fix(is-ignored): introduce security validation for custom ignore functions#4258
Merged
escapedcat merged 1 commit intoconventional-changelog:masterfrom Feb 2, 2025
Merged
Conversation
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. |
Member
|
Thanks @edodusi ! |
4 tasks
7 tasks
escapedcat
added a commit
that referenced
this pull request
Mar 7, 2025
This was referenced Aug 22, 2025
immxmmi
pushed a commit
to immxmmi/gitea-helm-actions
that referenced
this pull request
Apr 20, 2026
This PR contains the following updates: | Package | Type | Update | Change | Age | Confidence | |---|---|---|---|---|---| | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | | minor | `3.17.1` -> `3.19.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | container | minor | `3.17.1` -> `3.19.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [commitlint/commitlint](https://github.com/conventional-changelog/commitlint) | container | minor | `19.7.1` -> `19.9.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli) | devDependencies | minor | [`^0.44.0` -> `^0.45.0`](https://renovatebot.com/diffs/npm/markdownlint-cli/0.44.0/0.45.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>conventional-changelog/commitlint (commitlint/commitlint)</summary> ### [`v19.9.1`](https://github.com/conventional-changelog/commitlint/blob/HEAD/CHANGELOG.md#1991-2025-08-29) [Compare Source](conventional-changelog/commitlint@v19.9.0...v19.9.1) ##### Bug Fixes - add TypeScript support and configuration for pnpm scopes ([#​4544](conventional-changelog/commitlint#4544)) ([ea75778](conventional-changelog/commitlint@ea75778)) ### [`v19.9.0`](https://github.com/conventional-changelog/commitlint/blob/HEAD/CHANGELOG.md#1990-2025-08-26) [Compare Source](conventional-changelog/commitlint@v19.8.1...v19.9.0) ##### Bug Fixes - update dependency jest-environment-node to v30 ([#​4448](conventional-changelog/commitlint#4448)) ([42ca849](conventional-changelog/commitlint@42ca849)) - update dependency jest-environment-node to v30.0.2 ([#​4469](conventional-changelog/commitlint#4469)) ([4da7e43](conventional-changelog/commitlint@4da7e43)) - update dependency tar-fs to v3.0.10 ([#​4461](conventional-changelog/commitlint#4461)) ([f02c47c](conventional-changelog/commitlint@f02c47c)) - update dependency tar-fs to v3.0.9 ([#​4421](conventional-changelog/commitlint#4421)) ([0650e03](conventional-changelog/commitlint@0650e03)) - update dependency tar-fs to v3.1.0 ([#​4496](conventional-changelog/commitlint#4496)) ([31b4f72](conventional-changelog/commitlint@31b4f72)) ##### Features - **config-pnpm-scopes:** migrate package to TypeScript ([#​4541](conventional-changelog/commitlint#4541)) ([6ae36ea](conventional-changelog/commitlint@6ae36ea)) ##### Reverts - Revert "chore: update dependency cross-env to v10 ([#​4528](conventional-changelog/commitlint#4528))" ([#​4529](conventional-changelog/commitlint#4529)) ([b5bfd12](conventional-changelog/commitlint@b5bfd12)), closes [#​4528](conventional-changelog/commitlint#4528) [#​4529](conventional-changelog/commitlint#4529) #### [19.8.1](conventional-changelog/commitlint@v19.8.0...v19.8.1) (2025-05-08) ##### Bug Fixes - update dependency tinyexec to v1 ([#​4332](conventional-changelog/commitlint#4332)) ([e49449f](conventional-changelog/commitlint@e49449f)) - update dependency tinyexec to v1.0.1 ([#​4347](conventional-changelog/commitlint#4347)) ([c1b26d1](conventional-changelog/commitlint@c1b26d1)) ##### Performance Improvements - **rules:** optimize header-trim ([#​4363](conventional-changelog/commitlint#4363)) ([b7e404b](conventional-changelog/commitlint@b7e404b)) ### [`v19.8.1`](https://github.com/conventional-changelog/commitlint/blob/HEAD/CHANGELOG.md#1981-2025-05-08) [Compare Source](conventional-changelog/commitlint@v19.8.0...v19.8.1) ##### Bug Fixes - update dependency tinyexec to v1 ([#​4332](conventional-changelog/commitlint#4332)) ([e49449f](conventional-changelog/commitlint@e49449f)) - update dependency tinyexec to v1.0.1 ([#​4347](conventional-changelog/commitlint#4347)) ([c1b26d1](conventional-changelog/commitlint@c1b26d1)) ##### Performance