chore(deps): update dependency semver to v7.6.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semver	7.5.3 -> 7.6.3

---

Release Notes

npm/node-semver (semver)

v7.6.3

Compare Source

Bug Fixes

• 73a3d79 #​726 optimize Range parsing and formatting (#​726) (@​jviide)

Documentation

• 2975ece #​719 fix extra backtick typo (#​719) (@​stdavis)

v7.6.2

Compare Source

Bug Fixes

• 6466ba9 #​713 lru: use map.delete() directly (#​713) (@​negezor, @​lukekarrys)

v7.6.1

Compare Source

Bug Fixes

• c570a34 #​704 linting: no-unused-vars (@​wraithgar)
• ad8ff11 #​704 use internal cache implementation (@​mbtools)
• ac9b357 #​682 typo in compareBuild debug message (#​682) (@​mbtools)

Dependencies

• 988a8de #​709 uninstall lru-cache (#​709)
• 3fabe4d #​704 remove lru-cache

Chores

• dd09b60 #​705 bump @​npmcli/template-oss to 4.22.0 (@​lukekarrys)
• ec49cdc #​701 chore: chore: postinstall for dependabot template-oss PR (@​lukekarrys)
• b236c3d #​696 add benchmarks (#​696) (@​H4ad)
• 692451b #​688 various improvements to README (#​688) (@​mbtools)
• 5feeb7f #​705 postinstall for dependabot template-oss PR (@​lukekarrys)
• 074156f #​701 bump @​npmcli/template-oss from 4.21.3 to 4.21.4 (@​dependabot[bot])

v7.6.0

Compare Source

Features

• a7ab13a #​671 preserve pre-release and build parts of a version on coerce (#​671) (@​madtisa, madtisa, @​wraithgar)

Chores

• 816c7b2 #​667 postinstall for dependabot template-oss PR (@​lukekarrys)
• 0bd24d9 #​667 bump @​npmcli/template-oss from 4.21.1 to 4.21.3 (@​dependabot[bot])
• e521932 #​652 postinstall for dependabot template-oss PR (@​lukekarrys)
• 8873991 #​652 chore: chore: postinstall for dependabot template-oss PR (@​lukekarrys)
• f317dc8 #​652 bump @​npmcli/template-oss from 4.19.0 to 4.21.0 (@​dependabot[bot])
• 7303db1 #​658 add clean() test for build metadata (#​658) (@​jethrodaniel)
• 6240d75 #​656 add missing quotes in README.md (#​656) (@​zyxkad)
• 14d263f #​625 postinstall for dependabot template-oss PR (@​lukekarrys)
• 7c34e1a #​625 bump @​npmcli/template-oss from 4.18.1 to 4.19.0 (@​dependabot[bot])
• 123e0b0 #​622 postinstall for dependabot template-oss PR (@​lukekarrys)
• 737d5e1 #​622 bump @​npmcli/template-oss from 4.18.0 to 4.18.1 (@​dependabot[bot])
• cce6180 #​598 postinstall for dependabot template-oss PR (@​lukekarrys)
• b914a3d #​598 bump @​npmcli/template-oss from 4.17.0 to 4.18.0 (@​dependabot[bot])

v7.5.4

Compare Source

Bug Fixes

• cc6fde2 #​588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #​583 correctly parse long build ids as valid (#​583) (@​lukekarrys)

---

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

[puLL-Merge] - npm/[email protected]

Description

This PR introduces a series of changes aiming at improving the code quality, security, and maintainability of the node-semver package. The modifications range from enhancing ESLint configurations, adding GitHub Actions for checking and installing npm, modifying the dependabot configuration to handle more systematic updates, refining the repository settings, particularly around pull request handling and branch protections, and updating workflows to use newer node versions and improve CI/CD processes.

Changes

Changes

.eslintrc.js

• Added ignorePatterns to exclude 'tap-testdir*' directories from linting processes.

.github/actions/create-check/action.yml (New File)

• Implements a new GitHub Action for creating checks, especially useful for CI/CD pipelines.

