Merge branch 'main' into fix-feed-image-variant

saleor · Jan 16, 2025 · 581bbe3 · 581bbe3
2 parents ecdf6d3 + 0db174a
commit 581bbe3
Show file tree

Hide file tree

Showing 46 changed files with 278 additions and 134 deletions.
diff --git a/.changeset/angry-zebras-collect.md b/.changeset/angry-zebras-collect.md
@@ -0,0 +1,11 @@
+---
+"products-feed": patch
+"klaviyo": patch
+"segment": patch
+"app-avatax": patch
+"cms-v2": patch
+"search": patch
+"smtp": patch
+---
+
+Removed regex escape for `ALLOWED_DOMAINS_URL` env variable from register handler. It isn't user input and escaping regex was causing problem with apps installation.
diff --git a/.changeset/chilly-doors-film.md b/.changeset/chilly-doors-film.md
diff --git a/.changeset/empty-ligers-brush.md b/.changeset/empty-ligers-brush.md
diff --git a/.changeset/rotten-seals-suffer.md b/.changeset/rotten-seals-suffer.md
diff --git a/.changeset/silver-mangos-behave.md b/.changeset/silver-mangos-behave.md
diff --git a/.changeset/six-lamps-shop.md b/.changeset/six-lamps-shop.md
diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
@@ -0,0 +1,45 @@
+name: Check Licenses
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      # Labels are needed to handle external contributors
+      - labeled
+      - unlabeled
+    paths:
+      # Self
+      - ".github/workflows/check-licenses.yaml"
+      # JS/TS Ecosystem
+      - "**/package.json"
+      - "**/pnpm-lock.yaml"
+      - "**/package-lock.json"
+
+jobs:
+  default:
+    permissions:
+      contents: read
+      pull-requests: write
+    uses: saleor/saleor-internal-actions/.github/workflows/run-license-check.yaml@v1
+    with:
+      # List of ecosystems to scan.
+      ecosystems: >-
+        javascript
+      # Grant rules (https://github.com/anchore/grant/blob/4362dc22cf5ea9baeccfa59b2863879afe0c30d7/README.md#usage)
+      rules: |
+        # Explicitly allow LGPL as "*GPL*" rule will cause to reject them otherwise.
+        - pattern: "*lgpl*"
+          name: "allow-lgpl"
+          mode: "allow"
+          reason: "LGPL is allowed."
+        - pattern: "*gpl*"
+          name: "deny-gpl"
+          mode: "deny"
+          reason: "GPL licenses are not compatible with BSD-3-Clause"
+          exceptions:
+            # store2 is under a dual license (MIT OR GPL-3.0), thus is compatible with our project.
+            # License metadata (for v2.14.2): https://github.com/nbubna/store/blob/20cce53b83b5870b6715fa929e4aa773cfa5e179/package.json#L32
+            - store2
+        - pattern: "*proprietary*"
+          name: "deny-proprietary"
+          mode: "deny"
diff --git a/apps/avatax/CHANGELOG.md b/apps/avatax/CHANGELOG.md
@@ -1,5 +1,22 @@
 # app-avatax
 
+## 1.12.4
+
+### Patch Changes
+
+- 9bbf9ee5: Increased Vercel log limit to new value - 256KB. See [announcement](https://vercel.com/changelog/updated-logging-limits-for-vercel-functions) blog post from Vercel for more details.
+- 9bbf9ee5: Escape ALLOWED_DOMAIN_PATTERN regex. It ensures that regex constructed from env variable is sanitized and can't be used to Denial of Service attack.
+- 9bbf9ee5: Fixed autofixable linting issues. No functional changes.
+- 9bbf9ee5: Add log when suspicious calculation happen - when line tax rate is non-zero but amount of taxes is zero
+- Updated dependencies [9bbf9ee5]
+- Updated dependencies [9bbf9ee5]
+  - @saleor/apps-logger@1.4.3
+  - @saleor/react-hook-form-macaw@0.2.12
+  - @saleor/webhook-utils@0.2.3
+  - @saleor/apps-shared@1.11.4
+  - @saleor/apps-otel@1.3.5
+  - @saleor/apps-ui@1.2.10
+
 ## 1.12.3
 
 ### Patch Changes

diff --git a/apps/avatax/package.json b/apps/avatax/package.json
@@ -1,6 +1,6 @@
 {
   "name": "app-avatax",
-  "version": "1.12.3",
+  "version": "1.12.4",
   "scripts": {
     "build": " next build",
     "check-types": "tsc --noEmit",
@@ -60,7 +60,6 @@
     "decimal.js-light": "2.5.1",
     "dotenv": "16.3.1",
     "dynamodb-toolbox": "1.8.2",
-    "escape-string-regexp": "5.0.0",
     "graphql": "16.7.1",
     "graphql-tag": "2.12.6",
     "jotai": "^2.4.2",

diff --git a/apps/avatax/src/pages/api/register.ts b/apps/avatax/src/pages/api/register.ts
@@ -1,7 +1,6 @@
 import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
 import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
 import { withOtel } from "@saleor/apps-otel";
-import escapeStringRegexp from "escape-string-regexp";
 
 import { env } from "@/env";
 import { createLogger } from "@/logger";
@@ -28,7 +27,8 @@ export default wrapWithLoggerContext(
       allowedSaleorUrls: [
         (url) => {
           if (allowedUrlsPattern) {
-            const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));
+            // we don't escape the pattern because it's not user input - it's an ENV variable controlled by us
+            const regex = new RegExp(allowedUrlsPattern);
 
             return regex.test(url);
           }

diff --git a/apps/cms-v2/CHANGELOG.md b/apps/cms-v2/CHANGELOG.md
@@ -1,5 +1,21 @@
 # saleor-app-cms-v2
 
+## 2.9.17
+
+### Patch Changes
+
+- 9bbf9ee5: Increased Vercel log limit to new value - 256KB. See [announcement](https://vercel.com/changelog/updated-logging-limits-for-vercel-functions) blog post from Vercel for more details.
+- 9bbf9ee5: Added new `LoggerVercelTransport` support. It will help us send logs to our infrastructure without need of OTEL unstable logs API.
+- 9bbf9ee5: Escape ALLOWED_DOMAIN_PATTERN regex. It ensures that regex constructed from env variable is sanitized and can't be used to Denial of Service attack.
+- 9bbf9ee5: Fixed autofixable linting issues. No functional changes.
+- Updated dependencies [9bbf9ee5]
+- Updated dependencies [9bbf9ee5]
+  - @saleor/apps-logger@1.4.3
+  - @saleor/react-hook-form-macaw@0.2.12
+  - @saleor/apps-shared@1.11.4
+  - @saleor/apps-otel@1.3.5
+  - @saleor/apps-ui@1.2.10
+
 ## 2.9.16
 
 ### Patch Changes

diff --git a/apps/cms-v2/package.json b/apps/cms-v2/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cms-v2",
-  "version": "2.9.16",
+  "version": "2.9.17",
   "scripts": {
     "build": "next build",
     "check-types": "tsc --noEmit",
@@ -49,7 +49,6 @@
     "@vitejs/plugin-react": "4.3.1",
     "contentful-management": "10.46.4",
     "dotenv": "16.3.1",
-    "escape-string-regexp": "5.0.0",
     "graphql": "16.7.1",
     "graphql-tag": "2.12.6",
     "jsdom": "^20.0.3",

diff --git a/apps/cms-v2/src/pages/api/register.ts b/apps/cms-v2/src/pages/api/register.ts
@@ -1,7 +1,6 @@
 import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
 import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
 import { withOtel } from "@saleor/apps-otel";
-import escapeStringRegexp from "escape-string-regexp";
 
 import { saleorApp } from "@/saleor-app";
 
@@ -18,7 +17,8 @@ const handler = createAppRegisterHandler({
   allowedSaleorUrls: [
     (url) => {
       if (allowedUrlsPattern) {
-        const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));
+        // we don't escape the pattern because it's not user input - it's an ENV variable controlled by us
+        const regex = new RegExp(allowedUrlsPattern);
 
         return regex.test(url);
       }

diff --git a/apps/klaviyo/CHANGELOG.md b/apps/klaviyo/CHANGELOG.md
@@ -1,5 +1,20 @@
 # saleor-app-klaviyo
 
+## 1.12.18
+
+### Patch Changes
+
+- 9bbf9ee5: Increased Vercel log limit to new value - 256KB. See [announcement](https://vercel.com/changelog/updated-logging-limits-for-vercel-functions) blog post from Vercel for more details.
+- 9bbf9ee5: Added new `LoggerVercelTransport` support. It will help us send logs to our infrastructure without need of OTEL unstable logs API.
+- 9bbf9ee5: Escape ALLOWED_DOMAIN_PATTERN regex. It ensures that regex constructed from env variable is sanitized and can't be used to Denial of Service attack.
+- 9bbf9ee5: Fixed autofixable linting issues. No functional changes.
+- Updated dependencies [9bbf9ee5]
+- Updated dependencies [9bbf9ee5]
+  - @saleor/apps-logger@1.4.3
+  - @saleor/apps-shared@1.11.4
+  - @saleor/apps-otel@1.3.5
+  - @saleor/apps-ui@1.2.10
+
 ## 1.12.17
 
 ### Patch Changes

diff --git a/apps/klaviyo/package.json b/apps/klaviyo/package.json
@@ -1,6 +1,6 @@
 {
   "name": "klaviyo",
-  "version": "1.12.17",
+  "version": "1.12.18",
   "scripts": {
     "build": "next build",
     "check-types": "tsc --noEmit",
@@ -37,7 +37,6 @@
     "@sentry/nextjs": "../../node_modules/@sentry/nextjs",
     "@urql/exchange-auth": "2.1.4",
     "dotenv": "16.3.1",
-    "escape-string-regexp": "5.0.0",
     "graphql": "16.7.1",
     "graphql-tag": "2.12.6",
     "next": "14.2.3",

diff --git a/apps/klaviyo/src/pages/api/register.ts b/apps/klaviyo/src/pages/api/register.ts
@@ -1,7 +1,6 @@
 import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
 import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
 import { withOtel } from "@saleor/apps-otel";
-import escapeStringRegexp from "escape-string-regexp";
 
 import { saleorApp } from "../../../saleor-app";
 import { loggerContext } from "../../logger-context";
@@ -17,7 +16,8 @@ const handler = createAppRegisterHandler({
   allowedSaleorUrls: [
     (url) => {
       if (allowedUrlsPattern) {
-        const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));
+        // we don't escape the pattern because it's not user input - it's an ENV variable controlled by us
+        const regex = new RegExp(allowedUrlsPattern);
 
         return regex.test(url);
       }

diff --git a/apps/products-feed/CHANGELOG.md b/apps/products-feed/CHANGELOG.md
@@ -1,5 +1,22 @@
 # saleor-app-products-feed
 
+## 1.19.17
+
+### Patch Changes
+
+- 9bbf9ee5: Increased Vercel log limit to new value - 256KB. See [announcement](https://vercel.com/changelog/updated-logging-limits-for-vercel-functions) blog post from Vercel for more details.
+- 9bbf9ee5: Added new `LoggerVercelTransport` support. It will help us send logs to our infrastructure without need of OTEL unstable logs API.
+- 9bbf9ee5: Escape ALLOWED_DOMAIN_PATTERN regex. It ensures that regex constructed from env variable is sanitized and can't be used to Denial of Service attack.
+- 9bbf9ee5: Fixed autofixable linting issues. No functional changes.
+- Updated dependencies [9bbf9ee5]
+- Updated dependencies [9bbf9ee5]
+  - @saleor/apps-logger@1.4.3
+  - @saleor/react-hook-form-macaw@0.2.12
+  - @saleor/webhook-utils@0.2.3
+  - @saleor/apps-shared@1.11.4
+  - @saleor/apps-otel@1.3.5
+  - @saleor/apps-ui@1.2.10
+
 ## 1.19.16
 
