New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details → →
@changesets/ghcommit
Advanced tools
@changesets/ghcommit - npm Package Compare versions
| import { | ||
| commitFilesFromBuffers | ||
| } from "./chunk-ZMHONBF6.mjs"; | ||
| // src/git.ts | ||
| import { promises as fs } from "fs"; | ||
| import git from "isomorphic-git"; | ||
| import { relative, resolve } from "path"; | ||
| var FILE_MODES = { | ||
| directory: 16384, | ||
| file: 33188, | ||
| executableFile: 33261, | ||
| symlink: 40960 | ||
| }; | ||
| var commitChangesFromRepo = async ({ | ||
| base, | ||
| cwd: workingDirectory, | ||
| recursivelyFindRoot = true, | ||
| filterFiles, | ||
| log, | ||
| ...otherArgs | ||
| }) => { | ||
| const ref = base?.commit ?? "HEAD"; | ||
| const cwd = resolve(workingDirectory); | ||
| const repoRoot = recursivelyFindRoot ? await git.findRoot({ fs, filepath: cwd }) : cwd; | ||
| const gitLog = await git.log({ | ||
| fs, | ||
| dir: repoRoot, | ||
| ref, | ||
| depth: 1 | ||
| }); | ||
| const oid = gitLog[0]?.oid; | ||
| if (!oid) { | ||
| throw new Error(`Could not determine oid for ${ref}`); | ||
| } | ||
| const relativeStartDirectory = cwd === repoRoot ? null : relative(repoRoot, cwd) + "/"; | ||
| const trees = [git.TREE({ ref: oid }), git.WORKDIR()]; | ||
| const additions = []; | ||
| const deletions = []; | ||
| const fileChanges = { | ||
| additions, | ||
| deletions | ||
| }; | ||
| await git.walk({ | ||
| fs, | ||
| dir: repoRoot, | ||
| trees, | ||
| map: async (filepath, [commit, workdir]) => { | ||
| if (await git.isIgnored({ | ||
| fs, | ||
| dir: repoRoot, | ||
| filepath | ||
| })) { | ||
| return null; | ||
| } | ||
| const prevOid = await commit?.oid(); | ||
| const currentOid = await workdir?.oid(); | ||
| if (prevOid === currentOid && !commit === !workdir) { | ||
| return null; | ||
| } | ||
| if (await commit?.mode() === FILE_MODES.symlink || await workdir?.mode() === FILE_MODES.symlink) { | ||
| throw new Error( | ||
| `Unexpected symlink at ${filepath}, GitHub API only supports files and directories. You may need to add this file to .gitignore` | ||
| ); | ||
| } | ||
| if (await workdir?.mode() === FILE_MODES.executableFile) { | ||
| throw new Error( | ||
| `Unexpected executable file at ${filepath}, GitHub API only supports non-executable files and directories. You may need to add this file to .gitignore` | ||
| ); | ||
| } | ||
| if (await commit?.type() === "tree" || await workdir?.type() === "tree") { | ||
| return true; | ||
| } | ||
| if (relativeStartDirectory && !filepath.startsWith(relativeStartDirectory)) { | ||
| return null; | ||
| } | ||
| if (filterFiles && !filterFiles(filepath)) { | ||
| return null; | ||
| } | ||
| if (!workdir) { | ||
| deletions.push(filepath); | ||
| return null; | ||
| } else { | ||
| const arr = await workdir.content(); | ||
| if (!arr) { | ||
| throw new Error(`Could not determine content of file ${filepath}`); | ||
| } | ||
| additions.push({ | ||
| path: filepath, | ||
| contents: Buffer.from(arr) | ||
| }); | ||
| } | ||
| return true; | ||
| } | ||
| }); | ||
| return commitFilesFromBuffers({ | ||
| ...otherArgs, | ||
| fileChanges, | ||
| log, | ||
| base: { | ||
| commit: oid | ||
| } | ||
| }); | ||
| }; | ||
| export { | ||
| commitChangesFromRepo | ||
| }; |
+5
-5
@@ -315,2 +315,7 @@ "use strict"; | ||
| } | ||
| const prevOid = await commit?.oid(); | ||
| const currentOid = await workdir?.oid(); | ||
| if (prevOid === currentOid && !commit === !workdir) { | ||
| return null; | ||
| } | ||
| if (await commit?.mode() === FILE_MODES.symlink || await workdir?.mode() === FILE_MODES.symlink) { | ||
@@ -326,7 +331,2 @@ throw new Error( | ||
| } | ||
| const prevOid = await commit?.oid(); | ||
| const currentOid = await workdir?.oid(); | ||
| if (prevOid === currentOid && !commit === !workdir) { | ||
| return null; | ||
| } | ||
| if (await commit?.type() === "tree" || await workdir?.type() === "tree") { | ||
@@ -333,0 +333,0 @@ return true; |
+1
-1
| import { | ||
| commitChangesFromRepo | ||
| } from "./chunk-OZT6S72A.mjs"; | ||
| } from "./chunk-EGYIMNRV.mjs"; | ||
| import "./chunk-ZMHONBF6.mjs"; | ||
@@ -5,0 +5,0 @@ import "./chunk-K42BAWCN.mjs"; |
+5
-5
@@ -373,2 +373,7 @@ "use strict"; | ||
| } | ||
| const prevOid = await commit?.oid(); | ||
| const currentOid = await workdir?.oid(); | ||
| if (prevOid === currentOid && !commit === !workdir) { | ||
| return null; | ||
| } | ||
| if (await commit?.mode() === FILE_MODES.symlink || await workdir?.mode() === FILE_MODES.symlink) { | ||
@@ -384,7 +389,2 @@ throw new Error( | ||
| } | ||
| const prevOid = await commit?.oid(); | ||
| const currentOid = await workdir?.oid(); | ||
| if (prevOid === currentOid && !commit === !workdir) { | ||
| return null; | ||
| } | ||
| if (await commit?.type() === "tree" || await workdir?.type() === "tree") { | ||
@@ -391,0 +391,0 @@ return true; |
+1
-1
@@ -6,3 +6,3 @@ import { | ||
| commitChangesFromRepo | ||
| } from "./chunk-OZT6S72A.mjs"; | ||
| } from "./chunk-EGYIMNRV.mjs"; | ||
| import "./chunk-ZMHONBF6.mjs"; | ||
@@ -9,0 +9,0 @@ import { |
+3
-2
| { | ||
| "name": "@changesets/ghcommit", | ||
| "version": "2.0.0", | ||
| "version": "2.0.1", | ||
| "description": "Directly change files on github using the github API, to support GPG signing", | ||
@@ -84,4 +84,5 @@ "keywords": [ | ||
| "dependencies": { | ||
| "isomorphic-git": "^1.27.1" | ||
| "isomorphic-git": "^1.36.3" | ||
| }, | ||
| "prettier": {}, | ||
| "scripts": { | ||
@@ -88,0 +89,0 @@ "build": "rm -rf dist && pnpm codegen:github && tsc --noEmit && tsup", |
| import { | ||
| commitFilesFromBuffers | ||
| } from "./chunk-ZMHONBF6.mjs"; | ||
| // src/git.ts | ||
| import { promises as fs } from "fs"; | ||
| import git from "isomorphic-git"; | ||
| import { relative, resolve } from "path"; | ||
| var FILE_MODES = { | ||
| directory: 16384, | ||
| file: 33188, | ||
| executableFile: 33261, | ||
| symlink: 40960 | ||
| }; | ||
| var commitChangesFromRepo = async ({ | ||
| base, | ||
| cwd: workingDirectory, | ||
| recursivelyFindRoot = true, | ||
| filterFiles, | ||
| log, | ||
| ...otherArgs | ||
| }) => { | ||
| const ref = base?.commit ?? "HEAD"; | ||
| const cwd = resolve(workingDirectory); | ||
| const repoRoot = recursivelyFindRoot ? await git.findRoot({ fs, filepath: cwd }) : cwd; | ||
| const gitLog = await git.log({ | ||
| fs, | ||
| dir: repoRoot, | ||
| ref, | ||
| depth: 1 | ||
| }); | ||
| const oid = gitLog[0]?.oid; | ||
| if (!oid) { | ||
| throw new Error(`Could not determine oid for ${ref}`); | ||
| } | ||
| const relativeStartDirectory = cwd === repoRoot ? null : relative(repoRoot, cwd) + "/"; | ||
| const trees = [git.TREE({ ref: oid }), git.WORKDIR()]; | ||
| const additions = []; | ||
| const deletions = []; | ||
| const fileChanges = { | ||
| additions, | ||
| deletions | ||
| }; | ||
| await git.walk({ | ||
| fs, | ||
| dir: repoRoot, | ||
| trees, | ||
| map: async (filepath, [commit, workdir]) => { | ||
| if (await git.isIgnored({ | ||
| fs, | ||
| dir: repoRoot, | ||
| filepath | ||
| })) { | ||
| return null; | ||
| } | ||
| if (await commit?.mode() === FILE_MODES.symlink || await workdir?.mode() === FILE_MODES.symlink) { | ||
| throw new Error( | ||
| `Unexpected symlink at ${filepath}, GitHub API only supports files and directories. You may need to add this file to .gitignore` | ||
| ); | ||
| } | ||
| if (await workdir?.mode() === FILE_MODES.executableFile) { | ||
| throw new Error( | ||
| `Unexpected executable file at ${filepath}, GitHub API only supports non-executable files and directories. You may need to add this file to .gitignore` | ||
| ); | ||
| } | ||
| const prevOid = await commit?.oid(); | ||
| const currentOid = await workdir?.oid(); | ||
| if (prevOid === currentOid && !commit === !workdir) { | ||
| return null; | ||
| } | ||
| if (await commit?.type() === "tree" || await workdir?.type() === "tree") { | ||
| return true; | ||
| } | ||
| if (relativeStartDirectory && !filepath.startsWith(relativeStartDirectory)) { | ||
| return null; | ||
| } | ||
| if (filterFiles && !filterFiles(filepath)) { | ||
| return null; | ||
| } | ||
| if (!workdir) { | ||
| deletions.push(filepath); | ||
| return null; | ||
| } else { | ||
| const arr = await workdir.content(); | ||
| if (!arr) { | ||
| throw new Error(`Could not determine content of file ${filepath}`); | ||
| } | ||
| additions.push({ | ||
| path: filepath, | ||
| contents: Buffer.from(arr) | ||
| }); | ||
| } | ||
| return true; | ||
| } | ||
| }); | ||
| return commitFilesFromBuffers({ | ||
| ...otherArgs, | ||
| fileChanges, | ||
| log, | ||
| base: { | ||
| commit: oid | ||
| } | ||
| }); | ||
| }; | ||
| export { | ||
| commitChangesFromRepo | ||
| }; |
New alerts
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Fixed alerts
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Long strings
Supply chain riskContains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
107542
0.02%Dependency changes
Updated
isomorphic-git@^1.36.3