.github/actions/install-latest-npm/action.yml (New File)

• Added a new GitHub action for installing the latest compatible version of npm according to the Node version in use.

.github/dependabot.yml

• Adjustments to dependabot configuration to specify target-branch for updates and extend the scope to additional branches ('release/v5', 'release/v6') with specific rules for each.

.github/settings.yml

• Introduced more granular branch protection rules and restrictions, including requirements for pull request reviews, code owner reviews, and branch creation blocking for main, release/v5, and release/v6 branches.

GitHub Workflows (.github/workflows/*.yml)

• Significant updates across various workflows (audit.yml, ci-release.yml, ci.yml, codeql-analysis.yml, post-dependabot.yml, pull-request.yml, release-integration.yml, release.yml):
  • Upgraded Node versions to 20.x in several workflows.
  • Streamlined the use of newly introduced GitHub actions, like install-latest-npm.
  • Adjusted to new approaches for creating checks and handling PR comments.
  • Introduced 'release-integration.yml' as a new workflow for handling release integrations.

.gitignore

• Added rule to ignore 'tap-testdir*' directories.
• Added exclusion for 'tsconfig.json'.

.release-please-manifest.json

• Version bump to "7.6.0".

CHANGELOG.md

• Documented changes for the new version.

README.md

• Updates to documentation reflecting new coercing behavior for pre-release and build parts of versions.

JavaScript Files (*.js in various directories)

• Various code adjustments and improvements to match the updated configurations and workflows.
  • This includes changes to regex patterns, SemVer parsing logic, coercing functions, test cases, and others, which reflect enhanced functionality or code quality improvements.

Security Hotspots

1. GitHub Actions Security: The inclusion of new GitHub Actions scripts (create-check, install-latest-npm) opens potential vectors for security concerns if the actions are not properly secured, especially regarding the use of secrets.
   Risk: Medium
   Files:

   • .github/actions/create-check/action.yml
   • .github/actions/install-latest-npm/action.yml

2. Dependabot Configuration: Extensive changes to the dependabot configuration may inadvertently introduce security issues if dependency updates are not properly vetted or if automatic PR merging is enabled without human review.
   Risk: Low
   File: .github/dependabot.yml

3. External GitHub Action Usage: The workflows use external GitHub actions (LouisBrunner/[email protected], actions/github-script@v6). While common, reliance on third-party actions carries inherent risk if those actions become compromised.
   Risk: Medium
   Example Files:

   • .github/workflows/audit.yml
   • .github/workflows/ci-release.yml

4. Privilege Escalation via Workflow Misconfigurations: The new or modified GitHub workflows should be carefully reviewed to ensure they do not inadvertently provide escalated privileges to GitHub actions, particularly through the misuse of GitHub secrets or the execution environment.
   Risk: Medium
   Example File: .github/workflows/release-integration.yml

Review of these areas is recommended to ensure they adhere to best security practices and do not introduce unintended vulnerabilities into the project.

[github-actions]

[puLL-Merge] - npm/[email protected]

Description

This PR updates the semver package to version 7.6.1. It includes bug fixes, dependency updates, and chore updates.

Changes

Changes

• .commitlintrc.js: Updates commitlint rules to be less strict on subject case and body line length.
• .eslintrc.js: Adds tap-testdir*/ to ignorePatterns.
• .github/actions/create-check/action.yml: Adds a new GitHub action to create checks.
• .github/actions/install-latest-npm/action.yml: Adds a new GitHub action to install the latest compatible npm version.
• .github/dependabot.yml: Configures Dependabot to target release/* branches and limit open PRs.
• .github/settings.yml: Updates branch protections and required reviews.
• .github/workflows/: Updates all workflows to use the new GitHub actions, test on more Node versions and macOS 13. Adds release-integration.yml.
• .gitignore: Adds tap-testdir*/ and /benchmarks.
• CHANGELOG.md: Adds entries for 7.6.1, 7.6.0 and 7.5.4 releases.
• README.md: Various improvements and updates.
• benchmarks/: Adds benchmark scripts.
• bin/semver.js: Refactors semver CLI to be more efficient.
• internal/re.js: Adds support for long build IDs.
• package.json: Bumps version to 7.6.1, updates dependencies, refines npm scripts.
• release-please-config.json: Configures Release Please bot.
• Multiple test files: Adds new tests, makes some existing tests stricter.

