fix(deps): update dependency @actions/core to v1.9.1 [security] #326
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.2.6
->1.9.1
GitHub Vulnerability Alerts
CVE-2022-35954
Impact
The
core.exportVariable
function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to theGITHUB_ENV
file may cause the path or other environment variables to be modified without the intention of the workflow or action author.Patches
Users should upgrade to
@actions/core v1.9.1
.Workarounds
If you are unable to upgrade the
@actions/core
package, you can modify your action to ensure that any user input does not contain the delimiter_GitHubActionsFileCommandDelimeter_
before callingcore.exportVariable
.References
More information about setting-an-environment-variable in workflows
If you have any questions or comments about this advisory:
actions/toolkit
Release Notes
actions/toolkit (@actions/core)
v1.9.1
core.exportVariable
v1.9.0
toPosixPath
,toWin32Path
andtoPlatformPath
utilities #1102v1.8.2
@actions/http-client
#1087v1.8.1
@actions/http-client
v1.8.0
markdownSummary
extension export in favor ofsummary
v1.7.0
markdownSummary
extensionv1.6.0
getIDToken
file
parameter toAnnotationProperties
v1.5.0
v1.4.0
getMultilineInput
functionv1.3.0
v1.2.7
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.