From 4c393ff9d141da6a804a3f4454287a5014516011 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 17 May 2023 13:47:20 +0000 Subject: [PATCH] chore(deps): update dependency @actions/core to v1.9.1 [security] (#107) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@actions/core](https://togithub.com/actions/toolkit) | [`1.6.0` -> `1.9.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.6.0/1.9.1) | [![age](https://badges.renovateapi.com/packages/npm/@actions%2fcore/1.9.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@actions%2fcore/1.9.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@actions%2fcore/1.9.1/compatibility-slim/1.6.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@actions%2fcore/1.9.1/confidence-slim/1.6.0)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2022-35954](https://togithub.com/actions/toolkit/security/advisories/GHSA-7r3h-m5j6-3q42) ## Impact The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. ## Patches Users should upgrade to `@actions/core v1.9.1`. ## Workarounds If you are unable to upgrade the `@actions/core` package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`. ## References [More information about setting-an-environment-variable in workflows](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable) If you have any questions or comments about this advisory: * Open an issue in [`actions/toolkit`](https://togithub.com/actions/toolkit/issues) --- ### Release Notes
actions/toolkit ### [`v1.9.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​191) - Randomize delimiter when calling `core.exportVariable` ### [`v1.9.0`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​190) - Added `toPosixPath`, `toWin32Path` and `toPlatformPath` utilities [#​1102](https://togithub.com/actions/toolkit/pull/1102) ### [`v1.8.2`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​182) - Update to v2.0.1 of `@actions/http-client` [#​1087](https://togithub.com/actions/toolkit/pull/1087) ### [`v1.8.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​181) - Update to v2.0.0 of `@actions/http-client` ### [`v1.8.0`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​180) - Deprecate `markdownSummary` extension export in favor of `summary` - [https://github.com/actions/toolkit/pull/1072](https://togithub.com/actions/toolkit/pull/1072) - [https://github.com/actions/toolkit/pull/1073](https://togithub.com/actions/toolkit/pull/1073) ### [`v1.7.0`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#​170) - [Added `markdownSummary` extension](https://togithub.com/actions/toolkit/pull/1014)
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/carbon-design-system/carbon-for-ibm-dotcom-web-components-template). --- yarn.lock | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/yarn.lock b/yarn.lock index 7bd41a3..9764748 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3,18 +3,19 @@ "@actions/core@^1.6.0": - version "1.6.0" - resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.6.0.tgz#0568e47039bfb6a9170393a73f3b7eb3b22462cb" - integrity sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw== + version "1.9.1" + resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.9.1.tgz#97c0201b1f9856df4f7c3a375cdcdb0c2a2f750b" + integrity sha512-5ad+U2YGrmmiw6du20AQW5XuWo7UKN2052FjSV7MX+Wfjf8sCqcsZe62NfgHys4QI4/Y+vQvLKYL8jWtA1ZBTA== dependencies: - "@actions/http-client" "^1.0.11" + "@actions/http-client" "^2.0.1" + uuid "^8.3.2" -"@actions/http-client@^1.0.11": - version "1.0.11" - resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-1.0.11.tgz#c58b12e9aa8b159ee39e7dd6cbd0e91d905633c0" - integrity sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg== +"@actions/http-client@^2.0.1": + version "2.0.1" + resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.0.1.tgz#873f4ca98fe32f6839462a6f046332677322f99c" + integrity sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw== dependencies: - tunnel "0.0.6" + tunnel "^0.0.6" "@ampproject/remapping@^2.0.0": version "2.0.4" @@ -9525,7 +9526,7 @@ tunnel-agent@^0.6.0: dependencies: safe-buffer "^5.0.1" -tunnel@0.0.6: +tunnel@^0.0.6: version "0.0.6" resolved "https://registry.yarnpkg.com/tunnel/-/tunnel-0.0.6.tgz#72f1314b34a5b192db012324df2cc587ca47f92c" integrity sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==