Skip to content
This repository was archived by the owner on Apr 14, 2026. It is now read-only.

chore(deps): update dependency @actions/core to v1.9.1 [security]#107

Merged
kodiakhq[bot] merged 2 commits into
mainfrom
renovate/npm-@actions/core-vulnerability
May 17, 2023
Merged

chore(deps): update dependency @actions/core to v1.9.1 [security]#107
kodiakhq[bot] merged 2 commits into
mainfrom
renovate/npm-@actions/core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Aug 18, 2022

Copy link
Copy Markdown
Contributor

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@actions/core 1.6.0 -> 1.9.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:


Release Notes

actions/toolkit

v1.9.1

  • Randomize delimiter when calling core.exportVariable

v1.9.0

  • Added toPosixPath, toWin32Path and toPlatformPath utilities #​1102

v1.8.2

  • Update to v2.0.1 of @actions/http-client #​1087

v1.8.1

  • Update to v2.0.0 of @actions/http-client

v1.8.0

v1.7.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
renovate Bot requested a review from a team as a code owner August 18, 2022 21:23
@ibmdotcom-bot

ibmdotcom-bot commented Aug 18, 2022

Copy link
Copy Markdown
Contributor

@renovate renovate Bot changed the title chore(deps): update dependency @actions/core to v1.9.1 [security] chore(deps): update dependency @actions/core to v1.9.1 [security] - autoclosed Dec 18, 2022
@renovate renovate Bot closed this Dec 18, 2022
@renovate
renovate Bot deleted the renovate/npm-@actions/core-vulnerability branch December 18, 2022 02:19
@renovate renovate Bot changed the title chore(deps): update dependency @actions/core to v1.9.1 [security] - autoclosed chore(deps): update dependency @actions/core to v1.9.1 [security] Dec 18, 2022
@renovate renovate Bot reopened this Dec 18, 2022
@renovate
renovate Bot restored the renovate/npm-@actions/core-vulnerability branch December 18, 2022 05:20
@renovate renovate Bot changed the title chore(deps): update dependency @actions/core to v1.9.1 [security] chore(deps): update dependency @actions/core to v1.9.1 [security] - autoclosed Feb 2, 2023
@renovate renovate Bot closed this Feb 2, 2023
@renovate
renovate Bot deleted the renovate/npm-@actions/core-vulnerability branch February 2, 2023 02:59
@renovate renovate Bot changed the title chore(deps): update dependency @actions/core to v1.9.1 [security] - autoclosed chore(deps): update dependency @actions/core to v1.9.1 [security] Feb 2, 2023
@renovate renovate Bot reopened this Feb 2, 2023
@renovate
renovate Bot restored the renovate/npm-@actions/core-vulnerability branch February 2, 2023 06:03
@stale

stale Bot commented May 16, 2023

Copy link
Copy Markdown

We've marked this issue as stale because there hasn't been any activity for 60 days. If there's no further activity on this issue in the next three days then we'll close it. You can keep the conversation going with just a short comment. Thanks for your contributions.

@stale stale Bot added the inactive label May 16, 2023
@jeffchew jeffchew added the Ready to merge Label for the pull requests that are ready to merge label May 17, 2023
@stale stale Bot removed the inactive label May 17, 2023
@renovate

renovate Bot commented May 17, 2023

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@kodiakhq
kodiakhq Bot merged commit 4c393ff into main May 17, 2023
@kodiakhq
kodiakhq Bot deleted the renovate/npm-@actions/core-vulnerability branch May 17, 2023 13:47
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

Ready to merge Label for the pull requests that are ready to merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants