fix: Bump target EcmaSript to 2022, and future security improvements

MaxymVlasov · Feb 23, 2025 · 9ff647c · 9ff647c
1 parent dc8fde9
commit 9ff647c
Show file tree

Hide file tree

Showing 6 changed files with 130 additions and 180 deletions.
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -1,79 +1,16 @@
 # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
-language: en-US
-tone_instructions: ''
-early_access: false
-enable_free_tier: true
 reviews:
-  path_instructions: []
-
-  profile: chill
-  request_changes_workflow: false
-  high_level_summary: true
-  high_level_summary_placeholder: '@coderabbitai summary'
-  high_level_summary_in_walkthrough: false
-  auto_title_placeholder: '@coderabbitai'
-  auto_title_instructions: ''
-  review_status: true
-  commit_status: true
-  fail_commit_status: false
-  collapse_walkthrough: true  # TODO: Test this
-  changed_files_summary: true
-  sequence_diagrams: true
-  assess_linked_issues: true
-  related_issues: true
-  related_prs: true
-  suggested_labels: true
-  auto_apply_labels: false
-  suggested_reviewers: true
+  # Collapse main AI comment by default, as it takes too much space when
+  # expanded. It also is needless for subsequent rounds of PR review, mostly
+  # only for the first one
+  collapse_walkthrough: true
+  # Disable false-positive cross links to issues
+  related_issues: false
+  # Disable false-positive cross links to PRs
+  related_prs: false
+  # Disable useless Poem generation
   poem: false
-  labeling_instructions: []
-  path_filters: []
-  abort_on_close: false
+
   auto_review:
-    enabled: true
-    auto_incremental_review: true
-    ignore_title_keywords: []
-    labels: []
+    # Enable AI review for Draft PRs
     drafts: true
-    base_branches:
-      - main
-  finishing_touches:
-    docstrings:
-      enabled: true
-  tools:
-    markdownlint:
-      enabled: true
-    github-checks:
-      enabled: true
-      timeout_ms: 90000
-    languagetool:
-      enabled: true
-      enabled_only: false
-      level: default
-    biome:
-      enabled: true
-    yamllint:
-      enabled: true
-    gitleaks:
-      enabled: true
-    checkov:
-      enabled: true
-    eslint:
-      enabled: true
-    actionlint:
-      enabled: true
-    semgrep:
-      enabled: true
-chat:
-  auto_reply: true
-knowledge_base:
-  opt_out: false
-  learnings:
-    scope: auto
-  issues:
-    scope: auto
-  jira:
-    usage: auto
-    project_keys: []
-  pull_requests:
-    scope: auto
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -1,5 +1,23 @@
 # Reporting a Vulnerability
 
-If you discover a potential security issue in this project, please notify me by emailing <mailto:dive-action-security.y7uio@passinbox.com>.
+If you believe you have discovered a potential security vulnerability in this project, please report it securely. **Do not create a public GitHub issue for any security concerns.**
 
-Please do **not** create a public github issue.
+## How to Report
+
+Send an email with a detailed description of the vulnerability—including any evidence of disclosure, the impact, and any timelines related to the issue—to our security team at:  
+[dive-action-security.y7uio@passinbox.com](mailto:dive-action-security.y7uio@passinbox.com)
+
+## Vulnerability Disclosure Process
+
+- **Confidential Disclosure:** All vulnerability reports will be kept confidential until a fix is developed and verified.
+- **Assessment and Response:** We aim to acknowledge any valid report within 15 business days.
+- **Timelines:** After verification, we plan to have a coordinated disclosure within 60 days, though this may vary depending on the complexity of the fix.
+- **Communication:** We will work directly with you to clarify details, answer questions, and discuss potential mitigations.
+- **Updates:** We may provide periodic updates on the progress of remediating the reported vulnerability.
+
+## Guidelines
+
+- **Vulnerability Definition:** A vulnerability is any flaw or weakness in this project that can be exploited to compromise system security.
+- **Disclosure Expectations:** When you report a vulnerability, please include as much detail as possible to enable us to assess its validity and scope without exposing sensitive information publicly.
+
+By following this process, you help us improve the security of our project while protecting users and maintainers. We appreciate your efforts to responsibly disclose vulnerabilities.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -43,6 +43,7 @@ repos:
 
       # JSON
       - id: check-json  # checks json files for parseable syntax.
+        exclude: ^tsconfig\.json$  # JSONC file
       - id: pretty-format-json  # sets a standard for formatting .json files
         args:
           - --autofix
@@ -57,6 +58,7 @@ repos:
           - --autofix
           - --no-sort-keys
         files: *json
+        exclude: ^tsconfig\.json$  # JSONC file
 
