
Don't cache automatically in privileged workflows

Open caugner opened this issue 4 months ago • 16 comments

Description: In https://github.com/actions/setup-node/pull/1348, caching was enabled by default if the package.json includes the packageManager field.

This side-effect is dangerous in privileged workflows with access to secrets and credentials, because it makes them vulnerable to cache poisoning. Code injection in one privileged workflow can be exploited to steal higher-value secrets and credentials in another privileged workflow.

Action version: v5.0.0

Platform:

  • [x] Ubuntu
  • [ ] macOS
  • [ ] Windows

Runner type:

  • [x] Hosted
  • [ ] Self-hosted

Tools version: npm (but issue is not specific)

Repro steps:

  1. Create a repo with package.json incl. packageManager field.
  2. Create a pull_request_target workflow incl. actions/setup-node usage.

Expected behavior: Caching should not be enabled by default in privileged workflows.

Actual behavior: Caching is enabled by default.

caugner, Sep 05 '25 07:09
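The repro steps above, written out as a workflow file, with a hardened variant beside it. This is an added example, not code from the issue author or from the setup-node project. It assumes that setup-node v5 exposes a `package-manager-cache` input that switches the automatic caching off; the workflow name, job names and the `npm ci` step are constructed for illustration.

```yaml
# CONSTRUCTED EXAMPLE matching the repro steps: a repo whose package.json
# carries a packageManager field, and a workflow triggered by
# pull_request_target, which runs with the base repository's secrets.
name: privileged-ci
on:
  pull_request_target:

jobs:
  # Weak form: nothing opts out, so v5 enables dependency caching by default
  # (the behaviour reported in this issue) inside a job that holds secrets.
  weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v5
        with:
          node-version: 20
      - run: npm ci

  # Hardened form: opt out of the automatic cache explicitly so a poisoned
  # cache entry cannot be restored into a privileged job.
  # Assumption: setup-node v5 provides the `package-manager-cache` input.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v5
        with:
          node-version: 20
          package-manager-cache: false
      - run: npm ci
```

The opt-out belongs on every setup-node step in a workflow that runs with secrets or write permissions (pull_request_target is the case reported here); an explicit setting is preferable to relying on the default, since the default is what changed in v5.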