chore: merge main #3737
Merged
* chore: remove @oclif/plugin-legacy dependency This removes the @oclif/plugin-legacy plugin which is no longer needed. * fix: add @types/cli-progress to devDependencies This type definition was previously provided transitively through @oclif/plugin-legacy. Now that the legacy plugin is removed, we need to explicitly include it as a devDependency. * remove plugin-legacy from expected core plugins
* refactor: rename lib and script files to kebab-case Rename 24 files from camelCase/snake_case to kebab-case for consistency: - confirmCommand.ts → confirm-command.ts - teamUtils.ts → team-utils.ts - All addons lib files (addons_wait, create_addon, destroy_addon) - All certs lib files (certificate_details, display_table, format_date, get_cert_and_key) - All data lib files (baseCommand, createPool, credentialUtils, displayQuota, parseProvisionOpts, poolConfig) - All container lib files (docker_helper) - All pg lib files (push_pull) - All types lib files (app_errors, app_process_tier) - All utils lib files (keyValueParser, tableUtils) - Script utilities (getHerokuS3Bucket, isStableRelease) Updated 100 files with corrected import paths. No functional changes. * update a few more kebab names * fix: correct sni-endpoint import paths in tests Fixes linting errors by updating import paths to include src/ directory after file rename from sni_endpoint to sni-endpoint
… commands (#3664) * refactor: apply lint formatting to access, accounts, addons, and apps commands Remove extra blank lines between static class properties to match eslint formatting rules. This PR contains only formatting changes - no functional changes. Changes: - Remove blank lines between static properties (args, description, examples, flags, topic) - Normalize spacing in class definitions - 38 files: access (4), accounts (3), addons (13), apps (18) - 94 insertions(+), 187 deletions(-) Part of incremental eslint cleanup before migrating to ESLint 9. * chore: disable indent and lines-between-class-members eslint rules Disables problematic eslint rules that conflict with the applied formatting changes.
) * refactor: apply lint formatting to auth through features commands Applies automated lint formatting to command files in preparation for migration to eslint 9. Changes include import ordering, class property ordering, object property ordering, and whitespace cleanup. Affected command groups: auth, authorizations, autocomplete, buildpacks, certs, ci, clients, config, console, container, dashboard, domains, drains, features. * minor lint adjustment
* refactor: apply lint formatting to git through pg commands Applies automated lint formatting to command files in preparation for migration to eslint 9. Changes include import ordering, class property ordering, object property ordering, and whitespace cleanup. Affected command groups: git, keys, labs, local, logs, maintenance, mcp, members, notifications, orgs, data, pg. * Switch back to if else.
* refactor: apply lint formatting to remaining commands Applies automated lint formatting to remaining command files in preparation for migration to eslint 9. Changes include import ordering, class property ordering, object property ordering, and whitespace cleanup. Affected command groups: pipelines, ps, rake, redis, regions, releases, repl, reviewapps, run, sessions, spaces, status, teams, telemetry, usage, version, webhooks. * test: add minimal tests to increase coverage for spaces commands Add error handling tests for missing required parameters: - spaces:hosts without space name - spaces:peerings:destroy without pcxid - spaces:peerings without space name These tests cover previously untested error handling paths. * test: add comprehensive tests for config quote parse function Adds 7 new test cases for the parse() function to increase code coverage from 35.48% to 100% for src/lib/config/quote.ts. New tests cover: - Double-quoted strings with newlines and escaped characters - Single-quoted strings with backslashes - Empty strings and simple unquoted strings - Error cases for multiple tokens and operator tokens * chore: add --all flag to coverage commands Ensures coverage reports include all source files, not just those that are tested. This provides a more accurate picture of overall code coverage. 
* test: add unit tests for lib/run dyno and fix colorize tests Adds comprehensive unit tests for the Dyno class: - Constructor default values and option handling - _useSSH protocol detection (http/https vs other protocols) - _env environment variable building and TERM handling - _isDebug HEROKU_DEBUG environment variable checking - _status dyno status formatting with name and size - _readData exit code parsing and output handling Also updates colorize.unit.test.ts: - Uncomments existing tests that were previously disabled - Updates color code constants to match current 256-color ANSI codes - All 7 colorize test cases now pass These changes improve coverage for src/lib/run which previously had 38.68% coverage and dyno.ts which had no dedicated test file.
* fix: remove extra semicolons and apply additional lint fixes in lib files Removes extra semicolons that were flagged as errors by the linter and applies other lint-related formatting fixes to maintain consistency across the codebase. * fix ps exec test * fix: return undefined instead of null in _useSSH getter The _useSSH getter should return undefined when uri is not set, not null. This aligns with TypeScript conventions where optional properties default to undefined, and fixes a failing test.
* refactor: rename script files to kebab-case convention Renames files from underscore to hyphen naming: - scripts/postrelease/install_scripts.js → install-scripts.js - scripts/utils/_version.js → version.js This aligns with the project's file naming standards. * refactor: apply lint formatting to scripts and hooks folders Applies ESLint formatting fixes to scripts and hooks folders: - Reorder imports to follow style guide (node: prefixed imports first, then external, then internal) - Use node: prefix for Node.js built-in modules (node:path, node:child_process, etc.) - Change from `import * as` to default imports where appropriate - Add proper error handling with try-catch blocks in postrelease scripts - Remove unnecessary semicolons and apply consistent formatting This brings the scripts and hooks folders in line with the shared ESLint configuration.
…ion tests (#3671) - Apply ESLint formatting fixes to test helper files - Add new helper utilities: legacy-run-command, run-cli-subprocess, test-instances, ux-stub - Rename and format test helper utilities (normalize-table-output) - Update test fixtures with formatting improvements - Format acceptance and integration tests
* chore: migrate to shared eslint config and fix test failures - Migrate from local .eslintrc.cjs to @heroku-cli/test-utils/eslint-config - Fix test failures caused by ESLint auto-formatting: - apps:favorites:add: update error test to use proper 404 response - spaces:ps: fix JSON date serialization in test expectation - HerokuExec: add basic auth to nock mocks for updateClientKey tests - Update hook tests to modern style (remove old test chain syntax): - terms-of-service: use sinon stubs and standard Mocha tests - version: add comprehensive test coverage with proper mocking - Rename files to kebab-case per linting rules * fix: apply linting fixes and resolve test failures - Apply ESLint auto-fixes across codebase (object sorting, ternary operators, etc) - Rename snake_case files to kebab-case per linting rules - Fix test failures caused by linting changes: - autocomplete: Fix plugins iteration (Map vs Array) - pg:kill: Reorder args (required pid before optional database) - accounts: Fix YAML property order (username before password) - apps:favorites:add: Update test to use proper 404 response - spaces:ps: Fix JSON date serialization in test - Add eslint-disable comments for intentional sort order exceptions Note: HerokuExec updateClientKey tests still failing, needs investigation * fix: resolve additional linting errors - Add n/no-unpublished-bin: off to eslint config (false positives) - Rename snake_case cert files to kebab-case: - certificate_details.ts → certificate-details.ts - format_date.ts → format-date.ts - get_cert_and_key.ts → get-cert-and-key.ts - Fix various linting issues across codebase Remaining: ~60 linting errors to be addressed - 21 @stylistic/lines-between-class-members - 9 perfectionist/sort-imports - 8 unicorn/filename-case - 6 no-undef (RequestInfo, BufferEncoding types) - Others (no-fallthrough, array-callback-return, etc.) 
* refactor: migrate test helpers to @heroku-cli/test-utils - Rename test/helpers/runCommand.ts to legacy-run-command.ts for old-style tests - Replace local run-command.ts with shared implementation from @heroku-cli/test-utils - Update 226+ test files to import runCommand from @heroku-cli/test-utils - Rename helper files to kebab-case: testInstances.ts -> test-instances.ts, uxStub.ts -> ux-stub.ts - Consolidate test utilities to use shared @heroku-cli/test-utils package This reduces code duplication and ensures all tests use the same command runner implementation. * refactor: migrate expectOutput to @heroku-cli/test-utils - Replace local test/helpers/utils/expectOutput.ts with shared implementation - Update 57 test files to import expectOutput from @heroku-cli/test-utils - Use named import syntax for consistency with other test-utils exports This continues the consolidation of test utilities into the shared package. * turn off camelcase lint warnings * refactor: remove unused eslint dependencies and fix exec URL path Remove eslint plugins that are now handled by shared config. Also fix URL construction in exec.ts to avoid duplicate slashes in the API path. * fix: add explicit eslint-import-resolver-typescript dependency The shared eslint config requires eslint-import-resolver-typescript v4.x for ESLint 9 flat config compatibility. Without it explicitly installed, npm resolves to v3.x from eslint-config-oclif, which has an incompatible interface and causes "invalid interface loaded as resolver" errors. * ci: build before linting to ensure dist folder exists The bin/run.js file imports from the dist folder, which needs to exist before linting can resolve those imports. Running build before lint ensures the TypeScript compiler generates the dist folder first. * remove conflict resolution marker * fix: resolve ESLint getter-return conflict in _useSSH Use ternary expression with explicit return to satisfy getter-return rule while avoiding no-useless-return. 
Added explicit return type annotation for clarity. * chore: add semi rule and apply linting fixes - Add semi: ['warn', 'never'] to eslint config for no semicolons preference - Fix unicorn/prefer-ternary warning in members/add.ts - Remove unnecessary no-var from eslint-disable comment - Use String.raw for better backslash escaping in tests - Reorder imports and alphabetize mock properties * test: refactor error handling to use runCommand error property Replace try-catch blocks with error property destructuring from runCommand across 88 test cases in 23 test files. This simplifies error handling by using the error returned directly from runCommand instead of relying on catch blocks. * test: fix error handling assertions in failing tests Fix 6 test files where error handling was incorrectly using expect.fail, try-catch blocks, or expect().to.be.rejected instead of properly checking the error property returned by runCommand. This resolves 9 test failures. * test: fix TypeScript error in apps/join test Import HTTPError type and cast error to access body property, resolving TypeScript compilation error. * test: replace stdout-stderr with captureOutput and remove dependency Replace stdout-stderr package with captureOutput from @heroku-cli/test-utils for cleaner and more consistent test output handling. Converted 7 test files and removed the stdout-stderr dependency from package.json. Files converted: - lib/confirm-command.unit.test.ts - lib/spaces/peering.unit.test.ts - lib/spaces/spaces.unit.test.ts - lib/run/log-displayer.unit.test.ts - lib/spaces/hosts.unit.test.ts - lib/data/display-quota.unit.test.ts - lib/spaces/vpn-connections.unit.test.ts * fix: remove captureOutput from tests that expect errors The log-displayer tests that expect errors were wrapping displayer.display() in captureOutput, which was causing the tests to hang. 
Since these tests are only checking error messages and not stdout/stderr output, we can remove the captureOutput wrapper and catch the errors directly in try-catch blocks. * fix: clean up setTimeout timers in MockEventSource to prevent test hangs The MockEventSource was creating setTimeout calls that weren't being cleaned up. These orphaned timers kept the Node.js event loop alive, causing the test suite to hang with a 30+ second timeout. Now we track all timeout IDs and clear them in the close() method to ensure proper cleanup. * fix: restore stdMocks after use to prevent test suite from hanging The container/release test was calling stdMocks.use() to hijack stdout/stderr but never calling stdMocks.restore(). This left stdout/stderr in a broken state, causing the test runner to malfunction and exit after the release tests completed, preventing subsequent test files from running. Added stdMocks.flush() and stdMocks.restore() calls to properly clean up after capturing output. * fix: remove std-mocks dependency and usage The container/release test was using stdMocks.use() to capture stdout/stderr, but then checking the output from runCommand() which already captures output. This was redundant and the missing stdMocks.restore() was breaking the test runner by leaving stdout/stderr hijacked, causing the test suite to exit early. Removed: - stdMocks usage from container/release test since runCommand() handles capture - std-mocks dependency from package.json (no longer used anywhere) * fix linting * fix: remove captureOutput from error-expecting tests in confirm-command The tests that expect errors to be thrown shouldn't use captureOutput because captureOutput doesn't return an error property. When an error is thrown inside captureOutput, it gets swallowed and the test fails with the expect.fail() message instead of properly catching the error. 
Removed captureOutput wrapper from the two tests that expect errors, since we don't need to capture stdout/stderr when we're just checking that an error is thrown. * fix: resolve linting warnings across test files Fixed various linting warnings including: - Adding explicit type imports (e.g., SinonStub) - Addressing other ESLint warnings - Cleaning up test file patterns Updated 65 test files across commands, lib, and unit test directories. * fix: resolve additional sinon-related linting warnings Fixed linting warnings related to sinon usage across test files: - Added explicit type imports for sinon types - Cleaned up sinon stub and spy patterns - Fixed other sinon-related ESLint warnings Updated 17 test files. * fix: resolve another batch of sinon-related linting warnings Fixed additional linting warnings related to sinon usage: - Added explicit type imports for sinon types - Cleaned up sinon stub, spy, and sandbox patterns - Fixed sinon-related ESLint warnings Updated 19 test files across commands, hooks, and lib directories. * add --all to coverage report, convert more sinon imports
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.4 to 7.5.5. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5) --- updated-dependencies: - dependency-name: protobufjs dependency-version: 7.5.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.3.0) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.3.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0) --- updated-dependencies: - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [hono](https://github.com/honojs/hono) from 4.12.7 to 4.12.14. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.7...v4.12.14) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.14 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@hono/node-server](https://github.com/honojs/node-server) from 1.19.11 to 1.19.13. - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.11...v1.19.13) --- updated-dependencies: - dependency-name: "@hono/node-server" dependency-version: 1.19.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…3655) * Updates to 'data:pg:attachments:create' * Multi-factor attachments parser implementation: - new backward-compatible lib function 'parseAttachmentFactors' - unit tests for the parser function * Updates to 'data:pg:attachments:create': - improvements on the interactive experience - fixed all tests with the new behavior * Removing 'credential' flag from 'data:pg:psql' to support MFA * Updates to support MFA on other 'data:pg' topic commands * Lint fixes
* docs: add AGENTS.md with CLI design patterns for AI agents Add comprehensive guidelines for AI agents working on the CLI codebase. This file documents CLI design patterns from RFC 000282, including: - Command naming conventions (lowercase-hyphenated, action verbs) - Arguments and flags best practices (prefer flags over args) - Language and help text guidelines - Output and exit code handling - Data handling patterns (thin validation, concurrent API calls) - UX component usage (ux.action, ux.table, confirmCommand, etc.) This helps ensure AI coding assistants like Claude, Copilot, and Cursor follow consistent patterns when contributing to the codebase. * docs: enhance AGENTS.md UX Components section with source attribution Add component source documentation clarifying that basic UX components (stdout, stderr, action.start/stop) come from oclif/core, while more involved components (table, color system) come from heroku-cli-util. Update component references to use correct prefixes (hux.table, hux.confirm, etc.) and add link to heroku-cli-util color system documentation.
* refactor: migrate from qqjs to execa with custom wrapper
Replaces qqjs dependency with execa v9 and introduces a lightweight
exec.ts wrapper that preserves qqjs behavior (stdio inheritance,
command logging, error handling).
Changes:
- Created scripts/utils/exec.ts wrapper with x(), shell(), stdout(), and run() helpers
- Migrated all qqjs usage to exec.ts (install-scripts.js, version.js, smoke tests)
- Fixed execa v8→v9 breaking changes in homebrew.js and plugin tests
- Updated import syntax: import execa from 'execa' → import {execa} from 'execa'
- Replaced execa.command() with shell() helper (removed in v9)
- Updated stdio array syntax to named properties
- Removed qqjs dependency (63 packages removed)
The exec.ts wrapper provides a consistent API across all scripts:
- x(cmd, args, opts): Execute with args array (stdio: 'inherit' default)
- shell(cmd, opts): Execute shell commands (strings with pipes, etc.)
- stdout(cmd, args, opts): Capture stdout as string (trims trailing newline)
- run(fn): Async error handler (logs errors, sets process.exitCode)
- config.silent: Toggle command logging
All existing functionality preserved, no behavior changes.
* chore: reorder properties in exec.ts for consistency
* refactor: simplify and rename exec.ts to script-exec.ts
Simplifications:
- Removed unused config.silent feature (only ever set to false)
- Inlined console.log calls (removed log() helper)
- Removed intermediate defaultOptions variables
- Reduced from 75 lines to 60 lines (20% reduction)
Renamed exec.ts → script-exec.ts to clarify purpose:
- script-exec.ts provides wrappers for shell scripts (stdio: 'inherit')
- Tests that need to capture output use execa directly
Changes:
- scripts/utils/exec.ts → scripts/utils/script-exec.ts
- Updated all imports across 5 files
- smoke.acceptance.test.ts: uses execa directly (needs output capture)
- plugin.acceptance.test.ts: uses script-exec.ts (no capture needed)
- Fixed TypeScript syntax in install-scripts.js (removed 'as const')
All tests pass with proper type checking.
* refactor: convert script-exec to plain JavaScript
Converted script-exec from TypeScript to plain JavaScript to eliminate
the build step dependency. Scripts can now run directly without requiring
'npm run build' first, which is more reliable for CI/CD pipelines.
Changes:
- src/lib/scripts/script-exec.ts → scripts/utils/script-exec.js
- Removed all TypeScript type annotations
- Reverted all imports back to ../utils/script-exec.js paths
- No build step required
Benefits:
- Scripts work immediately without compilation
- Simpler CI/CD - no build step before running scripts
- Fewer failure points in release automation
- 60 lines of clean, dependency-minimal JavaScript
Validation:
- All scripts pass syntax check
- install-scripts.js executes correctly
- version.js executes and returns version
- All tests type check correctly
* fix linting
* fix: prevent unhandled promise rejection in apps:destroy Fixes unhandled promise rejection when removing git remotes after app destruction. The command successfully deleted the app but crashed during git remote cleanup. Two bugs fixed: 1. Promise.all nested array issue - .map() returns Array<Promise>, not a single Promise - Promise.all([array, array]) doesn't await inner promises - Resulted in fire-and-forget promises with unhandled rejections 2. Duplicate remote removal - listRemotes() groups by URL, same remote name appears twice - Once for (fetch) and once for (push) - Second rmRemote() call failed: "No such remote" Solution: - Flatten promise arrays by collecting remote names first - Deduplicate names using Set (removes fetch/push duplicates) - Then create promises and await them properly Closes #3677 * test: add comprehensive tests for git remote deduplication (issue #3677) Expanded GitService class to include all git operations needed for testing, allowing easy stubbing of git methods in unit tests. Added two new tests: - Verifies deduplication works with single remote (fetch + push) - Verifies deduplication works with multiple remotes Fixes #3677 * fix linting
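The two bugs described in the apps:destroy commit above, reproduced as an added example (not the Heroku CLI's code). `FakeGit`, `removeRemotesBuggy`, `removeRemotesFixed`, the remote names and the URL are constructed stand-ins; the fake attaches an observer to every removal promise so the failure can be inspected instead of crashing the process.

```javascript
// Constructed stand-in for a git helper; it only models what the commit message describes.
class FakeGit {
  constructor(names) {
    this.remotes = new Set(names)
    this.pending = [] // every rmRemote() promise, observed so no rejection goes unhandled
    this.errors = []
  }

  // Like `git remote -v`: each remote is reported once for (fetch) and once for (push).
  async listRemotes() {
    return [...this.remotes].flatMap(name => ['fetch', 'push'].map(kind => ({
      kind,
      name,
      url: `https://git.example.invalid/${name}.git`, // constructed URL
    })))
  }

  // Removal completes on a later event-loop turn, as a real child process would.
  rmRemote(name) {
    const removal = new Promise((resolve, reject) => {
      setImmediate(() => {
        if (this.remotes.delete(name)) resolve(name)
        else reject(new Error(`No such remote: ${name}`))
      })
    })
    this.pending.push(removal.catch(error => {
      this.errors.push(error.message)
    }))
    return removal
  }

  settle() {
    return Promise.all(this.pending)
  }
}

// Before: the pattern the commit message describes.
async function removeRemotesBuggy(git) {
  const entries = await git.listRemotes()
  const fetchEntries = entries.filter(e => e.kind === 'fetch')
  const pushEntries = entries.filter(e => e.kind === 'push')
  // Each .map() returns Array<Promise>. Promise.all receives two plain arrays,
  // treats them as already-settled values and awaits none of the inner promises.
  await Promise.all([
    fetchEntries.map(e => git.rmRemote(e.name)),
    pushEntries.map(e => git.rmRemote(e.name)),
  ])
  return {remaining: git.remotes.size} // measured when the await returns
}

// After: collect names, deduplicate with a Set, then await one flat promise array.
async function removeRemotesFixed(git) {
  const entries = await git.listRemotes()
  const names = [...new Set(entries.map(e => e.name))]
  await Promise.all(names.map(name => git.rmRemote(name)))
  return {remaining: git.remotes.size}
}

// Runs both variants against two constructed remotes and reports what each left behind.
async function demo() {
  const buggyGit = new FakeGit(['heroku', 'staging'])
  const buggy = await removeRemotesBuggy(buggyGit)
  await buggyGit.settle()

  const fixedGit = new FakeGit(['heroku', 'staging'])
  const fixed = await removeRemotesFixed(fixedGit)
  await fixedGit.settle()

  return {
    buggy: {errors: buggyGit.errors, remainingAtReturn: buggy.remaining},
    fixed: {errors: fixedGit.errors, remainingAtReturn: fixed.remaining},
  }
}
```

In the buggy variant the `await` returns while both remotes still exist, and the duplicate removals later reject with "No such remote"; without the observer in `FakeGit` those rejections would be unhandled.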
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.12 to 0.8.13. - [Release notes](https://github.com/xmldom/xmldom/releases) - [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md) - [Commits](xmldom/xmldom@0.8.12...0.8.13) --- updated-dependencies: - dependency-name: "@xmldom/xmldom" dependency-version: 0.8.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…3690) updates @heroku-cli/command and adds new prompter test
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.3.0 to 5.3.1. - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.3.0...v5.3.1) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.3.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [@aws-sdk/xml-builder](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages-internal/xml-builder). These dependencies needed to be updated together. Updates `fast-xml-parser` from 5.5.8 to 5.7.2 - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v5.5.8...v5.7.2) Updates `@aws-sdk/xml-builder` from 3.972.16 to 3.972.22 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages-internal/xml-builder/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/HEAD/packages-internal/xml-builder) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.7.2 dependency-type: indirect - dependency-name: "@aws-sdk/xml-builder" dependency-version: 3.972.22 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Timothy Lowrimore <154477569+tlowrimore-heroku@users.noreply.github.com>
Bumps [hono](https://github.com/honojs/hono) from 4.12.14 to 4.12.18. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.14...v4.12.18) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.18 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Timothy Lowrimore <154477569+tlowrimore-heroku@users.noreply.github.com>
…sion advisories (#3694) deps: bump @oclif/plugin-plugins to ^5.4.64 Pulls in npm@11.x via @oclif/plugin-plugins, which transitively upgrades the bundled minimatch and node-gyp/tinyglobby chain so brace-expansion resolves to 5.0.5 and picomatch resolves to 4.0.4. - Resolves picomatch ReDoS via extglob (GHSA-c2c7-rcm5-vvqj, HIGH) - Resolves picomatch POSIX-class injection (GHSA-3v7f-55p6-f55p) - Resolves brace-expansion zero-step DoS (GHSA-f886-m6hf-6m8v) Closes Dependabot alerts: #271, #272, #279
) deps: add socks and express-rate-limit overrides for ip-address Adds scoped npm overrides pinning the intermediate parents of ip-address — socks ^2.8.8 and express-rate-limit ^8.5.1 — both of which depend on patched ip-address (^10.1.1 / ^10.2.0). Pinning the parents (rather than ip-address directly) leaves @heroku/socksv5@0.0.9 on its existing ip-address@5.x; socksv5 calls the v5 API (addr.valid, addr.parsedAddress) and is not back-compatible with ip-address v10. The advisory's vulnerable surfaces (Address6.group/.link/spanAll/ parseMessage) are HTML-emitting methods. The Heroku CLI has no DOM/HTML sink, and socksv5 only consumes parsedAddress, so the remaining ip-address@5.9.4 install has no exploit path. - Resolves ip-address XSS in Address6 HTML methods (GHSA-v2v4-37r5-5v8g, MEDIUM) Closes Dependabot alerts: #309
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) --- updated-dependencies: - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.5 to 7.5.8. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.5.8/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.5.5...protobufjs-v7.5.8) --- updated-dependencies: - dependency-name: protobufjs dependency-version: 7.5.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Switch container registry host resolution across container commands to use validated vars.host * Add coverage for container:release to ensure an invalid HEROKU_HOST is rejected and the command falls back to registry.heroku.com * Refactor the new invalid-HEROKU_HOST login/logout test coverage to use scoped setup/teardown contexts * Add regression tests for container:pull, container:push, and container:run to verify invalid HEROKU_HOST values are rejected and each command falls back to registry.heroku.com for image operations
…with 8 updates (#3700) Bumps the dev-patch-minor-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `3.0.0` | `3.0.1` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.58.1` | `8.59.2` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.58.1` | `8.59.2` |
| [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) | `12.7.1` | `12.7.3` |
| [eslint-config-oclif](https://github.com/oclif/eslint-config-oclif) | `6.0.157` | `6.0.164` |
| [nock](https://github.com/nock/nock) | `14.0.12` | `14.0.15` |
| [oclif](https://github.com/oclif/oclif) | `4.22.96` | `4.23.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.3` |

Updates `@actions/core` from 3.0.0 to 3.0.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)
Updates `@typescript-eslint/eslint-plugin` from 8.58.1 to 8.59.2 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.2/packages/eslint-plugin)
Updates `@typescript-eslint/parser` from 8.58.1 to 8.59.2 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.2/packages/parser)
Updates `commit-and-tag-version` from 12.7.1 to 12.7.3 - [Release notes](https://github.com/absolute-version/commit-and-tag-version/releases) - [Changelog](https://github.com/absolute-version/commit-and-tag-version/blob/master/CHANGELOG.md) - [Commits](absolute-version/commit-and-tag-version@v12.7.1...v12.7.3)
Updates `eslint-config-oclif` from 6.0.157 to 6.0.164 - [Release notes](https://github.com/oclif/eslint-config-oclif/releases) - [Changelog](https://github.com/oclif/eslint-config-oclif/blob/main/CHANGELOG.md) - [Commits](oclif/eslint-config-oclif@6.0.157...6.0.164)
Updates `nock` from 14.0.12 to 14.0.15 - [Release notes](https://github.com/nock/nock/releases) - [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md) - [Commits](nock/nock@v14.0.12...v14.0.15)
Updates `oclif` from 4.22.96 to 4.23.0 - [Release notes](https://github.com/oclif/oclif/releases) - [Changelog](https://github.com/oclif/oclif/blob/main/CHANGELOG.md) - [Commits](oclif/oclif@4.22.96...4.23.0)
Updates `typescript` from 5.8.3 to 5.9.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v5.8.3...v5.9.3)
--- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-minor-dependencies - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.59.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-patch-minor-dependencies - dependency-name: "@typescript-eslint/parser" dependency-version: 8.59.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-patch-minor-dependencies - dependency-name: commit-and-tag-version dependency-version: 12.7.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-minor-dependencies - dependency-name: eslint-config-oclif dependency-version: 6.0.164 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-minor-dependencies - dependency-name: nock dependency-version: 14.0.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-minor-dependencies - dependency-name: oclif dependency-version: 4.23.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-patch-minor-dependencies - dependency-name: typescript dependency-version: 5.9.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-patch-minor-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Michael Malave <michael.malave@salesforce.com>
* Fix inquirer import issue
* Refactoring to move shared logic for enabling reuse
* Bringing in missing PoolConfig tests from plugin and adding new tests
* 'data:pg:migrate' command implementation with tests
* Addressing product feedback:
  - Disabling create target database option (backend isn't ready).
  - Adding validation that target database is available.
  - Linting fixes.
* Re-enabling config option for non-active migration source/destination dbs
* Re-activating target creation on-the-fly logic
* Remove .only from tests
* Apply suggestions from code review

  Applying CX review feedback.

  Co-authored-by: Helen Cheng <48834224+heicheng18@users.noreply.github.com>
  Signed-off-by: Santiago Bosio <santiago.bosio@gmail.com>
* Updating tests to match updated strings on CX feedback

---------

Signed-off-by: Santiago Bosio <santiago.bosio@gmail.com>
Co-authored-by: Helen Cheng <48834224+heicheng18@users.noreply.github.com>
Migrate the remaining release scripts (scripts/upload/deb and scripts/release/win) from qqjs to the shared script-exec (run/x/shell) helpers so release packaging no longer depends on the removed qqjs package
Inherit secrets for the publish-to-fig-autocomplete reusable workflow in create-cli-release so the post-release job has required secret access
remove unused workflow file
fix: add missing warning to 'data:pg:migrate'
…3724) Both Claude Code and GitHub Copilot Code Review look for tool-specific instruction files (CLAUDE.md and .github/copilot-instructions.md respectively). Point both at the canonical AGENTS.md so we don't have to maintain duplicate guidelines per tool.
…#3721) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: 'run:inside' args ordering
Summary
Merges the latest changes from `main` into the feat/credential-mgr-integration feature branch. Also includes some test fixes required for using `runCommand` from heroku-test-utils.
Type of Change
Breaking Changes (major semver update)
`!` after your change type to denote a change that breaks current behavior
Feature Additions (minor semver update)
Patch Updates (patch semver update)
Testing
Notes:
Steps:
Screenshots (if applicable)
Related Issues
GUS work item: W-21686289