
chore(deps): update dependency typescript to v6#5

Open

cnap-tech-renovate[bot] wants to merge 1 commit into main from renovate/typescript-6.x

Conversation

@cnap-tech-renovate cnap-tech-renovate Bot commented Apr 18, 2026


This PR contains the following updates:

Package              Type             Update  Change
typescript (source)  devDependencies  major   ^5.6.0 -> ^6.0.0

Release Notes

microsoft/TypeScript (typescript)

v6.0.3: TypeScript 6.0.3


For release notes, check out the release announcement blog post.

Downloads are available on:

v6.0.2: TypeScript 6.0


For release notes, check out the release announcement blog post.

Downloads are available on:


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@cnap-tech-renovate cnap-tech-renovate Bot force-pushed the renovate/typescript-6.x branch 2 times, most recently from a6572a8 to 5674053 on April 18, 2026 20:54
@cnap-tech-renovate cnap-tech-renovate Bot changed the title chore(deps): update dependency typescript to v6 chore(deps): update dependency typescript to v6 - autoclosed Apr 21, 2026
@cnap-tech-renovate cnap-tech-renovate Bot deleted the renovate/typescript-6.x branch April 21, 2026 03:34
@cnap-tech-renovate cnap-tech-renovate Bot changed the title chore(deps): update dependency typescript to v6 - autoclosed chore(deps): update dependency typescript to v6 Apr 27, 2026
@cnap-tech-renovate cnap-tech-renovate Bot reopened this Apr 27, 2026
@cnap-tech-renovate cnap-tech-renovate Bot force-pushed the renovate/typescript-6.x branch 2 times, most recently from 5674053 to 1451449 on April 27, 2026 17:38
robinbraemer added a commit that referenced this pull request Apr 29, 2026
Closes the host-side dep-resolver attack surface flagged in the
audit. Implements roadmap items #1 and #2 from CLAUDE.md
"`replace` and `path` deps are workspace-local".

Path-escape guard (resolve_path):
- User-authored `path = "..."` and `replace = { path = "..." }`:
  reject absolute paths up front; reject any post-canonicalize
  result that doesn't start with workspace_root.
- Internal vendor / OCI cache paths keep working (PathOrigin enum
  splits the two callers).

AKUA_REJECT_REPLACE:
- ResolverOptions.reject_replace; new ChartResolveError::ReplaceRejected.
- chart_resolver::replace_rejected_from_env reads `AKUA_REJECT_REPLACE`
  (any non-empty value but "0").
- verbs/render.rs ORs ctx.agent.detected into the flag — agent context
  auto-enables the gate so CI / container / agent invocations refuse
  to honor publisher-supplied `replace` directives.
- verbs/add.rs and verbs/vendor.rs honor the env var (they don't get
  ctx; manual opt-in only).

Tests: 5 new unit cases covering absolute rejection, parent-escape,
replace-rejected-by-opt, env-var parsing. End-to-end: a fixture with
`replace = { path = "..." }` rendered under Claude Code's agent
context now fails with structured E_CHART_RESOLVE
"`replace` directive rejected".

312 + 191 tests green.

Companion to bc6c853 (CLAUDE.md invariant). Items #3 (publish strips
replace), #4 (hash_dir size cap), #5 (security-model.md section)
remain on the roadmap.
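The path-escape guard the commit above describes, written out as an added example in Rust (this is not the project's own code): user-authored paths are rejected if absolute, then canonicalized and checked against the canonicalized workspace root, while internal cache paths bypass the containment check. `resolve_path` and `PathOrigin` are the names the commit uses; `PathError` and its variants are assumed.

```rust
// Added illustration of a workspace-local path guard; not akua's code.
// `PathError` is an assumed error type for this example.
use std::io;
use std::path::{Path, PathBuf};

/// Who supplied the path: a chart author (untrusted) or the tool's own
/// vendor / OCI cache (trusted, may legitimately live outside the workspace).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum PathOrigin {
    UserAuthored,
    Internal,
}

#[derive(Debug)]
pub enum PathError {
    Absolute(PathBuf),
    EscapesWorkspace(PathBuf),
    Io(io::Error),
}

/// Resolve `requested` relative to `workspace_root`.
/// User-authored paths must be relative and must end up inside the workspace
/// after symlinks and `..` components are resolved.
pub fn resolve_path(
    workspace_root: &Path,
    requested: &Path,
    origin: PathOrigin,
) -> Result<PathBuf, PathError> {
    if origin == PathOrigin::Internal {
        // Internal callers are trusted; no containment check.
        return Ok(requested.to_path_buf());
    }
    // Reject absolute paths before touching the filesystem at all.
    if requested.is_absolute() {
        return Err(PathError::Absolute(requested.to_path_buf()));
    }
    // Canonicalize BOTH sides: a prefix check against a non-canonical root
    // (e.g. a symlinked temp dir) would otherwise give false rejections or
    // false passes. The path must exist for canonicalize to succeed.
    let root = workspace_root.canonicalize().map_err(PathError::Io)?;
    let resolved = root.join(requested).canonicalize().map_err(PathError::Io)?;
    if !resolved.starts_with(&root) {
        return Err(PathError::EscapesWorkspace(resolved));
    }
    Ok(resolved)
}
```

Note that a plain string prefix check on the un-canonicalized join would accept `charts/../../outside`; canonicalizing first is what makes the `starts_with` meaningful.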
@cnap-tech-renovate cnap-tech-renovate Bot (author) commented

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

robinbraemer added a commit that referenced this pull request May 29, 2026
… reject scheme downgrade

Harden the OCI/Helm/git fetch paths against malicious registries and
poisoned environments:

- oci_transport: char-boundary-safe error-body truncation (was a byte
  slice that panicked when a multibyte char straddled byte 300); cap
  response bodies via a streamed counting reader with early
  Content-Length reject; new ResponseTooLarge + BodyRead error variants.
  Manifests capped at 32 MiB, blobs at 1 GiB.
- oci_fetcher: reject before download when the manifest declares an
  oversize layer; cap decompressed tar output at 2 GiB via CappedReader
  (the verified digest covers compressed bytes only — a small
  valid-digest gzip could otherwise fill the disk).
- helm_repo_fetcher: same body + decompression caps; reject an http://
  tarball URL served by an index fetched over https:// (scheme-downgrade
  guard).
- git_fetcher: pin ssl_verify=true on every gix connection via
  set_transport_options so ambient GIT_SSL_NO_VERIFY can't disable cert
  validation on the first (pre-pin) clone; defense-in-depth single-
  normal-component guard on tree-entry names before dest.join.

Finding #5 was fixed in code (force_tls_verification), not merely
documented — gix exposes per-connection transport options that win over
the env-derived config.
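The body-size cap the commit above describes, as an added example in Rust that is not the project's own code: an early reject on a declared Content-Length above the cap, plus a streaming counting reader that fails once more bytes have come out than the cap allows. Because it counts output bytes, the same wrapper bounds a decompressor's output, which is the case the commit calls out (the digest covers only the compressed bytes). `CappedReader` is the name the commit uses; `check_declared_length` and `read_capped` are assumed helper names.

```rust
// Added illustration of a streamed size cap; not akua's code.
use std::io::{self, Read};

/// Wraps any `Read` and errors once more than `cap` bytes have been produced.
/// Counting on the way OUT means it also bounds decompressed tar output when
/// wrapped around a gzip decoder, not just raw network bytes.
pub struct CappedReader<R: Read> {
    inner: R,
    cap: u64,
    seen: u64,
}

impl<R: Read> CappedReader<R> {
    pub fn new(inner: R, cap: u64) -> Self {
        CappedReader { inner, cap, seen: 0 }
    }
}

impl<R: Read> Read for CappedReader<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = self.inner.read(buf)?;
        self.seen += n as u64;
        if self.seen > self.cap {
            let msg = format!("body exceeded cap of {} bytes", self.cap);
            return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
        }
        Ok(n)
    }
}

/// Early reject: refuse before reading a single body byte when the server
/// declares a Content-Length above the cap. A missing or understated header
/// is still caught by the streaming counter.
pub fn check_declared_length(content_length: Option<u64>, cap: u64) -> io::Result<()> {
    match content_length {
        Some(len) if len > cap => {
            let msg = format!("declared length {len} exceeds cap {cap}");
            Err(io::Error::new(io::ErrorKind::InvalidData, msg))
        }
        _ => Ok(()),
    }
}

/// Read an entire body under `cap`; memory use is bounded by cap plus one
/// read buffer, whatever the peer sends.
pub fn read_capped<R: Read>(body: R, content_length: Option<u64>, cap: u64) -> io::Result<Vec<u8>> {
    check_declared_length(content_length, cap)?;
    let mut out = Vec::new();
    CappedReader::new(body, cap).read_to_end(&mut out)?;
    Ok(out)
}
```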