Update dependency @actions/core to v1.9.1 [SECURITY] #716

Open
renovate[bot] wants to merge 1 commit from renovate-npm-actions-core-vulnerability into master
renovate[bot] commented 2024-08-06 03:30:20 -04:00 (Migrated from github.com)

This PR contains the following updates:

| Package | Change |
|---|---|
| @actions/core (source) | 1.6.0 → 1.9.1 |

GitHub Vulnerability Alerts

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable)

If you have any questions or comments about this advisory:

  • Open an issue in actions/toolkit

Release Notes

actions/toolkit (@​actions/core)

v1.9.1

  • Randomize delimiter when calling core.exportVariable

v1.9.0

  • Added toPosixPath, toWin32Path and toPlatformPath utilities #​1102

v1.8.2

  • Update to v2.0.1 of @actions/http-client #​1087

v1.8.1

  • Update to v2.0.0 of @actions/http-client

v1.8.0

  • Deprecate markdownSummary extension export in favor of summary
  • #1072
  • #1073

v1.7.0

  • Added markdownSummary extension (#1014)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions[bot] commented 2024-08-06 03:30:45 -04:00 (Migrated from github.com)

depcheck Result

Lists libraries that are defined in dependencies and devDependencies in package.json but are not used in your code.

  • Unused dependencies

    • @actions/exec
  • Unused devdependencies

    • @types/jest
    • @vercel/ncc
    • eslint
    • eslint-config-airbnb
    • eslint-config-prettier
    • eslint-plugin-import
    • eslint-plugin-jsx-a11y
    • eslint-plugin-prettier
    • eslint-plugin-react
    • husky
    • jest
    • prettier
    • typescript
  • Missing

    • @typescript-eslint/eslint-plugin

      • /github/workspace/.eslintrc
    • @octokit/rest

      • /github/workspace/src/update-release.ts
github-actions[bot] commented 2024-12-08 17:45:45 -05:00 (Migrated from github.com)

depcheck Result

Lists libraries that are defined in dependencies and devDependencies in package.json but are not used in your code.

  • Unused dependencies

    • @actions/exec
  • Unused devdependencies

    • @types/jest
    • @vercel/ncc
    • eslint
    • eslint-config-airbnb
    • eslint-config-prettier
    • eslint-plugin-import
    • eslint-plugin-jsx-a11y
    • eslint-plugin-prettier
    • eslint-plugin-react
    • husky
    • jest
    • prettier
    • typescript
  • Missing

    • @typescript-eslint/eslint-plugin

      • /github/workspace/.eslintrc
    • @octokit/rest

      • /github/workspace/src/update-release.ts
github-actions[bot] commented 2025-08-13 19:40:07 -04:00 (Migrated from github.com)

depcheck Result

Lists libraries that are defined in dependencies and devDependencies in package.json but are not used in your code.

  • Unused dependencies

    • @actions/exec
  • Unused devdependencies

    • @types/jest
    • @vercel/ncc
    • eslint
    • eslint-config-airbnb
    • eslint-config-prettier
    • eslint-plugin-import
    • eslint-plugin-jsx-a11y
    • eslint-plugin-prettier
    • eslint-plugin-react
    • husky
    • jest
    • prettier
    • typescript
  • Missing

    • @typescript-eslint/eslint-plugin

      • /github/workspace/.eslintrc
    • @octokit/rest

      • /github/workspace/src/update-release.ts
github-actions[bot] commented 2025-12-31 07:46:26 -05:00 (Migrated from github.com)

depcheck Result

Lists libraries that are defined in dependencies and devDependencies in package.json but are not used in your code.

  • Unused dependencies

    • @actions/exec
  • Unused devdependencies

    • @types/jest
    • @vercel/ncc
    • eslint
    • eslint-config-airbnb
    • eslint-config-prettier
    • eslint-plugin-import
    • eslint-plugin-jsx-a11y
    • eslint-plugin-prettier
    • eslint-plugin-react
    • husky
    • jest
    • prettier
    • typescript
  • Missing

    • @typescript-eslint/eslint-plugin

      • /github/workspace/.eslintrc
    • @octokit/rest

      • /github/workspace/src/update-release.ts
github-actions[bot] commented 2025-12-31 15:08:25 -05:00 (Migrated from github.com)

depcheck Result

Lists libraries that are defined in dependencies and devDependencies in package.json but are not used in your code.

  • Unused dependencies

    • @actions/exec
  • Unused devdependencies

    • @types/jest
    • @vercel/ncc
    • eslint
    • eslint-config-airbnb
    • eslint-config-prettier
    • eslint-plugin-import
    • eslint-plugin-jsx-a11y
    • eslint-plugin-prettier
    • eslint-plugin-react
    • husky
    • jest
    • prettier
    • typescript
  • Missing

    • @typescript-eslint/eslint-plugin

      • /github/workspace/.eslintrc
    • @octokit/rest

      • /github/workspace/src/update-release.ts