 ### Patch Changes

diff --git a/apps/products-feed/package.json b/apps/products-feed/package.json
@@ -1,6 +1,6 @@
 {
   "name": "products-feed",
-  "version": "1.19.16",
+  "version": "1.19.17",
   "scripts": {
     "build": "next build",
     "check-types": "tsc --noEmit",
@@ -48,7 +48,6 @@
     "@urql/exchange-auth": "2.1.4",
     "@vitejs/plugin-react": "4.3.1",
     "dotenv": "16.3.1",
-    "escape-string-regexp": "5.0.0",
     "fast-xml-parser": "^4.0.15",
     "graphql": "16.7.1",
     "graphql-tag": "2.12.6",

diff --git a/apps/products-feed/src/pages/api/register.ts b/apps/products-feed/src/pages/api/register.ts
@@ -1,7 +1,6 @@
 import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
 import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
 import { withOtel } from "@saleor/apps-otel";
-import escapeStringRegexp from "escape-string-regexp";
 
 import { loggerContext } from "../../logger-context";
 import { saleorApp } from "../../saleor-app";
@@ -19,7 +18,8 @@ export default wrapWithLoggerContext(
       allowedSaleorUrls: [
         (url) => {
           if (allowedUrlsPattern) {
-            const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));
+            // we don't escape the pattern because it's not user input - it's an ENV variable controlled by us
+            const regex = new RegExp(allowedUrlsPattern);
 
             return regex.test(url);
           }

diff --git a/apps/search/CHANGELOG.md b/apps/search/CHANGELOG.md
@@ -1,5 +1,22 @@
 # saleor-app-search
 
+## 1.22.19
+
+### Patch Changes
+
+- 9bbf9ee5: Increased Vercel log limit to new value - 256KB. See [announcement](https://vercel.com/changelog/updated-logging-limits-for-vercel-functions) blog post from Vercel for more details.
+- 9bbf9ee5: Added new `LoggerVercelTransport` support. It will help us send logs to our infrastructure without need of OTEL unstable logs API.
+- 9bbf9ee5: Escape ALLOWED_DOMAIN_PATTERN regex. It ensures that regex constructed from env variable is sanitized and can't be used to Denial of Service attack.
+- 9bbf9ee5: Fixed autofixable linting issues. No functional changes.
+- Updated dependencies [9bbf9ee5]
+- Updated dependencies [9bbf9ee5]
+  - @saleor/apps-logger@1.4.3
+  - @saleor/react-hook-form-macaw@0.2.12
+  - @saleor/webhook-utils@0.2.3
+  - @saleor/apps-shared@1.11.4
+  - @saleor/apps-otel@1.3.5
+  - @saleor/apps-ui@1.2.10
+
 ## 1.22.18
 
 ### Patch Changes

diff --git a/apps/search/package.json b/apps/search/package.json
@@ -1,6 +1,6 @@
 {
   "name": "search",
-  "version": "1.22.18",
+  "version": "1.22.19",
   "scripts": {
     "build": "next build",
     "check-types": "tsc --noEmit",
@@ -50,7 +50,6 @@
     "clsx": "^1.2.1",
     "debug": "^4.3.4",
     "dotenv": "16.3.1",
-    "escape-string-regexp": "5.0.0",
     "graphql": "16.7.1",
     "graphql-tag": "2.12.6",
     "next": "14.2.3",

diff --git a/apps/search/src/pages/api/register.ts b/apps/search/src/pages/api/register.ts
@@ -1,7 +1,6 @@
 import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
 import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
 import { withOtel } from "@saleor/apps-otel";
-import escapeStringRegexp from "escape-string-regexp";
 
 import { saleorApp } from "../../../saleor-app";
 import { loggerContext } from "../../lib/logger-context";
@@ -15,7 +14,8 @@ export default wrapWithLoggerContext(
       allowedSaleorUrls: [
         (url) => {
           if (allowedUrlsPattern) {
-            const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));
+            // we don't escape the pattern because it's not user input - it's an ENV variable controlled by us
+            const regex = new RegExp(allowedUrlsPattern);
 
             return regex.test(url);
           }