Welcome to Depfu 👋
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
🚨Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ @actions/core (1.2.4 → 1.10.1) ·Repo ·Changelog
Security Advisories 🚨
Impact
The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to theGITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.
Patches
Users should upgrade to@actions/core v1.9.1.
Workarounds
If you are unable to upgrade the@actions/core package, you can modify your action to ensure that any user input does not contain the delimiter_GitHubActionsFileCommandDelimeter_ before callingcore.exportVariable.
References
More information about setting-an-environment-variable in workflows
If you have any questions or comments about this advisory:
Impact
The@actions/core npm moduleaddPath andexportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author.
Patches
The runner will release an update that disables theset-env andadd-path workflow commands in the near future. For now, users should upgrade to@actions/core v1.2.6 or later, and replace any instance of theset-env oradd-path commands in their workflows with the newEnvironment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.
Workarounds
None, it is strongly suggested that you upgrade as soon as possible.
For more information
If you have any questions or comments about this advisory:
Release Notes
Too many releases to show here. View thefull release notes.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with@depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)
Welcome to Depfu 👋
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
🚨Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ @actions/core (1.2.4 → 1.10.1) ·Repo ·Changelog
Security Advisories 🚨
🚨 @actions/core has Delimiter Injection Vulnerability in exportVariable
🚨 Environment Variable Injection in GitHub Actions
Release Notes
Too many releases to show here. View thefull release notes.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands