From 2a1061d6632ccc11c4a2ed01f00363cb605424f0 Mon Sep 17 00:00:00 2001 From: Shinsuke Higashiyama aka Cinzeng Zia <94058150+sinsukehlab@users.noreply.github.com> Date: Fri, 29 Mar 2024 03:15:40 +0900 Subject: [PATCH] Use Perl regular expressions for version check (#21) * Update axios version check Use Perl regular expressions to check semantic versioning other than 0.21.1 `(?!0\\.21\\.1)(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?` Cf. https://regex101.com/r/vkijKf/1/ * Update Step 3 instructions to reflect axios update * Update minimist version check Use Perl regular expressions to check semantic versioning other than 1.2.5 * Update names of action-check-file steps * Update copyright year in README.md * Commit suggestion in 2-dependabot-alerts.yml any number of WS characters Co-authored-by: Kevin Heis * Tolerate `[\ \\n\\r\\t]` after `:` See: https://www.json.org/json-en.html * Escape `.` to `\\.` * Negative lookbehind for any patch before `1\\.2\\.[0-5]` `0\\.21\\.[01]` --------- Co-authored-by: Kevin Heis --- .github/steps/3-dependabot-security.md | 2 +- .github/workflows/1-dependency-graph.yml | 4 ++-- .github/workflows/2-dependabot-alerts.yml | 8 ++++---- .github/workflows/3-dependabot-security.yml | 8 ++++---- .github/workflows/4-dependabot-versions.yml | 2 +- README.md | 2 +- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/steps/3-dependabot-security.md b/.github/steps/3-dependabot-security.md index f105d5f..79d78ba 100644 --- a/.github/steps/3-dependabot-security.md +++ b/.github/steps/3-dependabot-security.md 
@@ -11,7 +11,7 @@ We manually created the pull request for the `Prototype Pollution in minimist` a
 ### :keyboard: Activity: Enable and trigger Dependabot security updates
 
 1. Navigate to the `Settings` tab, select `Code security and analysis`, and enable the `Dependabot security updates`.
-1. Navigate to the `Pull requests` repository tab and select the newly created pull request titled **Bump axios from 0.21.1 to 0.21.2 in /code/src/AttendeeSite**.
+1. Navigate to the `Pull requests` repository tab and select the newly created pull request that updates axios from version 0.21.1 to a patched version.
    - You may need to wait 30-60 seconds.
 1. Click the `Merge pull request` button.
 1. Click `Confirm merge`.
diff --git a/.github/workflows/1-dependency-graph.yml b/.github/workflows/1-dependency-graph.yml
index 4667a03..0214cb2 100644
--- a/.github/workflows/1-dependency-graph.yml
+++ b/.github/workflows/1-dependency-graph.yml
@@ -53,11 +53,11 @@ jobs:
         uses: actions/checkout@v4
 
       # Verify the learner added the file contents.
-      - name: Check workflow contents, jobs
+      - name: Check package-lock.json
         uses: skills/action-check-file@v1
         with:
           file: "code/src/AttendeeSite/package-lock.json"
-          search: "1.14.1"
+          search: "1\\.14\\.1"
 
       # In README.md, switch step 1 for step 2.
       - name: Update to step 2
diff --git a/.github/workflows/2-dependabot-alerts.yml b/.github/workflows/2-dependabot-alerts.yml
index 9abfa66..7f7ff67 100644
--- a/.github/workflows/2-dependabot-alerts.yml
+++ b/.github/workflows/2-dependabot-alerts.yml
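Review bot: The new `search: "1\\.14\\.1"` in the 1-dependency-graph.yml hunk is still not tied to any package, so any entry in package-lock.json whose version contains 1.14.1 (including a longer version such as 11.14.1, since the pattern is unanchored) satisfies the check, and the step cannot tell whether the dependency it is about was actually added. The other workflows touched by this patch anchor their patterns on the package name (`"minimist":` / `minimist-`); the same shape here, e.g. `search: "<package>-1\\.14\\.1\\.tgz"` against the resolved tarball name, or `"<package>":[\ \\n\\r\\t]*\\{[^}]*\"version\":[\ \\n\\r\\t]*\"1\\.14\\.1\"`, would verify the right dependency. The package that 1.14.1 belongs to is not visible in this hunk, so the name has to come from the step text.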
@@ -55,18 +55,18 @@ jobs:
           fetch-depth: 0 # Let's get all the branches.
 
       # Verify the PR updated package.json.
-      - name: Check package.json
+      - name: Check package.json for minimist version other than 1.2.5
         uses: skills/action-check-file@v1
         with:
           file: "code/src/AttendeeSite/package.json"
-          search: "1.2.6"
+          search: "\"minimist\":[\ \\n\\r\\t]*\"\\^(?!1\\.2\\.[0-5])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\""
 
       # Verify the PR updated package-lock.json.
-      - name: Check package.json
+      - name: Check package-lock.json for minimist version other than 1.2.5
         uses: skills/action-check-file@v1
         with:
           file: "code/src/AttendeeSite/package-lock.json"
-          search: "1.2.6"
+          search: "minimist-(?!1\\.2\\.[0-5])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?"
 
       # In README.md, switch step 2 for step 3.
       - name: Update to step 3
diff --git a/.github/workflows/3-dependabot-security.yml b/.github/workflows/3-dependabot-security.yml
index c599740..15f07ca 100644
--- a/.github/workflows/3-dependabot-security.yml
+++ b/.github/workflows/3-dependabot-security.yml
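Review bot: Both new `search` values reject only 1.2.0–1.2.5 via `(?!1\\.2\\.[0-5])`, so any lower release — `^1.1.0` or `^0.0.8` — passes the package.json and package-lock.json checks, and a downgrade is graded as a fix for a step that is about the minimist prototype-pollution alert. The lookahead is also not terminated, so a hypothetical 1.2.50 would be rejected because `1\\.2\\.[0-5]` matches its prefix. If the intent is "at least the release Dependabot proposes" (the removed literal was 1.2.6), widen the exclusion in both values to `(?!0\\.|1\\.[01]\\.|1\\.2\\.[0-5](?![0-9]))`, which still accepts 1.2.6 and everything later. The package.json pattern additionally hard-wires the `\\^` range prefix, so a learner who pins `"minimist": "1.2.6"` fails the step; that is presumably acceptable because Dependabot keeps the existing prefix, but a comment saying so would save the next maintainer a guess. The step names say "other than 1.2.5" while the patterns exclude 1.2.0–1.2.5, so `for minimist version above 1.2.5` would describe what is actually checked.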
@@ -55,18 +55,18 @@ jobs:
           fetch-depth: 0 # Let's get all the branches.
 
       # Verify the PR added the dependabot changes.
-      - name: Check package for axios version 1.6.0
+      - name: Check package.json for axios version other than 0.21.1
         uses: skills/action-check-file@v1
         with:
           file: "code/src/AttendeeSite/package.json"
-          search: "1.6.0"
+          search: "\"axios\":[\ \\n\\r\\t]*\"\\^(?!0\\.21\\.[01])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\""
 
       # Verify the PR added the dependabot changes.
-      - name: Check package-lock for axios version 1.6.0
+      - name: Check package-lock.json for axios version other than 0.21.1
         uses: skills/action-check-file@v1
         with:
           file: "code/src/AttendeeSite/package-lock.json"
-          search: "1.6.0"
+          search: "axios-(?!0\\.21\\.[01])(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?"
 
       # In README.md, switch step 3 for step 4.
       - name: Update to step 4
diff --git a/.github/workflows/4-dependabot-versions.yml b/.github/workflows/4-dependabot-versions.yml
index bd92e7f..636c8a9 100644
--- a/.github/workflows/4-dependabot-versions.yml
+++ b/.github/workflows/4-dependabot-versions.yml
@@ -57,7 +57,7 @@ jobs:
           fetch-depth: 0 # Let's get all the branches.
 
       # Verify the learner added the file contents.
-      - name: Check workflow contents, jobs
+      - name: Check dependabot.yml
         uses: skills/action-check-file@v1
         with:
           file: ".github/dependabot.yml"
diff --git a/README.md b/README.md
index 9de718e..efb68d4 100644
--- a/README.md
+++ b/README.md
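Review bot: In the 3-dependabot-security.yml hunk, `(?!0\\.21\\.[01])` excludes only 0.21.0 and 0.21.1, so `^0.19.0` or `^0.20.0` satisfies both new `search` values even though the step text updated in this same patch describes the pull request as moving axios "to a patched version"; a downgrade is graded as a fix. Because the lookahead has no terminator, a 0.21.10-style version would also be wrongly rejected. To express "at least the version Dependabot proposes" (the removed step text named 0.21.2), widen the exclusion in both values to `(?!0\\.(?:[0-9]|1[0-9]|20)\\.|0\\.21\\.[01](?![0-9]))`, which rejects every 0.x release before 0.21.2 and accepts 0.21.2 and all 1.x versions. The step names say "other than 0.21.1" while the pattern also excludes 0.21.0, so `for axios version above 0.21.1` would describe the check more accurately. The 4-dependabot-versions.yml hunk on this line is a rename only.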
@@ -69,6 +69,6 @@ In this course, you will: Get help: [Post in our discussion board](https://github.com/skills/.github/discussions) • [Review the GitHub status page](https://www.githubstatus.com/) -© 2023 GitHub • [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct/code_of_conduct.md) • [MIT License](https://gh.io/mit) +© 2024 GitHub • [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct/code_of_conduct.md) • [MIT License](https://gh.io/mit)