Security Hotspots

None found. The changes look safe and do not introduce any obvious security vulnerabilities.

Overall this is a solid maintenance release with useful improvements and fixes. The new features like supporting prerelease/build parts in coerce are well tested. Adding benchmark scripts is a nice enhancement too.

Let me know if you have any other questions! The PR looks good to merge from my review.

[github-actions]

[puLL-Merge] - npm/[email protected]

Description

This PR updates the semver library to version 7.6.2. The main changes include:

• Fixing various bugs related to comparisons, parsing, and the lru-cache dependency
• Adding new benchmarking tests
• Upgrading dependencies like @npmcli/template-oss
• Improving documentation in the README
• Preserving prerelease and build parts when using coerce() with the includePrerelease option

The motivation appears to be fixing bugs, improving performance, and adding some new functionality while keeping the library up-to-date.

Changes

Changes

• .commitlintrc.js: Relaxed some commitlint rules around subject case and body line length
• .eslintrc.js: Added tap-testdir*/ to ignored patterns
• .github/:
  • Added new reusable workflow for creating checks
  • Added new reusable workflow for installing latest compatible npm version
  • Updated dependabot config to support older release branches
  • Other workflow updates and improvements
• .gitignore: Added tap-testdir*/ to ignored paths
• README.md: Various documentation improvements and updates
• benchmarks/: Added new benchmark tests for comparing, parsing, satisfying versions
• bin/semver.js: Refactored success function logic directly into main
• classes/range.js: Switched to use internal LRUCache, call trim() on ranges
• classes/semver.js: Removed test for invalid version numbers
• functions/coerce.js: Support includePrerelease option to preserve prerelease and build parts
• internal/: Added custom LRUCache implementation, removed lru-cache dependency
• package.json: Version bump to 7.6.2, removed lru-cache dependency
• test/: Various test additions and updates

Security Hotspots

None found. The changes appear to be safe bug fixes, refactorings and enhancements. Switching to a custom LRUCache implementation removes a third-party dependency.

Let me know if you have any other questions!

[github-actions]

[puLL-Merge] - npm/[email protected]

Description

This PR updates the node-semver package with several improvements and changes across multiple files. The changes include performance optimizations, new features, bug fixes, and updates to the project configuration.

Changes

Changes

1. .commitlintrc.js:

   • Simplified subject-case rule
   • Added body-max-line-length rule

2. .eslintrc.js:

   • Added ignore pattern for tap-testdir

3. .github/actions/:

   • Added new GitHub Actions for creating checks and installing the latest npm version

4. .github/dependabot.yml:

   • Updated configuration for dependency management

5. .github/settings.yml:

   • Updated branch protection rules

6. .github/workflows/:

   • Updated CI, release, and audit workflows

7. .gitignore:

   • Added exclusion for tap-testdir and included benchmarks directory

8. CHANGELOG.md:

   • Updated with new versions and changes

9. README.md:

   • Improved documentation and examples

10. benchmarks/:

    • Added new benchmark files for various functions

11. bin/semver.js:

    • Refactored main function for better performance

12. classes/range.js:

    • Optimized Range parsing and formatting

13. classes/semver.js:

    • Minor updates to debug messages

14. functions/coerce.js:

    • Enhanced coercion functionality

15. internal/lrucache.js:

    • Implemented a custom LRU cache

16. internal/re.js:

    • Updated regular expressions for version parsing

17. package.json:

    • Updated version to 7.6.3
    • Updated dependencies and dev dependencies
    • Removed lru-cache dependency

18. release-please-config.json:

    • Updated release configuration

19. test/:

    • Added and updated various test cases

Possible Issues

• The removal of the lru-cache dependency and implementation of a custom LRU cache might introduce performance differences that should be carefully monitored.

Security Hotspots

No significant security issues were identified in this PR.