[Snyk] Security upgrade @actions/core from 1.10.1 to 2.0.0 #83
revan-zhang wants to merge 2 commits into main from
Conversation
…ck to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-UNDICI-15518068
- https://snyk.io/vuln/SNYK-JS-UNDICI-15518070
- https://snyk.io/vuln/SNYK-JS-UNDICI-15518061
- https://snyk.io/vuln/SNYK-JS-UNDICI-15518072
| }, | ||
| "dependencies": { | ||
| "@actions/core": "^1.10.1", | ||
| "@actions/core": "^2.0.0", |
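Review bot: this hunk only widens the @actions/core range from ^1.10.1 to ^2.0.0, while the four advisories the PR cites (SNYK-JS-UNDICI-15518068/70/61/72) are in undici, a transitive dependency; the fix therefore depends entirely on the refreshed yarn.lock and on whatever artifact the action actually executes, neither of which is visible here. Because this is a major-version bump, please confirm that the code consuming @actions/core still works against v2, and that any committed build output is regenerated from the new lockfile before this is merged.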
🔴 dist/index.js not rebuilt after @actions/core major version bump — security fix has no effect
The package.json bumps @actions/core from ^1.10.1 to ^2.0.0 (intended as a vulnerability fix), but the bundled dist/index.js was not rebuilt. Since action.yml:30 specifies main: 'dist/index.js', GitHub Actions runs the bundled file, which still contains the old @actions/core v1.x code. The vulnerability fix therefore has no runtime effect — the action continues to use the old, vulnerable dependencies (undici@^5.25.4, @actions/http-client@^2.0.1). Additionally, slack-notify-webhook is not listed in the repo's build.sh, so automated builds won't pick it up either.
Prompt for agents
After updating the dependency in slack-notify-webhook/package.json, you need to rebuild the dist bundle so the fix actually takes effect at runtime. Run the following from the slack-notify-webhook directory:
yarn install
yarn build
This executes `ncc build src/index.js -m -o ./dist/` (as defined in package.json scripts) and produces an updated dist/index.js that bundles the new @actions/core v2 and its transitive dependencies.
Also consider adding slack-notify-webhook to the repo-level build.sh so future builds are automated. The build.sh at the repo root currently does not include slack-notify-webhook in its array of folders to build.
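A CI-style check for the failure mode this comment describes, written here as an added example (not code from the PR, the Bugbot comment, or the repository): it rebuilds the action bundle and fails if the committed dist/index.js changes, and it checks whether a folder is listed in a build.sh array. The default build command, the `folders=(...)` array format in build.sh, and the directory layout are assumptions.

```shell
#!/bin/sh
# check_dist_fresh DIR [BUILD_CMD]
#   DIR        action folder containing package.json and dist/index.js
#   BUILD_CMD  command that regenerates dist/ (default assumed from the
#              comment above: yarn install + yarn build, which runs ncc)
# Returns 0 if a rebuild leaves dist/index.js byte-identical, 1 if the
# bundle changed (stale, as in this PR), 2 if it is missing or the build fails.
check_dist_fresh() {
    dir=$1
    build_cmd=${2:-"yarn install --frozen-lockfile && yarn build"}
    bundle="$dir/dist/index.js"
    [ -f "$bundle" ] || { echo "missing $bundle" >&2; return 2; }
    # cksum is POSIX, so no git checkout or sha256sum is needed here
    before=$(cksum < "$bundle")
    ( cd "$dir" && sh -c "$build_cmd" ) || { echo "build failed in $dir" >&2; return 2; }
    after=$(cksum < "$bundle")
    if [ "$before" != "$after" ]; then
        echo "STALE: $bundle differs from a fresh build; commit the rebuilt bundle" >&2
        return 1
    fi
    echo "OK: $bundle matches a fresh build"
    return 0
}

# folder_in_build_sh BUILD_SH FOLDER
#   Returns 0 if FOLDER is listed in BUILD_SH, 1 otherwise. Assumes the
#   folders are kept in a shell array literal such as folders=(a b c);
#   the real build.sh layout is not shown in the PR, so adjust the pattern.
#   The bracket expressions stop "slack" from matching "slack-notify-webhook".
folder_in_build_sh() {
    grep -Eq "[[:space:](\"']$2[\"')[:space:]]" "$1"
}
```

Run `check_dist_fresh slack-notify-webhook` from the repo root in CI; a non-zero exit blocks a dependency bump whose bundle was never rebuilt.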
Snyk has created this PR to fix 4 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
slack-notify-webhook/package.json
slack-notify-webhook/yarn.lock
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the .yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-UNDICI-15518068
SNYK-JS-UNDICI-15518070
SNYK-JS-UNDICI-15518061
SNYK-JS-UNDICI-15518072
Note
Medium Risk
Medium risk because this is a major-version upgrade of @actions/core that changes transitive dependencies (@actions/http-client, undici) and could affect runtime behavior of the GitHub Action despite no code changes.
Overview
Upgrades the GitHub Action dependency @actions/core from ^1.10.1 to ^2.0.0. Refreshes yarn.lock accordingly, introducing new transitive packages (e.g., @actions/exec, @actions/io) and bumping @actions/http-client/undici to newer major versions to remediate security issues.
Written by Cursor Bugbot for commit f660233.