Commit Graph

21 Commits

Author SHA1 Message Date
Daniel Lockyer
93e4b2eafd 🔒 Fixed remote command injection when using sendmail email transport
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-wfrj-qqc2-83cm
refs https://github.com/advisories/GHSA-48ww-j4fc-435p

- a vulnerability in `nodemailer` means that the `sendmail` transport is
  vulnerable to command injection for flags passed to the `sendmail`
  binary
- updating to the latest version of Nodemailer required creating
  `@tryghost/nodemailer`, which is a wrapper around Nodemailer and
  several plugins that used to be in the core
- this commit switches to using that package, and fixes up some small
  code + test changes
2021-09-17 16:46:51 +01:00
Daniel Lockyer
10fa1283ca Updated ghost-storage-base to v0.0.6
no issue

- this package has been bumped to support Node 12 + 14
- AFAICT I added it to the Renovate list back when we had some timezone
  issues with moment, but we've since pinned the version of moment so we
  shouldn't experience that now
- therefore this commit also removes it from the Renovate ignore list
2021-09-09 10:15:26 +01:00
Daniel Lockyer
c0dc381c5e
Revert "Added GScan to Renovate ignore list"
refs 3f00800132

- this reverts commit 384a1d0a83.
- globally ignored in the commit referenced above
2021-06-22 15:01:48 +01:00
Daniel Lockyer
384a1d0a83
Added GScan to Renovate ignore list
refs 0d2c990013

- we've had to temporarily hold back a GScan update whilst we think
  about theme loading in Ghost
- this commit adds GScan to the Renovate ignore list so it won't
  automatically bump the package
2021-06-22 14:57:43 +01:00
Hannah Wolfe
526993965a
Switch to @tryghost/validator, remove validator
- Part of the effort to split Ghost down into smaller, decoupled pieces
- Moved out our internal validator tooling to a separate library
- Replaced all usage of our own tooling and validatorjs directly with @tryghost/validator
- Removed the validatorjs dependency and removed the renovate pin
- This gives us a consistent, smaller, clearer public API for validations
- It will eventually be used on Ghost Admin too
- This way we can start getting up to date with validator whilst not increasing build size
2021-06-16 08:11:22 +01:00
Daniel Lockyer
3421269ee7 Updated tmp dependency to v0.2.1
no issue

- `tmp` 0.1.0 was broken and I added `tmp` to the Renovate ignore list
  to stop it creating PRs - 082160106a
- 0.2.1 is fixed again so we can merge the update and remove it from the
  list
2021-04-19 15:13:55 +01:00
Daniel Lockyer
54a09842a6
Disabled automerging of @TryGhost dependencies
refs 865bc40be2

- we want to disable automerging of TryGhost dependencies into this
  repository, in order to allow merging with emojis in commits
- the referenced commit adds a preset which is a packageRule
  to match TryGhost dependencies and disable `automergeNonMajor`
2021-04-01 13:19:41 +01:00
Daniel Lockyer
4c9e9313d8 Updated Renovate config
no issue
2020-07-21 16:51:59 +01:00
Daniel Lockyer
b2fa84c7ff Added ghost-storage-base and moment to renovate ignore list
no issue

-
2020-06-11 14:22:39 +01:00
Daniel Lockyer
082160106a Added tmp to Renovate ignore list
no issue

- `tmp` 0.1.0 is broken but a new release isn't coming any time soon so
  we should ignore it for now
2020-04-22 11:13:49 +01:00
Hannah Wolfe
7f1d3ebc07
Move tests from core to root (#11700)
- move all test files from core/test to test/
- updated all imports and other references
- all code inside of core/ is then application code
- tests are correctly at the root level
- consistent with other repos/projects

Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk>
2020-03-30 16:26:47 +01:00
Daniel Lockyer
c7baed9e1f
Updated Renovate config with latest presets
no issue
2020-03-26 07:50:30 +00:00
Daniel Lockyer
e18bbb7053
Configured Renovate to automerge patches from branch
no issue
2020-03-25 20:37:24 +00:00
Daniel Lockyer
037db39b84
Removed Travis maintenance option from Renovate
no issue

- we no longer use Travis
2020-03-25 15:27:57 +00:00
Daniel Lockyer
2b9e494dfc Updated ignored dependencies in Renovate
no issue

- `got` 10.x has a Node 10 bug that makes it pretty much unusable for
  now
- `intl-messageformat` 6.0.0 introduced a breaking change in terms of
  escaping that would be pretty difficult to fix for now
2020-02-25 16:43:04 +00:00
Daniel Lockyer
8624587fb0 Merged metascraper monorepo PRs from Renovate
2020-01-16 16:50:59 +07:00
Naz Gargol
2bebddc68c
Update Renovate Configuration (#10873)
no issue

- Custom schedule initially introduced in 4ddc8310b0 to be able to triage initial influx of PRs during less work intense time
2019-07-05 15:51:40 +02:00
Nazar Gargol
5aa0a2134b Reverted moment-timezone bump back to 0.5.23
refs #10870

- Added moment-timezone to Renovate's ignore list
- Described reasoning in https://github.com/TryGhost/Ghost/issues/10870
2019-07-04 13:56:13 +02:00
Rish
bd0e5588be Updated renovate ignore list
no issue

- Added `simple-dom` to renovate ignore dependency list. Mobiledoc-kit's dom renderer will need updates for it to be compatible so we stick to one version across the dom renderer and our own usage of simple-dom
2019-07-03 16:41:20 +05:30
Nazar Gargol
4ddc8310b0 Updated renovate schedule
no issue

- To go through initial flood of PRs we want to have schedule changed just for the first week.
- This commit should be reverted next week
2019-07-01 17:37:14 +02:00
renovate[bot]
c2bb34ff9c Configured Renovate (#10672)
no issue

- Added default config
- Silently automerge test & lint deps
- Added validator to ignoreDeps
- ^ Because we monkeypatch validator prototype with 'extend' method and updating it should be handled more carefully as a separate task. Ref - https://github.com/TryGhost/Ghost/blob/be27db4/core/server/data/validation/index.js#L55
2019-07-01 14:46:27 +02:00