Merge pull request #1732 from forcedotcom/release-4.9.0

RELEASE @W-17615470@: Conducting 4.9.0 release

Author: stephen-carter-at-sf

.github/workflows/create-release-branch.yml

@@ -58,7 +58,6 @@ jobs:
           git push --set-upstream origin $INTERIM_BRANCH_NAME
       # Update dependencies.
       - run: |
-          yarn upgrade
           node tools/UpdateRetireJsVulns.js
       # Use the GraphQL API to create a signed commit with the various changes.
       - name: Commit to interim branch
@@ -70,12 +69,11 @@ jobs:
           MESSAGE="Preparing for v$NEW_VERSION release."
           # GraphQL needs the latest versions of the files we changed, as Base64 encoded strings.
           NEW_PACKAGE="$(cat package.json | base64)"
-          NEW_YARN_LOCK="$(cat yarn.lock | base64)"
           NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)"
           gh api graphql -F message="$MESSAGE" -F oldOid=`git rev-parse HEAD` -F branch="$BRANCH" \
-          -F newPackage="$NEW_PACKAGE" -F newYarnLock="$NEW_YARN_LOCK" -F newRetireJsVulns="$NEW_RETIREJS_VULNS" \
+          -F newPackage="$NEW_PACKAGE" -F newRetireJsVulns="$NEW_RETIREJS_VULNS" \
           -f query='
-            mutation ($message: String!, $oldOid: GitObjectID!, $branch: String!, $newPackage: Base64String!, $newYarnLock: Base64String!, $newRetireJsVulns: Base64String!) {
+            mutation ($message: String!, $oldOid: GitObjectID!, $branch: String!, $newPackage: Base64String!, $newRetireJsVulns: Base64String!) {
               createCommitOnBranch(input: {
                 branch: {
                   repositoryNameWithOwner: "forcedotcom/sfdx-scanner",
@@ -89,9 +87,6 @@ jobs:
                     {
                       path: "package.json",
                       contents: $newPackage
-                    }, {
-                      path: "yarn.lock",
-                      contents: $newYarnLock
                     }, {
                       path: "retire-js/RetireJsVulns.json",
                       contents: $newRetireJsVulns

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.8.0",
+	"version": "4.9.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {
@@ -143,13 +143,13 @@
 		"prepack": "rm -rf lib && tsc -b && oclif manifest && oclif readme && oclif lock && npm shrinkwrap",
 		"postpack": "rm -f oclif.manifest.json oclif.lock npm-shrinkwrap.json",
 		"lint-typescript": "eslint ./src --ext .ts --max-warnings 0",
-		"test": "./gradlew test jacocoTestCoverageVerification && nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
-		"test-quiet": "cross-env SFGE_LOGGING=false ./gradlew test jacocoTestCoverageVerification && nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
+		"test": "./gradlew test jacocoTestCoverageVerification && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
+		"test-quiet": "cross-env SFGE_LOGGING=false ./gradlew test jacocoTestCoverageVerification && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
 		"test-cli-messaging": "./gradlew cli-messaging:test cli-messaging:jacocoTestCoverageVerification",
 		"test-pmd-cataloger": "./gradlew pmd-cataloger:test pmd-cataloger:jacocoTestCoverageVerification",
 		"test-sfge": "./gradlew sfge:test sfge:jacocoTestCoverageVerification",
 		"test-sfge-quiet": "cross-env SFGE_LOGGING=false ./gradlew sfge:test sfge:jacocoTestCoverageVerification",
-		"test-typescript": "tsc -b && nyc mocha --timeout 60000 \"./test/**/*.test.ts\"",
+		"test-typescript": "tsc -b && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 \"./test/**/*.test.ts\"",
 		"version": "oclif readme && git add README.md"
 	}
 }

pmd7/build.gradle.kts

@@ -10,7 +10,7 @@ repositories {
 }
 
 // Keep this in sync with src/Constants.ts > PMD7_VERSION
-var pmd7Version = "7.8.0"
+var pmd7Version = "7.9.0"
 
 val pmdDist7Dir = "$buildDir/../../dist/pmd7"
 
@@ -26,6 +26,18 @@ dependencies {
   implementation("net.sourceforge.pmd:pmd-xml:$pmd7Version")
 }
 
+// TEMPORARY - FOR SOME REASON WHEN UPGRADING TO PMD 7.9.0, THE TRANSITIVE DEPENDENCY:
+//    io.github.apex-dev-tools:apex-parser
+// IS GETTING PULLED IN AS 4.3.1 INSTEAD OF THE LISTED 4.3.0 AND IT SEEMS TO HAVE A BUG: A MISSING DEPENDENCY LISTED.
+// SO WE SHOULD FORCE 4.3.0 TO GET PULLED IN INSTEAD UNTIL THIS IS FIXED.
+// See https://github.com/pmd/pmd/issues/5456
+// TODO: As soon as the pmd folks fix this ^... we should remove this workaround:
+configurations.all {
+  resolutionStrategy {
+    force("io.github.apex-dev-tools:apex-parser:4.3.0")
+  }
+}
+
 tasks.register<Copy>("copyDependencies") {
   from(configurations.runtimeClasspath)
   into("$pmdDist7Dir/lib")

retire-js/RetireJsVulns.json

@@ -4957,8 +4957,7 @@
         "identifiers": {
           "summary": "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4",
           "CVE": [
-            "CVE-2022-31129",
-            "CVE-2023-22467"
+            "CVE-2022-31129"
           ],
           "githubID": "GHSA-wc69-rhjr-hc9g"
         },
@@ -6815,6 +6814,27 @@
           "https://github.com/vercel/next.js"
         ]
       },
+      {
+        "atOrAbove": "13.0.0",
+        "below": "13.5.8",
+        "cwe": [
+          "CWE-770"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+          "CVE": [
+            "CVE-2024-56332"
+          ],
+          "githubID": "GHSA-7m27-7ghc-44w9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+          "https://github.com/vercel/next.js"
+        ]
+      },
       {
         "atOrAbove": "13.4.0",
         "below": "14.1.1",
@@ -6906,6 +6926,48 @@
           "https://github.com/vercel/next.js",
           "https://github.com/vercel/next.js/releases/tag/v14.2.15"
         ]
+      },
+      {
+        "atOrAbove": "14.0.0",
+        "below": "14.2.21",
+        "cwe": [
+          "CWE-770"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+          "CVE": [
+            "CVE-2024-56332"
+          ],
+          "githubID": "GHSA-7m27-7ghc-44w9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+          "https://github.com/vercel/next.js"
+        ]
+      },
+      {
+        "atOrAbove": "15.0.0",
+        "below": "15.1.2",
+        "cwe": [
+          "CWE-770"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+          "CVE": [
+            "CVE-2024-56332"
+          ],
+          "githubID": "GHSA-7m27-7ghc-44w9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+          "https://github.com/vercel/next.js"
+        ]
       }
     ],
     "extractors": {
@@ -7867,7 +7929,6 @@
         "identifiers": {
           "summary": "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF",
           "CVE": [
-            "CVE-2024-34342",
             "CVE-2024-4367"
           ],
           "githubID": "GHSA-wgrm-67xf-hhpq"

src/Constants.ts

@@ -2,7 +2,7 @@ import os = require('os');
 import path = require('path');
 
 // Keep this in sync with <repoRoot>/pmd7/build.gradle.kts > pmd7Version
-export const PMD7_VERSION = '7.8.0';
+export const PMD7_VERSION = '7.9.0';
 
 export const PMD_APPEXCHANGE_RULES_VERSION = '0.16';