Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(deps): update dependency @actions/core to v1.9.1 [security] (#107)
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@actions/core](https://togithub.com/actions/toolkit) | [`1.6.0` -> `1.9.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.6.0/1.9.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2022-35954](https://togithub.com/actions/toolkit/security/advisories/GHSA-7r3h-m5j6-3q42) ## Impact The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. ## Patches Users should upgrade to `@actions/core v1.9.1`. ## Workarounds If you are unable to upgrade the `@actions/core` package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`. ## References [More information about setting-an-environment-variable in workflows](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable) If you have any questions or comments about this advisory: * Open an issue in [`actions/toolkit`](https://togithub.com/actions/toolkit/issues) --- ### Release Notes <details> <summary>actions/toolkit</summary> ### [`v1.9.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​191) - Randomize delimiter when calling `core.exportVariable` ### [`v1.9.0`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​190) - Added `toPosixPath`, `toWin32Path` and `toPlatformPath` utilities [#​1102](https://togithub.com/actions/toolkit/pull/1102) ### [`v1.8.2`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​182) - Update to v2.0.1 of `@actions/http-client` [#​1087](https://togithub.com/actions/toolkit/pull/1087) ### [`v1.8.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​181) - Update to v2.0.0 of `@actions/http-client` ### [`v1.8.0`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​180) - Deprecate `markdownSummary` extension export in favor of `summary` - [actions/toolkit#1072 - [actions/toolkit#1073 ### [`v1.7.0`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​170) - [Added `markdownSummary` extension](https://togithub.com/actions/toolkit/pull/1014) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/carbon-design-system/carbon-for-ibm-dotcom-web-components-template). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzMi4xNjMuMCIsInVwZGF0ZWRJblZlciI6IjMyLjE2My4wIn0=-->
](https://renovatebot.com){kind=link}
- Loading branch information
1 parent
c91d442
commit 4c393ff