Improvements - **rules:** optimize header-trim ([#​4363](conventional-changelog/commitlint#4363)) ([b7e404b](conventional-changelog/commitlint@b7e404b)) ### [`v19.8.0`](https://github.com/conventional-changelog/commitlint/blob/HEAD/CHANGELOG.md#1980-2025-03-07) [Compare Source](conventional-changelog/commitlint@v19.7.1...v19.8.0) ##### Bug Fixes - **config-lerna-scopes:** remove deprecated [@​lerna/project](https://github.com/lerna/project) dependency ([#​4284](conventional-changelog/commitlint#4284)) ([f2f78f1](conventional-changelog/commitlint@f2f78f1)) - update dependency semver to v7.7.1 ([#​4272](conventional-changelog/commitlint#4272)) ([6148587](conventional-changelog/commitlint@6148587)) ##### Features - **config-workspace-scopes:** add config preset for npm and yarn workspaces ([#​4269](conventional-changelog/commitlint#4269)) ([67ff9e8](conventional-changelog/commitlint@67ff9e8)) ##### Performance Improvements - use `node:` prefix to bypass require.cache call for builtins ([#​4302](conventional-changelog/commitlint#4302)) ([0cd8f41](conventional-changelog/commitlint@0cd8f41)) ##### Reverts - Revert "fix: improve security validation regex in is-ignored function ([#​4258](conventional-changelog/commitlint#4258))" ([#​4314](conventional-changelog/commitlint#4314)) ([b27024a](conventional-changelog/commitlint@b27024a)), closes [#​4258](conventional-changelog/commitlint#4258) [#​4314](conventional-changelog/commitlint#4314) #### [19.7.1](conventional-changelog/commitlint@v19.7.0...v19.7.1) (2025-02-02) ##### Bug Fixes - **config-nx-scopes:** fix for projects without explicit targets ([#​4261](conventional-changelog/commitlint#4261)) ([25bb2cd](conventional-changelog/commitlint@25bb2cd)) - improve security validation regex in is-ignored function ([#​4258](conventional-changelog/commitlint#4258)) ([7403d63](conventional-changelog/commitlint@7403d63)) - update dependency fast-glob to v3.3.3 ([#​4235](conventional-changelog/commitlint#4235)) ([c286237](conventional-changelog/commitlint@c286237)) - update dependency fs-extra to v11.3.0 ([#​4249](conventional-changelog/commitlint#4249)) ([39acfe4](conventional-changelog/commitlint@39acfe4)) - update dependency tar-fs to v3.0.7 ([#​4243](conventional-changelog/commitlint#4243)) ([708320f](conventional-changelog/commitlint@708320f)) - update dependency tar-fs to v3.0.8 ([#​4247](conventional-changelog/commitlint#4247)) ([ecb5d3a](conventional-changelog/commitlint@ecb5d3a)) </details> <details> <summary>igorshubovych/markdownlint-cli (markdownlint-cli)</summary> ### [`v0.45.0`](https://github.com/igorshubovych/markdownlint-cli/releases/tag/v0.45.0) [Compare Source](igorshubovych/markdownlint-cli@v0.44.0...v0.45.0) - Update `markdownlint` dependency to `0.38.0` - Add `MD059`/`descriptive-link-text` - Improve `MD025`/`MD027`/`MD036`/`MD038`/`MD041`/`MD043`/`MD045`/`MD051`/`MD052` - Remove support for end-of-life Node version 18 - Update all dependencies via `Dependabot` </details> --- ### Configuration 📅 **Schedule**: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xOC4xIiwidXBkYXRlZEluVmVyIjoiNDEuMTguMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsia2luZC9kZXBlbmRlbmN5Il19--> Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/64 Reviewed-by: DaanSelen <daanselen@noreply.gitea.com> Co-authored-by: Renovate Bot <renovate-bot@gitea.com> Co-committed-by: Renovate Bot <renovate-bot@gitea.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR improves security validation in the
@commitlint/is-ignoredpackage by introducing a regex pattern to catch potentially malicious function calls.Motivation and Context
The current security validation in
is-ignoredonly performs type validation on the Matcher, this PR adds a more strict check and throws if the function does not returns a Boolean, plus it checks for potentially dangerous side effects (e.g.,fetch("url")) that could potentially allow malicious code to be executed through custom ignore functions.Usage examples
How Has This Been Tested?
Types of changes
Checklist: