github.com/skarlso/dependabot-bundler
Bundler will gather all PRs which were created by the app/dependabot user. Then, it will apply go get -u using the modules in the PRs that it found. It does that instead of using git magic to combine the PRs, to avoid the following problems:

Once all updates have been applied, it will create a single commit and a PR.
It doesn't attempt to merge PRs, which would cause various merge conflicts. It basically just does what Dependabot would do, but applies it separately as a single composite update.
Bundler only ever commits go.mod and go.sum files. It never stages any other changes.
Example running every Friday:

name: Dependabot Bundler
on:
  schedule:
    - cron: '0 0 * * 5' # every Friday at 00:00
jobs:
  bundler:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.18.x
      - name: Cache go-build and mod
        uses: actions/cache@v2
        with:
          path: |
            ~/.cache/go-build/
            ~/go/pkg/mod/
          key: go-${{ hashFiles('go.sum') }}
          restore-keys: |
            go-
      - name: Install Dependabot Bundler
        run: |
          go install github.com/Skarlso/dependabot-bundler@v0.0.3
      - name: Run Dependabot Bundler
        run: |
          dependabot-bundler --token ${{ secrets.GITHUB_TOKEN }} --repo test --owner Skarlso
If everything goes well, it should result in a PR like this:
This is an actual PR located here which was created with dependabot-bundler and merged.
Dependabot Bundler can apply labels to the created PR, for example:

      - name: Run Dependabot Bundler
        run: |
          dependabot-bundler --token ${{ secrets.GITHUB_TOKEN }} --repo test --owner Skarlso --labels bug,duplicate
Which will result in a PR like this:
Dependabot Bundler is now able to bundle GitHub Actions updates as well. If there are PRs which update the version of GitHub Actions, bundler will now take those updates too and apply them to the created PR.
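The two steps described above (gathering the PRs opened by the Dependabot app account and turning each one into a go get invocation, or into a GitHub Actions bump) can be shown in a few dozen lines of Go. The program below is an added illustration, not code from the dependabot-bundler project: the PullRequest and Update types, the sample PR list, and the version pinning are all assumptions made here. It also shows the guard behind the rule that only go.mod and go.sum are ever committed, and it only accepts PRs whose author is the dependabot[bot] account of type Bot, so that a human account with a similar-looking login is not bundled by mistake.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// PullRequest is a hypothetical, minimal stand-in for the pull request fields a
// bundler needs from the GitHub API: who opened it and what the title says.
type PullRequest struct {
	Number      int
	Title       string
	AuthorLogin string
	AuthorType  string // "Bot" or "User", as reported by the GitHub API
}

// Update is one dependency bump extracted from a Dependabot PR title.
type Update struct {
	Path     string // Go module path or GitHub Actions reference
	From, To string
	IsAction bool // true for an Actions bump such as actions/checkout
}

// bumpTitle matches Dependabot's standard title, e.g.
// "Bump github.com/spf13/cobra from 1.8.0 to 1.8.1" (optionally "... in /dir").
var bumpTitle = regexp.MustCompile(`^Bump (\S+) from (\S+) to (\S+)`)

// IsDependabot accepts only PRs opened by the GitHub App account itself.
func IsDependabot(pr PullRequest) bool {
	return pr.AuthorLogin == "dependabot[bot]" && pr.AuthorType == "Bot"
}

// ParseUpdate extracts the bump from one PR title. A module path starts with a
// host (github.com, golang.org, k8s.io); an Actions reference ("actions/checkout")
// has no dot in its first path segment, which is how the two are told apart.
func ParseUpdate(title string) (Update, bool) {
	m := bumpTitle.FindStringSubmatch(title)
	if m == nil {
		return Update{}, false
	}
	u := Update{Path: m[1], From: m[2], To: m[3]}
	u.IsAction = !strings.Contains(strings.SplitN(u.Path, "/", 2)[0], ".")
	return u, true
}

// GoGetCommands returns the sorted, de-duplicated go get commands for every
// Go module bump among the Dependabot PRs. The target version is pinned to
// what Dependabot proposed so the composite PR is reproducible (an assumption
// of this example; the page itself only says go get -u is applied).
func GoGetCommands(prs []PullRequest) []string {
	target := map[string]string{}
	for _, pr := range prs {
		if !IsDependabot(pr) {
			continue
		}
		if u, ok := ParseUpdate(pr.Title); ok && !u.IsAction {
			target[u.Path] = u.To
		}
	}
	cmds := make([]string, 0, len(target))
	for path, ver := range target {
		if !strings.HasPrefix(ver, "v") {
			ver = "v" + ver // Dependabot titles omit the leading v
		}
		cmds = append(cmds, fmt.Sprintf("go get -u %s@%s", path, ver))
	}
	sort.Strings(cmds)
	return cmds
}

// ActionUpdates returns the GitHub Actions bumps, which a bundler applies to
// the workflow files rather than to go.mod.
func ActionUpdates(prs []PullRequest) []Update {
	var out []Update
	for _, pr := range prs {
		if !IsDependabot(pr) {
			continue
		}
		if u, ok := ParseUpdate(pr.Title); ok && u.IsAction {
			out = append(out, u)
		}
	}
	return out
}

// DisallowedStaged returns any staged path other than go.mod or go.sum; a
// non-empty result means the commit must be aborted.
func DisallowedStaged(staged []string) []string {
	var bad []string
	for _, p := range staged {
		if p != "go.mod" && p != "go.sum" {
			bad = append(bad, p)
		}
	}
	return bad
}

// SamplePRs is a constructed list standing in for a GitHub API response.
func SamplePRs() []PullRequest {
	return []PullRequest{
		{12, "Bump github.com/spf13/cobra from 1.8.0 to 1.8.1", "dependabot[bot]", "Bot"},
		{13, "Bump golang.org/x/net from 0.24.0 to 0.25.0", "dependabot[bot]", "Bot"},
		{14, "Bump actions/checkout from 3 to 4", "dependabot[bot]", "Bot"},
		{15, "Bump github.com/example/dep from 1.0.0 to 1.0.1", "dependabot-bot", "User"}, // not the app: ignored
		{16, "Fix typo in README", "somebody", "User"},
	}
}

func main() {
	prs := SamplePRs()
	for _, c := range GoGetCommands(prs) {
		fmt.Println(c)
	}
	for _, a := range ActionUpdates(prs) {
		fmt.Printf("action %s: %s -> %s\n", a.Path, a.From, a.To)
	}
	fmt.Println("must not commit:", DisallowedStaged([]string{"go.mod", "go.sum", "main.go"}))
}
```

Run with go run; the two go get lines and the actions/checkout bump are printed, while PR #15 (a human account whose login merely resembles Dependabot's) and PR #16 are skipped. The author check is the detail worth keeping: a bundler that selects PRs by title alone would happily run go get for whatever module a title names.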
Dependabot Bundler is now available as a GitHub Action. To use it, simply include it as follows:

      - name: dependabot-bundler
        uses: skarlso/dependabot-bundler@v0.0.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repo: 'This repo'
          owner: 'Me'
To sign a commit made by the bundler, call it with the following parameters:

dependabot-bundler \
  --token ${{ secrets.GITHUB_TOKEN }} \
  --repo test \
  --owner owner \
  --signing-public-key "${{ secrets.GPG_SIGN }}" \
  --signing-private-key "${{ secrets.GPG_SECRET_SIGN }}" \
  --signing-key-passphrase "${{ secrets.GPG_KEY_PASSPHRASE }}" \
  --signing-name <sign-name> \
  --signing-email <sign-email> \
  --author-name <author-name> \
  --author-email <author-email>