I'm not sure whether either of these are actually exploitable here, but since I'm updating the version number to 1.2 anyway for bot configuration I figured I might as well report & fix.
Audit result
$ npm audit
# npm audit report
@actions/core <=1.9.0
Severity: moderate
@actions/core has Delimiter Injection Vulnerability in exportVariable - https://github.com/advisories/GHSA-7r3h-m5j6-3q42
fix available via `npm audit fix`
node_modules/@actions/core
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/node-fetch
2 vulnerabilities (1 moderate, 1 high)
To address all issues, run:
npm audit fix
lengau added a commit to lengau/has-signed-canonical-cla that referenced this issue Jan 12, 2023
* Updates release version in package.json
* Fixes npm audit issues in package-lock and node_modules (canonical#29)
* Includes feature for configurable bots (see canonical#27)
* Updates release version in package.json
* Fixes npm audit issues in package-lock and node_modules (#29)
* Includes feature for configurable bots (see #27)