.github/PULL_REQUEST_TEMPLATE.md

@@ -18,15 +18,3 @@ Relates OR Closes #0000
   prioritize this request
 * Please do not leave "+1" comments, they generate extra noise for pull request
   followers and do not help prioritize the request
-
-## PCI review checklist
-
-<!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
-
-- [ ] I have documented a clear reason for, and description of, the change I am making.
-
-- [ ] If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
-
-- [ ] If applicable, I've documented the impact of any changes to security controls.
-
-  Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

.github/dependabot.yml

@@ -1,14 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
-# https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: "npm" # See documentation for possible values
     directory: "/" # Location of package manifests
-    open-pull-requests-limit: 0 # only require security updates and exclude version updates
     schedule:
-      interval: "weekly"
+      interval: "daily"
-    # For got, ignore all updates since it is now native ESM
-    # see https://github.com/hashicorp/vault-action/pull/457#issuecomment-1601445634
-    ignore:
-      - dependency-name: "got"

CHANGELOG.md

@@ -1,15 +1,3 @@
-## Unreleased
-
-## 3.4.0 (June 13, 2025)
-
-Bugs:
-
-* replace all dot chars during normalization (https://github.com/hashicorp/vault-action/pull/580)
-
-Improvements:
-
-* Prevent possible DoS via polynomial regex (https://github.com/hashicorp/vault-action/pull/583)
-
 ## 3.3.0 (March 3, 2025)
 
 Features:

CODEOWNERS

@@ -1 +0,0 @@
-* @hashicorp/vault-ecosystem

integrationTests/basic/integration.test.js

@@ -39,14 +39,6 @@ describe('integration', () => {
             body: `{"data":{"secret.foo":"SUPERSECRET"}}`
         });
 
-        await got(`${vaultUrl}/v1/secret/data/test-with-multi-dot-chars`, {
-            method: 'POST',
-            headers: {
-                'X-Vault-Token': vaultToken,
-            },
-            body: `{"data":{"secret.foo.bar":"SUPERSECRET"}}`
-        });
-
         await got(`${vaultUrl}/v1/secret/data/nested/test`, {
             method: 'POST',
             headers: {
@@ -301,16 +293,6 @@ describe('integration', () => {
         expect(core.exportVariable).toBeCalledWith('SECRET__FOO', 'SUPERSECRET');
     });
 
-    it('get secrets with multiple dot chars', async () => {
-        mockInput(`secret/data/test-with-multi-dot-chars * ;`);
-
-        await exportSecrets();
-
-        expect(core.exportVariable).toBeCalledTimes(1);
-
-        expect(core.exportVariable).toBeCalledWith('SECRET__FOO__BAR', 'SUPERSECRET');
-    });
-
     it('get wildcard secrets', async () => {
         mockInput(`secret/data/test * ;`);
 

package-lock.json

@@ -11,7 +11,7 @@
             "dependencies": {
                 "got": "^11.8.6",
                 "jsonata": "^2.0.3",
-                "jsrsasign": "^11.1.0"
+                "jsrsasign": "^11.0.0"
             },
             "devDependencies": {
                 "@actions/core": "^1.10.1",
@@ -3375,10 +3375,9 @@
             }
         },
         "node_modules/jsrsasign": {
-            "version": "11.1.0",
+            "version": "11.0.0",
-            "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.1.0.tgz",
+            "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.0.0.tgz",
-            "integrity": "sha512-Ov74K9GihaK9/9WncTe1mPmvrO7Py665TUfUKvraXBpu+xcTWitrtuOwcjf4KMU9maPaYn0OuaWy0HOzy/GBXg==",
+            "integrity": "sha512-BtRwVKS+5dsgPpAtzJcpo5OoWjSs1/zllSBG0+8o8/aV0Ki76m6iZwHnwnsqoTdhfFZDN1XIdcaZr5ZkP+H2gg==",
-            "license": "MIT",
             "funding": {
                 "url": "https://github.com/kjur/jsrsasign#donations"
             }
@@ -7226,9 +7225,9 @@
             "integrity": "sha512-vfavX4/G/yrYxE+UrmT/oUJ3ph7KqUrb0R7b0LVRcntQwxw+Z5kA1pNUIQzX5hF04Oe1eKxyoIPsmXtc2LgJTQ=="
         },
         "jsrsasign": {
-            "version": "11.1.0",
+            "version": "11.0.0",
-            "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.1.0.tgz",
+            "resolved": "https://registry.npmjs.org/jsrsasign/-/jsrsasign-11.0.0.tgz",
-            "integrity": "sha512-Ov74K9GihaK9/9WncTe1mPmvrO7Py665TUfUKvraXBpu+xcTWitrtuOwcjf4KMU9maPaYn0OuaWy0HOzy/GBXg=="
+            "integrity": "sha512-BtRwVKS+5dsgPpAtzJcpo5OoWjSs1/zllSBG0+8o8/aV0Ki76m6iZwHnwnsqoTdhfFZDN1XIdcaZr5ZkP+H2gg=="
         },
         "keyv": {
             "version": "4.3.2",

package.json

@@ -36,7 +36,7 @@
     "dependencies": {
         "got": "^11.8.6",
         "jsonata": "^2.0.3",
-        "jsrsasign": "^11.1.0"
+        "jsrsasign": "^11.0.0"
     },
     "peerDependencies": {
         "@actions/core": ">=1 <2"

src/secrets.js

@@ -153,7 +153,7 @@ const selectAndAppendResults = async (
   secretRequest,
   results
 ) => {
-  if (!selector.includes(".")) {
+  if (!selector.match(/.*[\.].*/)) {
     selector = '"' + selector + '"';
   }
   selector = "data." + selector;

src/utils.js

@@ -5,7 +5,7 @@
  */
 function normalizeOutputKey(dataKey, upperCase = false) {
   let outputKey = dataKey
-    .replaceAll(".", "__")
+    .replace(".", "__")
     .replace(new RegExp("-", "g"), "")
     .replace(/[^\p{L}\p{N}_-]/gu, "");
   if (upperCase) {