 
       # Symlinks

diff --git a/dist/index.js b/dist/index.js
@@ -39,15 +39,6 @@ var __importStar = (this && this.__importStar) || (function () {
         return result;
     };
 })();
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -108,12 +99,14 @@ function composeComment(diveOutput, customLeadingComment) {
     }
     return ret.join('\n');
 }
-function postComment(ghToken_1, diveOutput_1) {
-    return __awaiter(this, arguments, void 0, function* (ghToken, diveOutput, customLeadingComment = []) {
-        const octokit = github.getOctokit(ghToken);
-        const comment = Object.assign(Object.assign({}, github.context.issue), { issue_number: github.context.issue.number, body: composeComment(diveOutput, customLeadingComment) });
-        yield octokit.rest.issues.createComment(comment);
-    });
+async function postComment(ghToken, diveOutput, customLeadingComment = []) {
+    const octokit = github.getOctokit(ghToken);
+    const comment = {
+        ...github.context.issue,
+        issue_number: github.context.issue.number,
+        body: composeComment(diveOutput, customLeadingComment)
+    };
+    await octokit.rest.issues.createComment(comment);
 }
 function error(message) {
     core.setOutput('error', message);
@@ -135,99 +128,97 @@ function error(message) {
  *
  * @beta
  */
-function run() {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            const image = core.getInput('image');
-            if (!image) {
-                error('Missing required parameter: image');
-            }
-            const configFile = core.getInput('config-file');
-            const highestWastedBytes = core.getInput('highest-wasted-bytes');
-            const highestUserWastedRatio = core.getInput('highest-user-wasted-ratio');
-            const lowestEfficiencyRatio = core.getInput('lowest-efficiency-ratio');
-            // Convert always-comment input to boolean value.
-            // All values other than 'true' are considered false.
-            const alwaysComment = core.getInput('always-comment').toLowerCase() === 'true';
-            const ghToken = core.getInput('github-token');
-            if (alwaysComment && !ghToken) {
-                error('"always-comment" parameter requires "github-token" to be set.');
-            }
-            const diveRepo = core.getInput('dive-image-registry');
-            // Validate Docker image name format
-            if (!/^[\w.\-_/]+$/.test(diveRepo)) {
-                error('Invalid dive-image-registry format');
-            }
-            const diveVersion = core.getInput('dive-image-version');
-            const diveImage = `${diveRepo}:${diveVersion}`;
-            yield exec.exec('docker', ['pull', diveImage]);
-            const commandOptions = [
-                '-e',
-                'CI=true',
-                '-e',
-                'DOCKER_API_VERSION=1.45',
-                '--rm',
-                '-v',
-                '/var/run/docker.sock:/var/run/docker.sock'
-            ];
-            const hasConfigFile = fs_1.default.existsSync(configFile);
-            const configFileDefaultPath = `${process.env.GITHUB_WORKSPACE}/.dive.yaml`;
-            if (!hasConfigFile && configFile !== configFileDefaultPath) {
-                error(`Config file not found in the specified path '${configFile}'\n` +
-                    `github.workspace value is: '${process.env.GITHUB_WORKSPACE}'`);
-            }
-            if (hasConfigFile) {
-                commandOptions.push('--mount', `type=bind,source=${configFile},target=/.dive-ci`);
-            }
-            const parameters = ['run', ...commandOptions, diveImage, image];
-            if (hasConfigFile) {
-                parameters.push('--ci-config', '/.dive-ci');
-            }
-            if (lowestEfficiencyRatio) {
-                parameters.push('--lowestEfficiency', lowestEfficiencyRatio);
-            }
-            if (highestUserWastedRatio) {
-                parameters.push('--highestUserWastedPercent', highestUserWastedRatio);
-            }
-            if (highestWastedBytes) {
-                parameters.push('--highestWastedBytes', highestWastedBytes);
-            }
-            let diveOutput = '';
-            const execOptions = {
-                ignoreReturnCode: true,
-                listeners: {
-                    stdout: (data) => {
-                        diveOutput += data.toString();
-                    },
-                    stderr: (data) => {
-                        diveOutput += data.toString();
-                    }
+async function run() {
+    try {
+        const image = core.getInput('image');
+        if (!image) {
+            error('Missing required parameter: image');
+        }
+        const configFile = core.getInput('config-file');
+        const highestWastedBytes = core.getInput('highest-wasted-bytes');
