toolkit
fix: move `undici` to `devDependencies`.
fixes #1560
@takost and @pje,

This PR is to fix the issue where undici is getting bundled with @actions/http-client and @actions/core.

This adds a large amount of bloat on actions that bundle @actions/core.
+1
+1
Hi, what's the status of this PR?

This would fix a problem with the npm audit:

```
undici <=5.28.2
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
fix available via `npm audit fix`
node_modules/undici
1 low severity vulnerability
@actions/[email protected]
└─┬ @actions/[email protected]
  └── [email protected]
```
As I commented on the linked issue, I don't think it can be just moved to dev dependencies since it's being imported in several places.

In fact it should be a dependency in other places too, see https://github.com/actions/toolkit/pull/1685
@jozefizso,

As @jcesarmobile says, there is a dependency upon a small portion of undici. But that dependency brings in the entire thing.

I could close this since it will never land, but I am hoping someone on the GitHub team will fix the underlying issue.
Another issue is that all the packages are transpiled to commonjs, and the TypeScript source files are not included on npm. This makes it quite hard for bundlers like Parcel that support directly using TypeScript to tree-shake such huge dependencies, so everything is included unconditionally.
@actions should strongly consider publishing the ts files in npm.
Can we also bump the version of undici to the latest Security Release of ^5.28.4? I'm getting CodeQL security issues "Use of a broken or weak cryptographic algorithm".
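The thread turns on two questions a consumer of these packages would want to answer for themselves: does undici reach the bundle through production `dependencies` (as the audit tree above shows for `@actions/core` > `@actions/http-client` > undici), and does the resolved version fall inside the advisory's affected range (`<=5.28.2`, as quoted above)? The script below is an added example, not code from actions/toolkit or from any commenter. It walks a dependency tree shaped like `npm ls --json` output, where a `dev: true` flag on a node is assumed to mark a dependency reachable only through `devDependencies`; the sample tree and its version numbers are constructed for the demonstration.

```javascript
// Added example, not part of actions/toolkit. Reports every path to a target
// package, whether that path runs only through production dependencies (so a
// bundler such as ncc or Parcel will ship it), and whether the resolved version
// falls inside an advisory's affected range.

// Constructed sample tree modelled on `npm ls --json` output. The version
// numbers are illustrative placeholders, not the real published ones.
const SAMPLE_TREE = {
  name: "my-action",
  version: "1.0.0",
  dependencies: {
    "@actions/core": {
      version: "1.10.0",
      dependencies: {
        "@actions/http-client": {
          version: "2.2.0",
          dependencies: { undici: { version: "5.28.2" } },
        },
      },
    },
    // Dev-only tooling that also pulls in undici, but on a patched version.
    "some-test-tool": {
      version: "3.0.0",
      dev: true,
      dependencies: { undici: { version: "5.28.4", dev: true } },
    },
  },
};

// Parse "v1.2.3-beta+build" into [1, 2, 3]; prerelease/build metadata ignored.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`unparsable version: ${v}`);
  return parts;
}

// Numeric comparison of two x.y.z versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy every comparator in a range like "<=5.28.2" or
// ">=5.0.0 <=5.28.2"? Only the simple comparator syntax is supported here.
function satisfiesAffected(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    const op = m[1] || "=";
    const c = compareVersions(version, m[2]);
    switch (op) {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}

// Depth-first walk collecting every occurrence of `target`. A path is dev-only
// if any node along it carries `dev: true`.
function findPaths(tree, target, path = [], devSoFar = false, out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const dev = devSoFar || node.dev === true;
    const here = [...path, name];
    if (name === target) out.push({ path: here, version: node.version, devOnly: dev });
    findPaths(node, target, here, dev, out);
  }
  return out;
}

// One finding per path: the chain, the version, whether it ends up in the
// production bundle, and whether that version is inside the affected range.
function auditDependency(tree, target, affectedRange) {
  return findPaths(tree, target).map((f) => ({
    chain: f.path.join(" > "),
    version: f.version,
    bundled: !f.devOnly,
    vulnerable: satisfiesAffected(f.version, affectedRange),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  // Range taken from the npm audit output quoted in the thread.
  console.table(auditDependency(SAMPLE_TREE, "undici", "<=5.28.2"));
}
```

Run against the constructed tree it reports two chains: the one through `@actions/core` is both bundled and inside the affected range, while the one through the dev-only tool is neither. Replacing `SAMPLE_TREE` with the parsed output of `npm ls --all --json` in a real project gives the same report for that project's lockfile, which is the check worth running before deciding whether bumping undici or moving it out of `dependencies` actually removes the finding from the shipped bundle.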