chore: update step-security/harden-runner action to v2.8.0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -9,20 +9,37 @@ on:
   schedule:
     - cron: '0 13 * * 6'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
 
     steps:
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+
     - name: Checkout repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      with:
+        persist-credentials: false
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
       with:
-        languages: 'javascript'
+        languages: javascript-typescript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: .github/codeql/codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+

.github/workflows/continuous-integration.yml

@@ -31,7 +31,7 @@ jobs:
       fail-fast: false
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
           disable-sudo: true
@@ -41,11 +41,11 @@ jobs:
             github.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
@@ -59,7 +59,7 @@ jobs:
     name: Code Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -68,11 +68,11 @@ jobs:
             github.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
       - name: Use Node.js 20
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 20
           cache: 'npm'
@@ -89,19 +89,19 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             github.com:443
             registry.npmjs.org:443
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
           persist-credentials: false
       - name: Use Node.js 20
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 20
           cache: npm
@@ -125,18 +125,18 @@ jobs:
     name: Lockfile Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             github.com:443
             registry.npmjs.org:443
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
       - name: Use Node.js 20
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 20
           cache: npm

.github/workflows/scorecards.yml

@@ -16,8 +16,6 @@ on:
     - cron: '30 6 * * 5'
   push:
     branches: [master]
-  # Added for testing the workflow, as PR triggers are currently not supported by the OSSF Scorecard Action.
-  workflow_dispatch: {}
 
 # Declare default permissions as read only.
 # permissions: read-all
@@ -34,16 +32,26 @@ jobs:
       id-token: write
 
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+      - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -58,13 +66,13 @@ jobs:
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: OSSF Scorecard SARIF file
           path: results.sarif
           retention-days: 90
 
       # Upload the results to GitHub's code scanning dashboard.
-      - uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+      - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           sarif_file: results.sarif

CHANGES.md

@@ -1,8 +1,72 @@
-2023-11-13, Version 5.0.3
+2024-02-12, Version 5.0.7
 =========================
 
  * chore: lock file maintenance (renovate[bot])
 
+ * chore: update dependency lockfile-lint to ^4.13.1 (renovate[bot])
+
+ * chore: update dependency lockfile-lint to ^4.13.0 (renovate[bot])
+
+ * chore: update dependency mocha to ^10.3.0 (renovate[bot])
+
+ * chore: update actions/setup-node action to v4.0.2 (renovate[bot])
+
+ * chore: update step-security/harden-runner action to v2.7.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3.24.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3.23.2 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.6.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3.23.1 (renovate[bot])
+
+ * chore: update dependency supertest to ^6.3.4 (renovate[bot])
+
+ * chore: update dependency chai to ^4.4.1 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.23.0 (renovate[bot])
+
+ * chore: update dependency chai to ^4.4.0 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.4.4 (renovate[bot])
+
+ * chore: update dependency eslint to ^8.56.0 (renovate[bot])
+
+ * chore: update actions/setup-node action to v4.0.1 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.12 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.10 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.9 (renovate[bot])
+
+ * chore: update step-security/harden-runner action to v2.6.1 (renovate[bot])
+
+ * chore: add badges (Rifa Achrinza)
+
+ * ci: further harden workflows (Rifa Achrinza)
+
+ * ci: fix Scorecard issues (Rifa Achrinza)
+
+ * chore: update dependency eslint to ^8.55.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.8 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.4.3 (renovate[bot])
+
+ * chore: update dependency eslint to ^8.54.0 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.4.2 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.7 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.6 (renovate[bot])
+
+ * chore: update commitlint monorepo (renovate[bot])
+
  * fix(cve-2023-29827): replace EJS with Handlebars to resolve security warning (KalleV)
 
  * ci: align CI configuration (Rifa Achrinza)

README.md

@@ -1,5 +1,10 @@
 # strong-error-handler
 
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8058/badge)](https://www.bestpractices.dev/projects/8058)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/loopbackio/strong-error-handler/badge)](https://securityscorecards.dev/viewer/?uri=github.com/loopbackio/strong-error-handler)
+[![Continuous Integration](https://github.com/loopbackio/strong-error-handler/actions/workflows/continuous-integration.yml/badge.svg)](https://github.com/loopbackio/strong-error-handler/actions/workflows/continuous-integration.yml)
+[![CodeQL](https://github.com/loopbackio/strong-error-handler/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/loopbackio/strong-error-handler/actions/workflows/codeql-analysis.yml)
+
 This package is an error handler for use in both development (debug) and production environments.
 
 In production mode, `strong-error-handler` omits details from error responses to prevent leaking sensitive information:

package.json

@@ -2,7 +2,7 @@
   "name": "strong-error-handler",
   "description": "Error handler for use in development and production environments.",
   "license": "MIT",
-  "version": "5.0.3",
+  "version": "5.0.7",
   "engines": {
     "node": ">=16"
   },
@@ -21,21 +21,21 @@
     "debug": "^4.3.4",
     "fast-safe-stringify": "^2.1.1",
     "handlebars": "^4.7.8",
-    "http-status": "^1.7.3",
+    "http-status": "^1.7.4",
     "js2xmlparser": "^5.0.0",
     "strong-globalize": "^6.0.6"
   },
   "devDependencies": {
-    "@commitlint/cli": "^18.2.0",
+    "@commitlint/cli": "^19.3.0",
-    "@commitlint/config-conventional": "^18.1.0",
+    "@commitlint/config-conventional": "^19.2.2",
     "@types/express": "^4.17.21",
-    "chai": "^4.3.10",
+    "chai": "^5.1.1",
-    "eslint": "^8.53.0",
+    "eslint": "^8.57.0",
     "eslint-config-loopback": "^13.1.0",
-    "express": "^4.18.2",
+    "express": "^4.19.2",
-    "lockfile-lint": "^4.12.1",
+    "lockfile-lint": "^4.13.2",
-    "mocha": "^10.2.0",
+    "mocha": "^10.4.0",
-    "supertest": "^6.3.3"
+    "supertest": "^7.0.0"
   },
   "browser": {
     "strong-error-handler": false

test/handler.test.mjs

@@ -5,13 +5,15 @@
 
 'use strict';
 
-const cloneAllProperties = require('../lib/clone.js');
+import cloneAllProperties from '../lib/clone.js';
-const debug = require('debug')('test');
+import debugFactory from 'debug';
-const expect = require('chai').expect;
+import express from 'express';
-const express = require('express');
+import strongErrorHandler from '../lib/handler.js';
-const strongErrorHandler = require('..');
+import supertest from 'supertest';
-const supertest = require('supertest');
+import util from 'node:util';
-const util = require('util');
+import {expect} from 'chai';
+
+const debug = debugFactory('test');
 
 describe('strong-error-handler', function() {
   before(setupHttpServerAndClient);
@@ -137,8 +139,7 @@ describe('strong-error-handler', function() {
         // the error name & message
         expect(msg).to.contain('TypeError: ERROR-NAME');
         // the stack
-        expect(msg).to.contain(__filename);
+        expect(msg).to.contain(import.meta.url);
-
         done();
       });
     });
@@ -161,7 +162,7 @@ describe('strong-error-handler', function() {
         expect(msg).to.contain('TypeError: ERR1');
         expect(msg).to.contain('Error: ERR2');
         // verify that stacks are included too
-        expect(msg).to.contain(__filename);
+        expect(msg).to.contain(import.meta.url);
 
         done();
       });