diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index a8f5be4a..6633406b 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -32,7 +32,7 @@ jobs: run: npm run bootstrap - name: audit tools (without allow-list) - run: npm audit --audit-level=moderate + run: npm audit --audit-level=moderate --omit dev - name: audit packages run: npm run audit-all diff --git a/packages/attest/RELEASES.md b/packages/attest/RELEASES.md index 9b68907f..4e85ca38 100644 --- a/packages/attest/RELEASES.md +++ b/packages/attest/RELEASES.md @@ -1,36 +1,40 @@ # @actions/attest Releases +### 1.4.1 + +- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805) + ### 1.4.0 -- Add new `headers` parameter to the `attest` and `attestProvenance` functions. -- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context. +- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790) +- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796) ### 1.3.1 -- Fix bug with proxy support when retrieving JWKS for OIDC issuer +- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776) ### 1.3.0 -- Dynamic construction of Sigstore API URLs -- Switch to new GH provenance build type -- Fetch existing Rekor entry on 409 conflict error -- Bump @sigstore/bundle from 2.3.0 to 2.3.2 -- Bump @sigstore/sign from 2.3.0 to 2.3.2 +- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735) +- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745) +- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759) +- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738) +- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738) ### 1.2.1 -- Retry request on attestation persistence failure +- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725) ### 1.2.0 -- Generate attestations using the v0.3 Sigstore bundle format. -- Bump @sigstore/bundle from 2.2.0 to 2.3.0. -- Bump @sigstore/sign from 2.2.3 to 2.3.0. -- Remove dependency on make-fetch-happen +- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701) +- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701) +- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701) +- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714) ### 1.1.0 -- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement. +- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693) ### 1.0.0 diff --git a/packages/attest/package-lock.json b/packages/attest/package-lock.json index e7fafa40..17b72849 100644 --- a/packages/attest/package-lock.json +++ b/packages/attest/package-lock.json @@ -1,17 +1,17 @@ { "name": "@actions/attest", - "version": "1.4.0", + "version": "1.4.1", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "@actions/attest", - "version": "1.4.0", + "version": "1.4.1", "license": "MIT", "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", - "@actions/http-client": "^2.2.1", + "@actions/http-client": "^2.2.3", "@octokit/plugin-retry": "^6.0.1", "@sigstore/bundle": "^2.3.2", "@sigstore/sign": "^2.3.2", @@ -46,9 +46,9 @@ } }, "node_modules/@actions/http-client": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz", - "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", "dependencies": { "tunnel": "^0.0.6", "undici": "^5.25.4" @@ -1767,9 +1767,9 @@ } }, "@actions/http-client": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz", - "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", "requires": { "tunnel": "^0.0.6", "undici": "^5.25.4" diff --git a/packages/attest/package.json b/packages/attest/package.json index d9c6b878..224e948a 100644 --- a/packages/attest/package.json +++ b/packages/attest/package.json @@ -1,6 +1,6 @@ { "name": "@actions/attest", - "version": "1.4.0", + "version": "1.4.1", "description": "Actions attestation lib", "keywords": [ "github", @@ -44,7 +44,7 @@ "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", - "@actions/http-client": "^2.2.1", + "@actions/http-client": "^2.2.3", "@octokit/plugin-retry": "^6.0.1", "@sigstore/bundle": "^2.3.2", "@sigstore/sign": "^2.3.2", diff --git a/packages/http-client/RELEASES.md b/packages/http-client/RELEASES.md index 02a933b6..6d9ccf5d 100644 --- a/packages/http-client/RELEASES.md +++ b/packages/http-client/RELEASES.md @@ -1,5 +1,8 @@ ## Releases +## 2.2.3 +- Fixed an issue where proxy username and password were not handled correctly [#1799](https://github.com/actions/toolkit/pull/1799) + ## 2.2.2 - Better handling of url encoded usernames and passwords in proxy config [#1782](https://github.com/actions/toolkit/pull/1782) diff --git a/packages/http-client/package-lock.json b/packages/http-client/package-lock.json index e58eb440..823b38b7 100644 --- a/packages/http-client/package-lock.json +++ b/packages/http-client/package-lock.json @@ -1,6 +1,6 @@ { "name": "@actions/http-client", - "version": "2.2.2", + "version": "2.2.3", "lockfileVersion": 2, "requires": true, "packages": { diff --git a/packages/http-client/package.json b/packages/http-client/package.json index df29f961..3960a83a 100644 --- a/packages/http-client/package.json +++ b/packages/http-client/package.json @@ -1,6 +1,6 @@ { "name": "@actions/http-client", - "version": "2.2.2", + "version": "2.2.3", "description": "Actions Http Client", "keywords": [ "github", diff --git a/packages/http-client/src/index.ts b/packages/http-client/src/index.ts index 6f575f7d..6ee9ae43 100644 --- a/packages/http-client/src/index.ts +++ b/packages/http-client/src/index.ts @@ -726,7 +726,9 @@ export class HttpClient { uri: proxyUrl.href, pipelining: !this._keepAlive ? 0 : 1, ...((proxyUrl.username || proxyUrl.password) && { - token: `${proxyUrl.username}:${proxyUrl.password}` + token: `Basic ${Buffer.from( + `${proxyUrl.username}:${proxyUrl.password}` + ).toString('base64')}` }) }) this._proxyAgentDispatcher = proxyAgent