+        const highestUserWastedRatio = core.getInput('highest-user-wasted-ratio');
+        const lowestEfficiencyRatio = core.getInput('lowest-efficiency-ratio');
+        // Convert always-comment input to boolean value.
+        // All values other than 'true' are considered false.
+        const alwaysComment = core.getInput('always-comment').toLowerCase() === 'true';
+        const ghToken = core.getInput('github-token');
+        if (alwaysComment && !ghToken) {
+            error('"always-comment" parameter requires "github-token" to be set.');
+        }
+        const diveRepo = core.getInput('dive-image-registry');
+        // Validate Docker image name format
+        if (!/^[\w.\-_/]+$/.test(diveRepo)) {
+            error('Invalid dive-image-registry format');
+        }
+        const diveVersion = core.getInput('dive-image-version');
+        const diveImage = `${diveRepo}:${diveVersion}`;
+        await exec.exec('docker', ['pull', diveImage]);
+        const commandOptions = [
+            '-e',
+            'CI=true',
+            '-e',
+            'DOCKER_API_VERSION=1.45',
+            '--rm',
+            '-v',
+            '/var/run/docker.sock:/var/run/docker.sock'
+        ];
+        const hasConfigFile = fs_1.default.existsSync(configFile);
+        const configFileDefaultPath = `${process.env.GITHUB_WORKSPACE}/.dive.yaml`;
+        if (!hasConfigFile && configFile !== configFileDefaultPath) {
+            error(`Config file not found in the specified path '${configFile}'\n` +
+                `github.workspace value is: '${process.env.GITHUB_WORKSPACE}'`);
+        }
+        if (hasConfigFile) {
+            commandOptions.push('--mount', `type=bind,source=${configFile},target=/.dive-ci`);
+        }
+        const parameters = ['run', ...commandOptions, diveImage, image];
+        if (hasConfigFile) {
+            parameters.push('--ci-config', '/.dive-ci');
+        }
+        if (lowestEfficiencyRatio) {
+            parameters.push('--lowestEfficiency', lowestEfficiencyRatio);
+        }
+        if (highestUserWastedRatio) {
+            parameters.push('--highestUserWastedPercent', highestUserWastedRatio);
+        }
+        if (highestWastedBytes) {
+            parameters.push('--highestWastedBytes', highestWastedBytes);
+        }
+        let diveOutput = '';
+        const execOptions = {
+            ignoreReturnCode: true,
+            listeners: {
+                stdout: (data) => {
+                    diveOutput += data.toString();
+                },
+                stderr: (data) => {
+                    diveOutput += data.toString();
                 }
-            };
-            const exitCode = yield exec.exec('docker', parameters, execOptions);
-            const scanFailedErrorMsg = `Scan failed (exit code: ${exitCode})`;
-            if (alwaysComment) {
-                yield postComment(ghToken, diveOutput);
-                if (exitCode === 0)
-                    return;
-                error(scanFailedErrorMsg);
             }
+        };
+        const exitCode = await exec.exec('docker', parameters, execOptions);
+        const scanFailedErrorMsg = `Scan failed (exit code: ${exitCode})`;
+        if (alwaysComment) {
+            await postComment(ghToken, diveOutput);
             if (exitCode === 0)
                 return;
-            if (!ghToken) {
-                error(`Scan failed (exit code: ${exitCode}).\nTo post scan results as ` +
-                    'a PR comment, please provide the github-token in the action inputs.');
-            }
-            yield postComment(ghToken, diveOutput, [
-                '> [!WARNING]',
-                '> The container image has inefficient files.'
-            ]);
             error(scanFailedErrorMsg);
         }
-        catch (e) {
-            error(e instanceof Error ? e.message : String(e));
+        if (exitCode === 0)
+            return;
+        if (!ghToken) {
+            error(`Scan failed (exit code: ${exitCode}).\nTo post scan results as ` +
+                'a PR comment, please provide the github-token in the action inputs.');
         }
-    });
+        await postComment(ghToken, diveOutput, [
+            '> [!WARNING]',
+            '> The container image has inefficient files.'
+        ]);
+        error(scanFailedErrorMsg);
+    }
+    catch (e) {
+        error(e instanceof Error ? e.message : String(e));
+    }
 }
 run();
 

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/tsconfig.json b/tsconfig.json
@@ -1,8 +1,10 @@
 {
   "compilerOptions": {
-    "target": "es2015",
+    // ECMAScript 2022 is the latest version of ECMAScript that is
+    // supported by the NodeJS 20 used in GHA
+    "target": "es2022",
     "lib": [
-      "ES2015"
+      "ES2022"
     ],
     "module": "commonjs",
     "outDir": "./lib",