newrelic-cli
newrelic-cli copied to clipboard

Published 20 hours ago •

Reame
Issues

chore(deps): Update dependency @actions/core to v1.9.1 [SECURITY]

Open renovate[bot] opened this issue 10 months ago • 1 comments

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@actions/core (source)	`1.2.6` -> `1.9.1`

GitHub Vulnerability Alerts

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:

Open an issue in actions/toolkit

Release Notes

actions/toolkit (@actions/core)

`v1.9.1`

Randomize delimiter when calling core.exportVariable

`v1.9.0`

Added toPosixPath, toWin32Path and toPlatformPath utilities #1102

`v1.8.2`

Update to v2.0.1 of @actions/http-client #1087

`v1.8.1`

Update to v2.0.0 of @actions/http-client

`v1.8.0`

Deprecate markdownSummary extension export in favor of summary
- https://github.com/actions/toolkit/pull/1072
- https://github.com/actions/toolkit/pull/1073

`v1.7.0`

Added markdownSummary extension

`v1.6.0`

`v1.5.0`

Added support for notice annotations and more annotation fields

`v1.4.0`

Added the getMultilineInput function

`v1.3.0`

`v1.2.7`

Prepend newline for set-output

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Mar 26 '24 21:03 renovate[bot]