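--- a/pr-impact-analysis/dist/index.js
+++ b/pr-impact-analysis/dist/index.js
@@ -40701,15 +40701,21 @@ async function run() {
 throw new Error(`Worker error: ${data.error}`);
 }
 
-// 3. Set outputs
-core.setOutput('jira-issue-key', data.jiraIssueKey || '');
-core.setOutput('jira-issue-url', data.jiraIssueUrl || '');
+// 3. Validate and set outputs
+const skipped = data.skipped === true;
+core.setOutput('skipped', String(skipped));
 core.setOutput('analysis-summary', data.analysisSummary || '');
-core.setOutput('skipped', String(data.skipped));
 
-if (data.skipped) {
+if (skipped) {
+core.setOutput('jira-issue-key', '');
+core.setOutput('jira-issue-url', '');
 core.info(`Skipped (${data.skipReason}): ${data.analysisSummary}`);
 } else {
+if (!data.jiraIssueKey || !data.jiraIssueUrl) {
+throw new Error('Worker returned success but missing Jira issue key/url');
+}
+core.setOutput('jira-issue-key', data.jiraIssueKey);
+core.setOutput('jira-issue-url', data.jiraIssueUrl);
 core.info(`Done! Jira issue created: ${data.jiraIssueKey} — ${data.jiraIssueUrl}`);
 }
 } catch (error) {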
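Review bot: The new guard `if (!data.jiraIssueKey || !data.jiraIssueUrl)` checks presence only, so any truthy value in the worker response (a non-string, a string containing line breaks, a URL with an unexpected scheme) is still written to the `jira-issue-key` and `jira-issue-url` outputs and to the log. Workflow steps that consume those outputs would then have to treat them as untrusted. Consider checking shape as well, e.g. `if (typeof data.jiraIssueKey !== 'string' || new URL(data.jiraIssueUrl).protocol !== 'https:') throw new Error('Worker returned a malformed Jira issue key/url');`. This file appears to be a bundled build, so the change presumably belongs in the action's source with the bundle rebuilt; `run()` starts and ends outside the hunk.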
8 changes: 4 additions & 4 deletions s3-upload/index.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion slack-notify-webhook/package.json
Expand Up @@ -8,7 +8,7 @@
"test": "ncc run dist/index.js"
},
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/core": "^2.0.0",


🔴 dist/index.js not rebuilt after @actions/core major version bump — security fix has no effect

The package.json bumps @actions/core from ^1.10.1 to ^2.0.0 (intended as a vulnerability fix), but the bundled dist/index.js was not rebuilt. Since action.yml:30 specifies main: 'dist/index.js', GitHub Actions runs the bundled file, which still contains the old @actions/core v1.x code. The vulnerability fix therefore has no runtime effect — the action continues to use the old, vulnerable dependencies (undici@^5.25.4, @actions/http-client@^2.0.1). Additionally, slack-notify-webhook is not listed in the repo's build.sh, so automated builds won't pick it up either.

Prompt for agents
After updating the dependency in slack-notify-webhook/package.json, you need to rebuild the dist bundle so the fix actually takes effect at runtime. Run the following from the slack-notify-webhook directory:

yarn install
yarn build

This executes `ncc build src/index.js -m -o ./dist/` (as defined in package.json scripts) and produces an updated dist/index.js that bundles the new @actions/core v2 and its transitive dependencies.

Also consider adding slack-notify-webhook to the repo-level build.sh so future builds are automated. The build.sh at the repo root currently does not include slack-notify-webhook in its array of folders to build.

"axios": "^1.6.7",
"needle": "^2.8.0"
},
52 changes: 26 additions & 26 deletions slack-notify-webhook/yarn.lock
Expand Up @@ -2,26 +2,33 @@
# yarn lockfile v1


"@actions/core@^1.10.1":
version "1.10.1"
resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.10.1.tgz#61108e7ac40acae95ee36da074fa5850ca4ced8a"
integrity sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==
"@actions/core@^2.0.0":
version "2.0.3"
resolved "https://registry.yarnpkg.com/@actions/core/-/core-2.0.3.tgz#b05e8cf407ab393e5d10282357a74e1ee2315eee"
integrity sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==
dependencies:
"@actions/http-client" "^2.0.1"
uuid "^8.3.2"
"@actions/exec" "^2.0.0"
"@actions/http-client" "^3.0.2"

"@actions/http-client@^2.0.1":
version "2.2.1"
resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-2.2.1.tgz#ed3fe7a5a6d317ac1d39886b0bb999ded229bb38"
integrity sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==
"@actions/exec@^2.0.0":
version "2.0.0"
resolved "https://registry.yarnpkg.com/@actions/exec/-/exec-2.0.0.tgz#35e829723389f80e362ec2cc415697ec74362ad8"
integrity sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==
dependencies:
"@actions/io" "^2.0.0"

"@actions/http-client@^3.0.2":
version "3.0.2"
resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-3.0.2.tgz#3db9c83af9d29d51ac8c30b45bc17f7014beb1b2"
integrity sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==
dependencies:
tunnel "^0.0.6"
undici "^5.25.4"
undici "^6.23.0"

"@fastify/busboy@^2.0.0":
version "2.1.1"
resolved "https://registry.yarnpkg.com/@fastify/busboy/-/busboy-2.1.1.tgz#b9da6a878a371829a0502c9b6c1c143ef6663f4d"
integrity sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==
"@actions/io@^2.0.0":
version "2.0.0"
resolved "https://registry.yarnpkg.com/@actions/io/-/io-2.0.0.tgz#3ad1271ba3cd515324f2215e8d4c1c0c3864d65b"
integrity sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==

"@vercel/ncc@^0.34.0":
version "0.34.0"
Expand Down Expand Up @@ -128,14 +135,7 @@ tunnel@^0.0.6:
resolved "https://registry.yarnpkg.com/tunnel/-/tunnel-0.0.6.tgz#72f1314b34a5b192db012324df2cc587ca47f92c"
integrity sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==

undici@^5.25.4:
version "5.28.3"
resolved "https://registry.yarnpkg.com/undici/-/undici-5.28.3.tgz#a731e0eff2c3fcfd41c1169a869062be222d1e5b"
integrity sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==
dependencies:
"@fastify/busboy" "^2.0.0"

uuid@^8.3.2:
version "8.3.2"
resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2"
integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==
undici@^6.23.0:
version "6.24.1"
resolved "https://registry.yarnpkg.com/undici/-/undici-6.24.1.tgz#9df1425cede20b836d95634347946f79578b7e71"
integrity sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==