Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[deps]: Update @actions/artifact to v2.1.7 [SECURITY] #300

Merged
merged 1 commit into from
Sep 4, 2024
Merged

[deps]: Update @actions/artifact to v2.1.7 [SECURITY] #300

merged 1 commit into from
Sep 4, 2024
+633 −124

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 3, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@actions/artifact (source) 2.1.4 -> 2.1.7 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42471

Impact

Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted artifact that contains path traversal filenames.

Patches

Upgrade to version 2.1.7 or higher.

References

CVE

CVE-2024-42471

Credits

Justin Taft from Google

Release Notes

actions/toolkit (@​actions/artifact)

v2.1.7

  • Update unzip-stream dependency and reverted to using unzip.Extract()

v2.1.6

  • Will retry on invalid request responses.

v2.1.5

  • Bumped archiver dependency to 7.0.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner September 3, 2024 23:08
@renovate renovate bot added the security label Sep 3, 2024
@renovate renovate bot requested a review from a team September 3, 2024 23:08
@bitwarden-bot
Copy link

Logo
Checkmarx One – Scan Summary & Details3cd59904-8297-4f6f-a802-9b884a429318

New Issues

Severity Issue Source File / Package Checkmarx Insight
LOW Missing_CSP_Header /download-artifacts/node_modules/node-fetch/lib/index.es.js: 650 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM Path_Traversal /lint-workflow/lint.py: 394
MEDIUM Path_Traversal /lint-workflow/lint.py: 394
MEDIUM Path_Traversal /lint-workflow/lint.py: 394
LOW Missing_CSP_Header /download-artifacts/node_modules/@actions/github/node_modules/@octokit/request/dist-node/index.js: 75

@michalchecinski michalchecinski merged commit 156be63 into main Sep 4, 2024
5 checks passed
@michalchecinski michalchecinski deleted the renovate/npm-actions-artifact-vulnerability branch September 4, 2024 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michalchecinski michalchecinski michalchecinski approved these changes

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bitwarden-bot @michalchecinski