Bump Newtonsoft.Json from 11.0.2 to 13.0.2 in /src/Runner.Common by dependabot[bot] · Pull Request #9 · smooth80/runner

dependabot · 2022-12-08T02:51:12Z

Bumps Newtonsoft.Json from 11.0.2 to 13.0.2.

Release notes

Sourced from Newtonsoft.Json's releases.

13.0.2

New feature - Add support for DateOnly and TimeOnly

New feature - Add UnixDateTimeConverter.AllowPreEpoch property

New feature - Add copy constructor to JsonSerializerSettings

New feature - Add JsonCloneSettings with property to disable copying annotations

Change - Add nullable annotation to JToken.ToObject(Type, JsonSerializer)

Change - Reduced allocations by reusing boxed values

Fix - Fixed MaxDepth when used with ToObject inside of a JsonConverter

Fix - Fixed deserializing mismatched JToken types in properties

Fix - Fixed merging enumerable content and validate content

Fix - Fixed using $type with arrays of more than two dimensions

Fix - Fixed rare race condition in name table when deserializing on device with ARM processors

Fix - Fixed deserializing via constructor with ignored base type properties

Fix - Fixed MaxDepth not being used with ISerializable deserialization

13.0.1

New feature - Add JsonSelectSettings with configuration for a regex timeout

Change - Remove portable assemblies from NuGet package

Change - JsonReader and JsonSerializer MaxDepth defaults to 64

Change - Change InvalidCastException to JsonSerializationException on mismatched JToken

Fix - Fixed throwing missing member error on ignored fields

Fix - Fixed various nullable annotations

Fix - Fixed annotations not being copied when tokens are cloned

Fix - Fixed naming strategy not being used when deserializing dictionary enum keys

Fix - Fixed serializing nullable struct dictionaries

Fix - Fixed JsonWriter.WriteToken to allow null with string token

Fix - Fixed missing error when deserializing JToken with a contract type mismatch

Fix - Fixed JTokenWriter when writing comment to an object

12.0.3

New feature - Added support for nullable reference types

New feature - Added KebabCaseNamingStrategy

Change - Package now uses embedded package icon

Fix - Fixed bug when merging JToken with itself

Fix - Fixed performance of calling ICustomTypeDescriptor.GetProperties

Fix - Fixed serializing Enumerable.Empty and empty arrays on .NET Core 3.0

Fix - Fixed deserializing some collection types with constructor

Fix - Fixed deserializing IImmutableSet to ImmutableHashSet instead of ImmutableSortedSet

Fix - Fixed deserializing IImmutableDictionary to ImmutableDictionary instead of ImmutableSortedDictionary

Fix - Fixed deserializing into constructors with more than 256 parameters

Fix - Fixed hang when deserializing JTokenReader with preceding comment

Fix - Fixed JSONPath scanning with nested indexer

Fix - Fixed deserializing incomplete JSON object to JObject

Fix - Fixed using StringEnumConverter with naming strategy and specified values

12.0.2

New feature - Added MissingMemberHandling to JsonObjectAttribute and JsonObjectContract

New feature - Added constructor to JTokenReader to specify initial path

New feature - Added JsonProperty.IsRequiredSpecified

New feature - Added JsonContract.InternalConverter

... (truncated)

Commits

4fba53a Remove prerelease for 13.0.2
b15df4b Add missing headers
789bfd3 Update to 13.0.2-beta3
b13717a Add JsonCloneSettings to disable copy annotations (#2757)
d0a328e Fix MaxDepth not being used with ISerializable deserialization (#2736)
aae9284 Update SDK
bd98970 Update to 13.0.2-beta2
4dc9af6 Add roll forward to global.json (#2726)
b8f4ef0 Fixing misspelling (#2698)
cb9eed9 Fix deserializing via constructor with ignored base type properties (#2711)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [Newtonsoft.Json](https://github.com/JamesNK/Newtonsoft.Json) from 11.0.2 to 13.0.2. - [Release notes](https://github.com/JamesNK/Newtonsoft.Json/releases) - [Commits](JamesNK/Newtonsoft.Json@11.0.2...13.0.2) --- updated-dependencies: - dependency-name: Newtonsoft.Json dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

guardrails · 2022-12-08T02:51:53Z

⚠️ We detected 36 security issues in this pull request:

Mode: paranoid | Total findings: 36 | Considered vulnerability: 36

Insecure Use of Regular Expressions (4)

Docs

Details

💡

Title: Regex DOS (ReDOS), Severity: Medium

runner/src/Misc/layoutbin/hashFiles/index.js

Line 579 in 73c369d

tail = tail.replace(/((?:\\{2}){0,64})(\\?)\|/g, function (_, $1, $2) {

💡

Title: Regex DOS (ReDOS), Severity: Medium

runner/src/Misc/layoutbin/hashFiles/index.js

Line 1345 in 73c369d

var isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);

💡

Title: Regex DOS (ReDOS), Severity: Medium

runner/src/Misc/layoutbin/hashFiles/index.js

Line 1346 in 73c369d

var isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);

💡

Title: Regex DOS (ReDOS), Severity: Medium

runner/src/Misc/layoutbin/hashFiles/index.js

Line 2471 in 73c369d

if (IS_WINDOWS && /^\\\\[^\\]+(\\[^\\]+)?$/.test(p)) {

More info on how to fix Insecure Use of Regular Expressions in JavaScript.

Insecure Network Communication (1)

Docs

Details

💡

Title: SSL Certificate verification is disabled, Severity: High

runner/src/Misc/layoutbin/checkScripts/downloadCert.js

Line 13 in 73c369d

process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'

More info on how to fix Insecure Network Communication in JavaScript.

Vulnerable Libraries (16)

Severity	Details
Medium	glob-parent@5.1.1 (t) upgrade to: >=5.1.2
Medium	hosted-git-info@2.8.8 (t) upgrade to: >=2.8.9 \|\| >=3.0.8
High	lodash@4.17.19 (t) upgrade to: >=4.17.21
Low	node-fetch@2.1.2 (t) upgrade to: >2.6.0 \|\| >3.0.0-beta.8
Medium	pkg:npm/cross-fetch@2.2.2@2.2.2 (t) upgrade to: 3.1.5,2.2.6
High	pkg:npm/path-parse@1.0.6@1.0.6 (t) - no patch available
High	pkg:npm/typescript@3.7.2@3.7.2 (t) - no patch available
High	pkg:npm/glob-parent@5.1.1@5.1.1 (t) upgrade to: 5.1.2
High	pkg:npm/minimatch@3.0.4@3.0.4 (t) upgrade to: 3.0.5
High	pkg:npm/ansi-regex@5.0.0@5.0.0 (t) upgrade to: 6.0.1,5.0.1,4.1.1,3.0.1
Critical	pkg:npm/lodash@4.17.19@4.17.19 (t) - no patch available
Critical	pkg:npm/minimist@1.2.5@1.2.5 (t) upgrade to: 1.2.6
High	pkg:npm/hosted-git-info@2.8.8@2.8.8 (t) - no patch available
Medium	pkg:npm/ajv@6.12.0@6.12.0 (t) upgrade to: 6.12.3
Medium	pkg:npm/node-fetch@2.1.2@2.1.2 (t) - no patch available
Medium	pkg:npm/%40actions/core@1.2.6@1.2.6 (t) upgrade to: 1.9.1

More info on how to fix Vulnerable Libraries in JavaScript.

Hard-Coded Secrets (15)

Docs

Details

💡