From 30e733ef1bd27f229c17b807143ac9590040ffca Mon Sep 17 00:00:00 2001 From: kirilinsky Date: Mon, 18 May 2026 20:42:16 +0200 Subject: [PATCH 1/2] feat: update ci actions, security --- .github/workflows/chromatic.yml | 3 +++ .github/workflows/ci.yml | 4 ++++ .github/workflows/codeql.yml | 3 +++ .github/workflows/osv-scanner.yml | 6 ++++-- .github/workflows/release.yml | 8 +++++--- .github/workflows/scorecard.yml | 4 +++- .github/workflows/size.yml | 3 +++ .github/workflows/storybook.yml | 5 +++-- LICENSE | 15 ++++++++++++++- SECURITY.md | 8 +++++--- package-lock.json | 10 +++++----- 11 files changed, 52 insertions(+), 17 deletions(-) diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index 68726bc..d3847c4 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -18,6 +18,9 @@ on: - "package-lock.json" workflow_dispatch: +permissions: + contents: read + # Cancel in-progress runs when new commits land on the same ref, so a # rapid sequence of pushes doesn't queue multiple snapshot uploads. concurrency: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 383b136..08e5c12 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,8 +5,12 @@ on: push: branches: [main] +permissions: + contents: read + jobs: test: + if: github.head_ref != 'changeset-release/main' runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e717d5a..f59d237 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,6 +8,9 @@ on: schedule: - cron: "0 6 * * 1" +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }}) diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 141825c..4cbb625 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml 
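Review bot: The new top-level `permissions: contents: read` in codeql.yml (hunk @@ -8,6 +8,9 @@) narrows the token for every job, but unlike the osv-scanner and release hunks no job-level `permissions:` is visible for `analyze`, and `github/codeql-action/analyze` needs `security-events: write` to upload its results; the job body lies outside this hunk, so unless it already carries its own grant, add `permissions:`, `contents: read`, `security-events: write` under `analyze:` (plus `actions: read` if the repository is private). The scorecard.yml hunk @@ -7,7 +7,9 @@ has the same shape: `read-all` becomes `actions: read` and `contents: read`, yet the `analysis` job, whose `upload-sarif` step appears in the second patch, is not shown granting `security-events: write` or the `id-token: write` that ossf/scorecard-action documents as required when results are published. size.yml and chromatic.yml follow the same pattern; it is worth confirming whether those jobs post pull-request comments, which would now need a job-level `pull-requests: write`.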
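Review bot: The new `if: github.head_ref != 'changeset-release/main'` on the `test` job in ci.yml (hunk @@ -5,8 +5,12 @@) skips the whole job for the changesets release pull request, and a job skipped by a job-level `if` is treated as satisfying a required status check, so that PR can merge to main without tests having run on its head commit. `github.head_ref` is empty on `push` events, so the guard only affects `pull_request` runs, which appears to be the intent given the visible `push: branches: [main]` trigger. If the aim is only to avoid noise on the version-bump PR, consider keeping the job running and skipping individual expensive steps instead, or at least record the exemption with `# Skip on the changesets release PR; github.head_ref is empty on push, so main builds are unaffected`. The same guard already exists in size.yml, where skipping a size report has no gating consequence.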
@@ -9,12 +9,14 @@ on: - cron: "0 6 * * 1" permissions: - actions: read contents: read - security-events: write jobs: scan: + permissions: + actions: read + contents: read + security-events: write uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de # v2.0.2 with: scan-args: |- diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d1ee028..27e9750 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,12 +8,14 @@ concurrency: group: release-${{ github.ref }} permissions: - contents: write - pull-requests: write - id-token: write + contents: read jobs: release: + permissions: + contents: write + pull-requests: write + id-token: write runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 88ae684..f40dfc1 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,7 +7,9 @@ on: push: branches: [main] -permissions: read-all +permissions: + actions: read + contents: read jobs: analysis: diff --git a/.github/workflows/size.yml b/.github/workflows/size.yml index 80369b2..8bae125 100644 --- a/.github/workflows/size.yml +++ b/.github/workflows/size.yml @@ -4,6 +4,9 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: size: if: github.head_ref != 'changeset-release/main' diff --git a/.github/workflows/storybook.yml b/.github/workflows/storybook.yml index b5d47e2..77e460e 100644 --- a/.github/workflows/storybook.yml +++ b/.github/workflows/storybook.yml @@ -7,8 +7,6 @@ on: permissions: contents: read - pages: write - id-token: write concurrency: group: pages @@ -34,6 +32,9 @@ jobs: deploy: needs: build runs-on: ubuntu-latest + permissions: + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} 
diff --git a/LICENSE b/LICENSE index fc21315..1f56784 100644 --- a/LICENSE +++ b/LICENSE @@ -2,4 +2,17 @@ MIT License Copyright (c) 2026 kirilinsky -Permission is hereby granted, free of charge, to any person obtaining a copy of this software. \ No newline at end of file +Permission is hereby granted, free of charge, to any person obtaining a copy of this software +and associated documentation files (the "Software"), to deal in the Software without restriction, +including without limitation the rights to use, copy, modify, merge, publish, distribute, +sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or +substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT +NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/SECURITY.md b/SECURITY.md index 710704b..2968ff9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -13,7 +13,9 @@ Security updates are provided for the latest stable release only. If you discover a security vulnerability, please do not open a public issue. -Please report it privately using GitHub's **Report a vulnerability** feature, if available. +Please report it privately using GitHub's **Report a vulnerability** flow: + +https://github.com/kirilinsky/dateforge-react-calendar/security/advisories/new Include: 
@@ -22,8 +24,8 @@ Include: - Affected version - Possible impact -I will try to acknowledge valid reports ASAP. +I will try to acknowledge valid reports within 7 days. -If the vulnerability is confirmed, I will work on a fix and publish a security update as soon as reasonably possible. +If the vulnerability is confirmed, I will work on a fix and publish a security update as soon as reasonably possible. I aim to coordinate public disclosure within 90 days, or sooner if a fix is available and users have had reasonable time to upgrade. Please allow reasonable time for investigation and fixing before public disclosure. diff --git a/package-lock.json b/package-lock.json index d198f36..e0ee06a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@dateforge/react-calendar", - "version": "1.5.0", + "version": "1.5.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@dateforge/react-calendar", - "version": "1.5.0", + "version": "1.5.1", "license": "MIT", "devDependencies": { "@arethetypeswrong/cli": "0.18.2", @@ -4588,9 +4588,9 @@ } }, "node_modules/brace-expansion": { - "version": "5.0.5", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", - "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", + "version": "5.0.6", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz", + "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==", "dev": true, "license": "MIT", "dependencies": { From 1dd191b40e11889ebbccff21a4843b4f928343a7 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 May 2026 17:00:34 +0000 Subject: [PATCH 2/2] chore(deps): bump github/codeql-action from 4.35.3 to 4.35.5 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e46ed2cbd01164d986452f91f178727624ae40d7...9e0d7b8d25671d64c341c19c0152d693099fb5ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f59d237..6591a3d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -28,11 +28,11 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4 + - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: languages: ${{ matrix.language }} queries: security-extended - - uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4 + - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f40dfc1..1ae9b06 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -37,6 +37,6 @@ jobs: path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4 + - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: sarif_file: results.sarif