

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • npm-9.0.1.tgz (Root Library)
    • npm-8.5.0.tgz
      • cli-table3-0.6.1.tgz
        • string-width-4.2.2.tgz
          • strip-ansi-6.0.0.tgz
            • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (mrm): 4.0.0


Step up your Open Source Security Game with Mend here

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz - autoclosed

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/json-schema/package.json

Dependency Hierarchy:

  • npm-8.0.3.tgz (Root Library)
    • npm-7.24.2.tgz
      • node-gyp-7.1.2.tgz
        • request-2.88.2.tgz
          • http-signature-1.2.0.tgz
            • jsprim-1.4.1.tgz
              • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.Shared/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Add sample/example projects

Basic scenarios: override of properties whose names are only in one plugin config. Or no configuration aside from what's inherited from this shareable config. "Static" YAML/JSON config.

Advanced scenarios: piecemeal and/or independent modification of plugins' settings. CJS config.

Pros And Cons Of Configuration File/Data Format

The dependent project can use any format for its own configuration as long as the format is supported by Semantic Release, e.g. YAML, JSON, a release object property in package.json, or CJS.

"Static" configs (YAML, JSON) can be easier to learn to read and write, but overriding values provided by this shareable config will be limited in capability. As it stands, you cannot add to or modify the plugin array inherited by a static config. If you wish to override a property in a plugin's configuration, you can add a custom property in the releaserc object. However, this new property will override the value of every plugin config property with the same name. The Git and GitHub plugins' configurations both have an assets property. A top-level assets property will override the assets for both plugins, which is usually undesirable. One is for committing files and the other is for adding files to a GitHub Release.

"Dynamic" configs are limited to the old "CJS" JavaScript format¹. Despite this, JavaScript allows for far more flexibility...and far more complexity and human error. Transpiling a TypeScript source file allows for better IntelliSense and code validation, but increases project complexity for what was just a small and simple framework for automatic versioning, packaging, and releases.

¹ At the time of this writing, Semantic Release cannot load ESM (ECMAScript) shareable configurations.

Multiple Ways To Consume This Library

  • NPM/Yarn (recommended)
  • Git SubModule (still requires NPM or Yarn with the local path to this package so Semantic Release can find it)
  • File-directory copy without version tracking e.g. downloading a commit or release package and copying it elsewhere (NOT recommended)

Notes

  • https://github.com/BinToss/GroupBox.Avalonia has a .releaserc.js containing a commented section of code. This snippet details how to add to or modify the plugins/plugins-configuration array without accidentally decimating existing items in the array. Adding another layer of complexity is the array's mixed item type. The array can contain both strings and pseudo-tuples (2-item arrays) representing key-value pairs of a plugin name and the plugin's configuration object. Lots of square brackets. Lots of curly braces. Lovely. Why not have a string[] property for plugin names to load and then one additional object property for each plugin's configuration object?

{
...
  "plugins": ["plugin1", "plugin2"],
  "plugin1": {
    "op": "merge",
    "config": {}
  },
  "plugin2": {
    "op": "override",
    "config": {}
  }
}

releaserc.plugins.map((plugin) => loadPluginConfigs(releaserc[plugin]))

Still limited in capability unless the T | {op,T} type architecture is supported by and used throughout each plugin...or a custom handler/loader plugin loaded first.
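As an added example (not code from hce.shared, GroupBox.Avalonia or semantic-release), the following CJS snippet implements the per-plugin `{op, config}` override idea from the note above on top of semantic-release's actual mixed `plugins` array, so that a consumer can replace the GitHub plugin's `assets` without clobbering the Git plugin's `assets` (the problem described under "Pros And Cons"). The shared config values, the plugin options and the `mergePlugins`/`buildConfig` names are constructed for the example.

```javascript
// Added example: merge a shareable semantic-release config's `plugins` array
// (entries are either "name" or ["name", options]) with per-plugin overrides
// of the shape { [pluginName]: { op: "merge" | "override", config: {...} } }.
// Entries not named in `overrides` are kept untouched, in their original order.

function normalizePlugin(entry) {
  // A bare string means "load this plugin with default options".
  return Array.isArray(entry) ? [entry[0], entry[1] || {}] : [entry, {}];
}

function mergePlugins(basePlugins, overrides) {
  const result = basePlugins.map((entry) => {
    const [name, options] = normalizePlugin(entry);
    const o = overrides[name];
    if (!o) return [name, options];
    // "override" replaces the plugin's options wholesale;
    // "merge" is a shallow merge (arrays such as `assets` are replaced, not concatenated).
    if (o.op === "override") return [name, { ...o.config }];
    if (o.op === "merge") return [name, { ...options, ...o.config }];
    throw new Error(`unknown op "${o.op}" for plugin ${name}`);
  });
  // Plugins named only in `overrides` are appended; plugin order matters to
  // semantic-release, so base order is preserved and new ones go last.
  for (const [name, o] of Object.entries(overrides)) {
    if (!basePlugins.some((e) => normalizePlugin(e)[0] === name)) {
      result.push([name, { ...o.config }]);
    }
  }
  return result;
}

function buildConfig(shared, overrides) {
  return { ...shared, plugins: mergePlugins(shared.plugins, overrides) };
}

// Constructed stand-in for the inherited shareable config (hypothetical values).
const sharedConfig = {
  branches: ["main"],
  plugins: [
    "@semantic-release/commit-analyzer",
    ["@semantic-release/git", { assets: ["CHANGELOG.md", "package.json"] }],
    ["@semantic-release/github", { assets: ["dist/*.nupkg"] }],
  ],
};

// Consumer's override: only the GitHub Release assets change; Git's assets stay.
const releaserc = buildConfig(sharedConfig, {
  "@semantic-release/github": { op: "override", config: { assets: ["bin/*.zip"] } },
});
// In a real .releaserc.js this would end with: module.exports = releaserc;
```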

`tokenCanWritePackages` should authenticate via GPR's NuGet API and `dotnet nuget push` cli

Checking the response header from https://api.github.com/ for the token's permissions does not work for some tokens. GitHub may return code 401—HttpError: Bad credentials.

I don't know why and I can't be bothered to investigate it.

Pushing a dummy package or trying to delete a package that doesn't exist should be informative enough.
If it fails with 401 or the equivalent, then the token is invalid. Otherwise, the token is probably valid if the response indicates the operation is impossible (bad method?).

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.Shared/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ca9e973093b9d6f1b6a3be3bfaaca82349bdb5e3

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2022-25883 (Medium) detected in multiple libraries - autoclosed

CVE-2022-25883 - Medium Severity Vulnerability

Vulnerable Libraries - semver-5.7.1.tgz, semver-7.5.1.tgz, semver-6.3.0.tgz

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/read-pkg/node_modules/semver/package.json

Dependency Hierarchy:

  • commit-analyzer-10.0.1.tgz (Root Library)
    • conventional-commits-parser-4.0.0.tgz
      • meow-8.1.2.tgz
        • read-pkg-up-7.0.1.tgz
          • read-pkg-5.2.0.tgz
            • normalize-package-data-2.5.0.tgz
              • semver-5.7.1.tgz (Vulnerable Library)

semver-7.5.1.tgz

Library home page: https://registry.npmjs.org/semver/-/semver-7.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/semver/package.json

Dependency Hierarchy:

  • npm-10.0.4.tgz (Root Library)
    • npm-9.6.7.tgz
      • semver-7.5.1.tgz (Vulnerable Library)

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@semantic-release/release-notes-generator/node_modules/semver/package.json

Dependency Hierarchy:

  • release-notes-generator-11.0.3.tgz (Root Library)
    • conventional-changelog-writer-6.0.0.tgz
      • semver-6.3.0.tgz (Vulnerable Library)

Found in HEAD commit: da17a3d0c192af8f5324a31876f8410c10e40684

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-06-21

Fix Resolution: semver - 7.5.2

CVE-2022-0235 (Medium) detected in node-fetch-2.6.6.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • github-8.0.2.tgz (Root Library)
    • rest-18.12.0.tgz
      • core-3.5.1.tgz
        • request-5.6.2.tgz
          • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1
