diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 40c299561ae..8c1041d7456 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: build_core: name: Core diff --git a/.github/workflows/create-production-pr.yml b/.github/workflows/create-production-pr.yml index adf731fa83f..0f9f728f57f 100644 --- a/.github/workflows/create-production-pr.yml +++ b/.github/workflows/create-production-pr.yml @@ -27,6 +27,9 @@ jobs: create-stencil-release-pull-request: name: Generate Stencil Release PR runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: # Log the input from GitHub Actions for easy traceability - name: Log GitHub Input diff --git a/.github/workflows/lint-and-format.yml b/.github/workflows/lint-and-format.yml index eb06eedbf65..299f384e976 100644 --- a/.github/workflows/lint-and-format.yml +++ b/.github/workflows/lint-and-format.yml @@ -6,6 +6,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: format: name: Check diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8ffff260655..939712874a6 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -14,6 +14,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build_core: name: Build diff --git a/.github/workflows/release-dev.yml b/.github/workflows/release-dev.yml index db8847d63ce..d3d466932cf 100644 --- a/.github/workflows/release-dev.yml +++ b/.github/workflows/release-dev.yml 
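Review bot: In `.github/workflows/create-production-pr.yml` the write scopes are granted at job level, but unlike the other workflows in this change no workflow-level `permissions:` block is added, so any job added to this file later falls back to the repository's default token permissions. A top-level `permissions: {}` (or `contents: read`) would make the file deny-by-default and keep `contents: write` and `pull-requests: write` confined to `create-stencil-release-pull-request`. Whether the file already holds other jobs is not visible in this hunk.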
@@ -10,6 +10,9 @@ on: description: The version that was just published to npm. value: ${{ jobs.get-dev-version.outputs.dev-version }} +permissions: + contents: read + jobs: build_core: name: Build @@ -57,6 +60,7 @@ jobs: needs: [get-dev-version, build_core] runs-on: ubuntu-22.04 permissions: + contents: read id-token: write steps: - name: Checkout Code diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 01d56da2d08..900eeee4ea6 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -9,6 +9,9 @@ on: workflow_dispatch: # Allow this workflow to be run on-demand +permissions: + contents: read + jobs: build_core: name: Build @@ -59,6 +62,7 @@ jobs: needs: [get-nightly-version, build_core] runs-on: ubuntu-22.04 permissions: + contents: read id-token: write steps: - name: Checkout Code diff --git a/.github/workflows/test-analysis.yml b/.github/workflows/test-analysis.yml index c00ef7dc99f..49b903365ef 100644 --- a/.github/workflows/test-analysis.yml +++ b/.github/workflows/test-analysis.yml @@ -5,6 +5,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: analysis_test: name: (${{ matrix.os }}.${{ matrix.node }}) diff --git a/.github/workflows/test-bundlers.yml b/.github/workflows/test-bundlers.yml index b72a4d73e0b..3a80a6cbd30 100644 --- a/.github/workflows/test-bundlers.yml +++ b/.github/workflows/test-bundlers.yml @@ -5,6 +5,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: bundler_tests: name: Verify Bundlers diff --git a/.github/workflows/test-component-starter.yml b/.github/workflows/test-component-starter.yml index 24ea5e98316..2747d952474 100644 --- a/.github/workflows/test-component-starter.yml +++ b/.github/workflows/test-component-starter.yml 
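Review bot: In the second hunk of `.github/workflows/release-dev.yml` (and the matching one in `release-nightly.yml`) nothing records why `contents: read` is repeated next to `id-token: write`, so it is easy to delete later as a duplicate of the new workflow-level block. A job-level `permissions:` map replaces the workflow default and leaves every unlisted scope at `none`, so the checkout step in this job depends on that line. A comment such as `# job-level permissions replace the workflow default; contents: read is needed for checkout` would protect it. A second comment saying what `id-token: write` is used for would let a reviewer confirm that the OIDC token scope is still required.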
@@ -5,6 +5,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: analysis_test: name: (${{ matrix.os }}.node-${{ matrix.node }}.jest-${{ matrix.jest }}) diff --git a/.github/workflows/test-copytask.yml b/.github/workflows/test-copytask.yml index 2f2b6ea7783..9ee47f28eb8 100644 --- a/.github/workflows/test-copytask.yml +++ b/.github/workflows/test-copytask.yml @@ -5,13 +5,16 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: bundler_tests: name: Verify Copy Task runs-on: 'ubuntu-22.04' steps: - name: Checkout Code - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Get Core Dependencies uses: ./.github/workflows/actions/get-core-dependencies diff --git a/.github/workflows/test-docs-build.yml b/.github/workflows/test-docs-build.yml index 6c43d221080..07c329d4e93 100644 --- a/.github/workflows/test-docs-build.yml +++ b/.github/workflows/test-docs-build.yml @@ -5,13 +5,16 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: docs_build_test: name: (${{ matrix.os }}.${{ matrix.node }}) strategy: fail-fast: false matrix: - node: ['16', '18', '20', '22'] + node: ['18', '20', '22'] os: ['ubuntu-latest', 'windows-latest'] runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index f305f838915..de697324138 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml 
@@ -5,6 +5,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: e2e_test: name: (${{ matrix.os }}.${{ matrix.node }}) diff --git a/.github/workflows/test-types.yml b/.github/workflows/test-types.yml index 635debfd770..a8a6cfd1989 100644 --- a/.github/workflows/test-types.yml +++ b/.github/workflows/test-types.yml @@ -5,11 +5,16 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: unit_test: name: Type Tests strategy: fail-fast: false + matrix: + node: ['18', '20', '22'] runs-on: ubuntu-latest steps: - name: Checkout Code diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml index 95214cf54af..7c4090329b4 100644 --- a/.github/workflows/test-unit.yml +++ b/.github/workflows/test-unit.yml @@ -5,13 +5,16 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: unit_test: name: (${{ matrix.os }}.${{ matrix.node }}) strategy: fail-fast: false matrix: - node: ['16', '18', '20', '22'] + node: ['18', '20', '22'] os: ['ubuntu-latest', 'windows-latest'] runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/test-wdio.yml b/.github/workflows/test-wdio.yml index d433f161b95..c17bdb7f16f 100644 --- a/.github/workflows/test-wdio.yml +++ b/.github/workflows/test-wdio.yml @@ -5,6 +5,9 @@ on: # Make this a reusable workflow, no value needed # https://docs.github.com/en/actions/using-workflows/reusing-workflows +permissions: + contents: read + jobs: wdio_test: name: Run WebdriverIO Component Tests (${{ matrix.browser }}) diff --git a/renovate.json5 b/renovate.json5 deleted file mode 100644 index 64beb8158be..00000000000 --- a/renovate.json5 +++ /dev/null 
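Review bot: In `.github/workflows/test-types.yml` the new `matrix.node` axis is not reflected in the job's `name: Type Tests`, and the hunk shows no step reading `${{ matrix.node }}`; the steps continue outside the hunk. If the Node setup step still uses a fixed version, the three legs run the same toolchain and the matrix only triples the run time. The sibling workflows in this change put the axis in the job name, so `name: Type Tests (node-${{ matrix.node }})` plus passing `matrix.node` to the Node setup step would make the legs distinguishable and meaningful.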
@@ -1,172 +0,0 @@ -{ - $schema: 'https://docs.renovatebot.com/renovate-schema.json', - /** - * Documentation: https://docs.renovatebot.com/configuration-options - * - * This configuration file can be locally validated: - * 1. `npm i -g renovate` will install the validator - * 2. `renovate-config-validator` will run the validator - */ - dependencyDashboard: true, - ignoreDeps: [ - // TODO(STENCIL-596): Remove once rollup upgrade is unblocked - 'rollup', - '@rollup/plugin-commonjs', - '@rollup/plugin-node-resolve', - ], - ignorePaths: [ - 'test/package.json', - 'test/browser-compile', - 'test/end-to-end', - 'test/hello-vdom', - 'test/hello-world', - 'test/ionic-app', - 'test/jest-spec-runner', - 'test/performance', - 'test/prerender-shadow', - 'test/style-modes', - 'test/todo-app', - ], - /** - * Apply these labels to every PR - */ - labels: ['dependencies'], - /** - * The minimum age (in days) for updates that have a release timestamp header to be PR'ed. - * This will not batch releases together - if package A gets a release on Monday, Tuesday and Wednesday and has a - * `minimumReleaseAge: 3` and runs every day, then a PR will be created on: - * - Thursday (for Monday's release) - * - Friday (for Tuesday's release) - * - Saturday (for Wednesday's release) - * - * This setting is to prevent a compromised package from being merged into Stencil in the first three days of its - * release date - * - * A value of 3 days was chosen as npm packages younger than 72 hours old can be unpublished. This prevents merging - * support for a package that could be removed from the registry. - */ - minimumReleaseAge: '3 days', - /** - * Note: Renovate will evaluate all packageRules and not stop once it gets a first match. 
- */ - packageRules: [ - { - matchPackageNames: ['@types/node'], - allowedVersions: '<23.0.0', - }, - { - // Increment this value as a part of updating TypeScript - matchPackageNames: ['typescript'], - allowedVersions: '<5.6.0', - commitMessagePrefix: "feat(typescript):" - }, - { - // disable Jest updates until the new testing architecture is in place - matchPackageNames: ['@types/jest', 'jest', 'jest-cli', 'jest-environment-node'], - groupName: 'Jest', - allowedVersions: '<28.0.0', - }, - { - // TODO(STENCIL-1274): Remove this block - // disable eslint v9 updates until typescript-eslint supports it - matchPackageNames: ['eslint'], - allowedVersions: '<9.0.0', - }, - { - // TODO(STENCIL-1274): Remove this block - // disable Eslint plugin updates until we have updated Eslint to v9 - matchPackageNames: ['@typescript-eslint/eslint-plugin', '@typescript-eslint/parser'], - allowedVersions: '<8.0.0', - }, - { - matchPackagePrefixes: ['@typescript-eslint'], - groupName: 'TypeScript-ESLint', - // these packages can be released often, let's look at them every week - // Note: Timezone for the schedule is specified as UTC - schedule: ["before 11am on monday"] - }, - { - // group these two, as they may rely on one another during major version bumps (see #5191) - matchPackageNames: ['actions/download-artifact', 'actions/upload-artifact'], - groupName: 'Download + Upload Artifacts', - }, - { - matchPackageNames: ['eslint-plugin-jsdoc'], - // this package can be released often, let's look at it every week - // Note: Timezone for the schedule is specified as UTC - schedule: ["before 11am on monday"] - }, - { - "matchFileNames": ["src/testing/jest/jest-27-and-under/package.json"], - matchPackageNames: ['@types/jest', 'jest'], - allowedVersions: '<=27' - }, - { - "matchFileNames": ["src/testing/jest/jest-28/package.json"], - matchPackageNames: ['@types/jest', 'jest'], - allowedVersions: '<=28' - }, - { - "matchFileNames": ["src/testing/jest/jest-29/package.json"], - 
matchPackageNames: ['@types/jest', 'jest'], - allowedVersions: '<=29' - }, - { - // We intentionally run the WebdriverIO tests against the oldest LTS of Node we support. - // Prevent renovate from trying to bump node - matchFileNames: ['test/wdio/package.json'], - matchDepNames: ['node'], - allowedVersions: '<=16' - }, - { - // We intentionally run the WebdriverIO tests against the oldest LTS of Node we support. - // Prevent renovate from trying to bump node - matchFileNames: ['test/wdio/package.json'], - matchPackageNames: ['@types/node'], - allowedVersions: '<=16' - }, - { - // We intentionally run the WebdriverIO tests against the oldest LTS of Node we support. - // Prevent renovate from trying to bump npm and keep it in sync with a version that's supported by the version of - // Node we run against. - matchFileNames: ['test/wdio/package.json'], - matchDepNames: ['npm'], - allowedVersions: '<=8' - }, - { - matchPackageNames: ['rollup'], - matchPackagePrefixes: ['@rollup'], - groupName: 'rollup,' - }, - { - matchPackageNames: ['expect-webdriverio'], - matchPackagePrefixes: ['@wdio'], - groupName: 'webdriverio,' - }, - // TODO(STENCIL-1088): remove once support for Node v16 is dropped - { - matchPackageNames: ['open'], - allowedVersions: '<10', - }, - // TODO(STENCIL-1141): remove once support for Node v16 is dropped - { - matchPackageNames: ['puppeteer'], - allowedVersions: '<=21', - } - ], - // Never rebase the branch or update it unless manually requested to avoid noisy PR emails - rebaseWhen: 'never', - /** - * Cron syntax to run at midnight (UTC) on the first day of every month - * - * Note: Renovate does not support minute value granularity, so the wildcard value is necessary - */ - schedule: ["* 0 1 * *"], - /** - * Ensure semantic commits are enabled for commits + PR titles. 
- * - * By default, Angular-style semantic commits will have a type of 'chore' and a scope of 'deps': - * `chore(deps): _your git commit title here_` - */ - semanticCommits: "enabled", -} diff --git a/src/dev-server/request-handler.ts b/src/dev-server/request-handler.ts index dc8704ecb10..243434b3fbe 100644 --- a/src/dev-server/request-handler.ts +++ b/src/dev-server/request-handler.ts @@ -20,6 +20,9 @@ export function createRequestHandler(devServerConfig: d.DevServerConfig, serverC return async function (incomingReq: IncomingMessage, res: ServerResponse) { async function defaultHandler() { try { + /** + * normalize the request path and ensures it's within the root directory of the project + */ const req = normalizeHttpRequest(devServerConfig, incomingReq); if (!req.url) {
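Review bot: The comment added above `normalizeHttpRequest(devServerConfig, incomingReq)` in `src/dev-server/request-handler.ts` states a containment guarantee (the path stays within the project root) that nothing in this hunk enforces or lets a reader verify; the only check visible afterwards is `if (!req.url)`. That property is what keeps a dev-server request from reading files outside the served directory, so the comment should say where the check lives and how a rejected path is signalled, e.g. `// normalizeHttpRequest resolves the path and rejects anything outside the root dir; a rejected request has no req.url`, if that is indeed how it behaves. The wording also mixes "normalize" with "ensures", and a `/** */` doc block on a statement reads better as a line comment. `defaultHandler` continues past the end of the hunk.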