Update dependency @actions/core to v1.9.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@actions/core (source)	1.2.0 -> 1.9.1

GitHub Vulnerability Alerts

CVE-2020-15228

Impact

The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author.

Patches

The runner will release an update that disables the set-env and add-path workflow commands in the near future. For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.

Workarounds

None, it is strongly suggested that you upgrade as soon as possible.

For more information

If you have any questions or comments about this advisory:

• Open an issue in Actions Toolkit

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:

• Open an issue in actions/toolkit

---

Release Notes

actions/toolkit (@​actions/core)

v1.9.1

• Randomize delimiter when calling core.exportVariable

v1.9.0

• Added toPosixPath, toWin32Path and toPlatformPath utilities #​1102

v1.8.2

• Update to v2.0.1 of @actions/http-client #​1087

v1.8.1

• Update to v2.0.0 of @actions/http-client

v1.8.0

• Deprecate markdownSummary extension export in favor of summary
  • https://github.com/actions/toolkit/pull/1072
  • https://github.com/actions/toolkit/pull/1073

v1.7.0

• Added markdownSummary extension

v1.6.0

• Added OIDC Client function getIDToken
• Added file parameter to AnnotationProperties

v1.5.0

• Added support for notice annotations and more annotation fields

v1.4.0

• Added the getMultilineInput function

v1.3.0

• Added the trimWhitespace option to getInput
• Added the getBooleanInput function

v1.2.7

• Prepend newline for set-output

v1.2.6

• Update exportVariable and addPath to use environment files

v1.2.5

• Correctly bundle License File with package

v1.2.4

• Be more lenient in accepting non-string command inputs
• Add Echo commands

v1.2.3

• IsDebug logging

v1.2.2

• Fix escaping for runner commands

v1.2.1

• Remove trailing comma from commands
• Add "types" to package.json

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.