⬆️ Updates @actions/core to v1.9.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@actions/core (source)	1.2.6 -> 1.9.1

GitHub Vulnerability Alerts

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:

• Open an issue in actions/toolkit

---

Release Notes

actions/toolkit (@​actions/core)

v1.9.1

• Randomize delimiter when calling core.exportVariable

v1.9.0

• Added toPosixPath, toWin32Path and toPlatformPath utilities #​1102

v1.8.2

• Update to v2.0.1 of @actions/http-client #​1087

v1.8.1

• Update to v2.0.0 of @actions/http-client

v1.8.0

• Deprecate markdownSummary extension export in favor of summary
  • https://github.com/actions/toolkit/pull/1072
  • https://github.com/actions/toolkit/pull/1073

v1.7.0

• Added markdownSummary extension

v1.6.0

• Added OIDC Client function getIDToken
• Added file parameter to AnnotationProperties

v1.5.0

• Added support for notice annotations and more annotation fields

v1.4.0

• Added the getMultilineInput function

v1.3.0

• Added the trimWhitespace option to getInput
• Added the getBooleanInput function

v1.2.7

• Prepend newline for set-output

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[github-actions]

Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.

[github-actions]

Hello from PR Helper

Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.

If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@actions/http-client@2.2.1	network	0	70.3 kB	thboop
npm/@fastify/busboy@2.1.1	None	0	80.2 kB	gurgunday
npm/tunnel@0.0.6	environment, network	0	64.9 kB	koichik
npm/undici@5.28.4	environment, network, unsafe	0	1.17 MB	matteo.collina

🚮 Removed packages: npm/whatwg-encoding@1.0.5, npm/whatwg-mimetype@2.3.0, npm/whatwg-url@8.4.0, npm/which@1.3.1

View full report↗︎