fix: updated all deps (#109)

* fix: updated all deps

* fix: updated node version in the readme and lock

* chore: lock update

* fix: fixed pnpm audit

* ci: update semantic check

* ci: moved audit to audit-ci

.github/renovate.json5

@@ -1,49 +1,3 @@
 {
-    $schema: "https://docs.renovatebot.com/renovate-schema.json",
-    extends: ["config:base", "schedule:earlyMondays", "group:allNonMajor", ":prHourlyLimitNone", "helpers:pinGitHubActionDigests"],
-    labels: ["c: dependencies"],
-    reviewersFromCodeOwners: true,
-    rangeStrategy: "bump",
-    packageRules: [
-        {
-            groupName: "devDependencies",
-            matchDepTypes: ["devDependencies"],
-            rangeStrategy: "bump",
-        },
-        {
-            groupName: "dependencies",
-            matchDepTypes: ["dependencies"],
-            rangeStrategy: "replace",
-        },
-        {
-            groupName: "peerDependencies",
-            matchDepTypes: ["peerDependencies"],
-            rangeStrategy: "widen",
-        },
-        {
-            groupName: "engines",
-            matchDepTypes: ["engines"],
-            rangeStrategy: "replace",
-        },
-        {
-            groupName: "typescript-eslint",
-            matchPackagePrefixes: ["@typescript-eslint/"],
-        },
-        {
-            groupName: "vitest",
-            matchPackageNames: ["@vitest/coverage-c8", "@vitest/ui", "vitest"],
-        },
-        {
-            groupName: "prettier",
-            matchPackageNames: ["@types/prettier", "prettier"],
-        },
-        {
-            groupName: "typescript",
-            matchPackageNames: ["typescript"],
-        },
-    ],
-    vulnerabilityAlerts: {
-        labels: ["c: security"],
-        assignees: ["team:maintainers"],
-    },
+    extends: ["github>anolilab/renovate-config"],
 }

.github/workflows/lint.yml

@@ -76,7 +76,7 @@ jobs:
               run: "pnpm install --frozen-lockfile"
 
             - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
-              run: "pnpm audit signatures"
+              run: "pnpm dlx audit-ci@^6 --config ./audit-ci.jsonc --report-type=summary"
 
             - name: "lint"
               run: "pnpm run lint:eslint"
@@ -145,7 +145,7 @@ jobs:
                   SKIP_CHECK: "true"
 
             - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
-              run: "pnpm audit signatures"
+              run: "pnpm dlx audit-ci@^6 --config ./audit-ci.jsonc --report-type=summary"
 
             - name: "lint"
               run: "pnpm run lint:text"

.github/workflows/require-allow-edits.yml

@@ -0,0 +1,18 @@
+name: "Require 'Allow Edits'"
+
+on: ["pull_request_target"] # yamllint disable-line rule:truthy
+
+permissions:
+    contents: "read"
+
+jobs:
+    check_allow_edits:
+        permissions:
+            pull-requests: "read" # for ljharb/require-allow-edits to check 'allow edits' on PR
+
+        name: "Require “Allow Edits”"
+
+        runs-on: "ubuntu-latest"
+
+        steps:
+            - uses: "ljharb/require-allow-edits@main"

.github/workflows/semantic-pull-request.yml

@@ -0,0 +1,73 @@
+# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
+
+name: "Semantic Pull Request"
+
+on: # yamllint disable-line rule:truthy
+    pull_request_target:
+        types:
+            - "opened"
+            - "reopened"
+            - "edited"
+            - "synchronize"
+
+permissions: {}
+
+jobs:
+    main:
+        permissions:
+            pull-requests: "write" # to analyze PRs (amannn/action-semantic-pull-request)
+            statuses: "write" # to mark status of analyzed PR (amannn/action-semantic-pull-request)
+        runs-on: "ubuntu-latest"
+        name: "Semantic Pull Request"
+        steps:
+            - name: "Harden Runner"
+              uses: "step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895" # v2.6.1
+              with:
+                  egress-policy: "audit"
+
+            - name: "Validate PR title"
+              id: "lint_pr_title"
+              uses: "amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f" # v5.4.0
+              env:
+                  GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+              with:
+                  types: |
+                      build
+                      chore
+                      ci
+                      deps
+                      docs
+                      feat
+                      fix
+                      perf
+                      refactor
+                      revert
+                      security
+                      style
+                      test
+                      translation
+
+            - uses: "marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd" # v2.8.0
+              # When the previous steps fails, the workflow would stop. By adding this
+              # condition you can continue the execution with the populated error message.
+              if: "always() && (steps.lint_pr_title.outputs.error_message != null)"
+              with:
+                  header: "pr-title-lint-error"
+                  message: |
+                      Hey there and thank you for opening this pull request! 👋🏼
+
+                      We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+
+                      Details:
+
+                      ```
+                      ${{ steps.lint_pr_title.outputs.error_message }}
+                      ```
+
+              # Delete a previous comment when the issue has been resolved
+            - if: "${{ steps.lint_pr_title.outputs.error_message == null }}"
+              uses: "marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd" # v2.8.0
+              with:
+                  header: "pr-title-lint-error"
+                  message: |
+                      Thank you for following the naming conventions! 🙏

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
         strategy:
             matrix:
                 os: ["ubuntu-latest"]
-                node_version: ["18", "19", "20"]
+                node_version: ["18", "20", "21"]
                 include:
                     - os: "macos-latest"
                       node_version: "18"
@@ -64,7 +64,7 @@ jobs:
                   SKIP_CHECK: "true"
 
             - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
-              run: "pnpm audit signatures"
+              run: "pnpm dlx audit-ci@^6 --config ./audit-ci.jsonc --report-type=summary"
 
             - name: "test and coverage"
               run: "pnpm run test:coverage"

README.md

@@ -18,13 +18,13 @@ This is the theme repository for the [Json Résumé](https://jsonresume.org/) pr
 
 ## Installation
 
-This project uses [pnpm](https://pnpm.io/), [vitejs](https://vitejs.dev/) and [vitest](https://vitest.dev/) for all its internal build processes. In theory, this project requires at lest Node v16 to run.
+This project uses [pnpm](https://pnpm.io/), [vitejs](https://vitejs.dev/) and [vitest](https://vitest.dev/) for all its internal build processes. In theory, this project requires at lest Node v18 to run.
 
 ## Quick Commands
 
--   `pnpm dev` - Run the build and generate an résumé html page for development
+-   `pnpm run dev` - Run the build and generate an résumé html page for development
 -   `pnpm run build` - Builds the résumé into a `html` file
--   `pnpm run build:pdf` - Builds the résumé into a `pdf` file
+-   `pnpm run build:pdf` - Builds the résumé into a `pdf` file (requires `pnpm run build` to be called first)
 -   `pnpm run download:resume` - Download your gist resume.json (and resume.private.jons)
 -   `pnpm run serve` - Locally preview the production build
 
@@ -72,15 +72,14 @@ To generate an résumé locally:
 `netlify.toml`:
 
 ```toml
-[build.environment]
-  NODE_VERSION = "18"
-
 [build]
 # If you download your resume.json (and resume.private.json) from a gist please use the command below and uncomment the current command
 #  command = "pnpm run download:resume && pnpm run build && pnpm run build:pdf"
-  command = "pnpm run build && pnpm run build:pdf"
-  publish = "dist"
+command = "pnpm run build && pnpm run build:pdf"
+publish = "dist"
 
+[build.environment]
+NODE_VERSION = "18"
 ```
 
 ## Why not use the PDF generated by the pipeline

audit-ci.jsonc

@@ -0,0 +1,11 @@
+{
+    // $schema provides code completion hints to IDEs.
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true,
+    "package-manager": "pnpm",
+    "report-type": "important",
+    "allowlist": [
+        // @TODO: check if node-ip will be updated to fix the vulnerability
+        "GHSA-78xj-cgh5-2h22|. > *",
+    ],
+}

package.json

@@ -25,6 +25,7 @@
     },
     "sideEffects": false,
     "scripts": {
+        "audit": "pnpm dlx audit-ci@^6 --config ./audit-ci.jsonc",
         "build": "tsc && cross-env NODE_ENV='production' vite build",
         "build:pdf": "esno ./bin/build-pdf.ts",
         "clean": "rimraf node_modules dist",
@@ -138,7 +139,11 @@
             "request": "npm:@cypress/request@3.0.0",
             "minimist@<0.2.1": ">=0.2.1",
             "semver@>=7.0.0 <7.5.2": ">=7.5.2",
-            "tough-cookie@<4.1.3": ">=4.1.3"
+            "tough-cookie@<4.1.3": ">=4.1.3",
+            "sharp@<0.32.6": ">=0.32.6",
+            "vite@>=4.4.0 <4.4.12": ">=4.4.12",
+            "vite@>=4.0.0 <=4.5.1": ">=4.5.2",
+            "vite@>=2.7.0 <=2.9.16": ">=2.9.17"
         }
     }
 }