bump @actions/core from 1.10.1 to 3.0.0 in /snapshoty/run #522
dependabot[bot] wants to merge 3 commits into main from
Conversation
dc26cc3 to e19a3d7 (Compare)
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.1 to 3.0.0.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
e19a3d7 to 7820139 (Compare)
Dependency Update Analysis

Summary:

| Check | Result |
|---|---|
| Breaking changes | @actions/core 3.0.0 is ESM-only; CommonJS consumers must use dynamic import() |
| Testable in PR | snapshoty/run in this repo |
Changelog highlights (v1.10.1 → v3.0.0)
- Release notes state a breaking change in 3.0.0: ESM-only.
- Intermediate major updates include Node 24 alignment and dependency bumps (@actions/http-client, @actions/exec).
- No explicit CVE IDs / GHSA advisories are listed in release notes for this range.
- Transitive security-relevant surface changed (newer HTTP stack including undici), but that does not offset the immediate module-format break.
Usage in this repository
snapshoty/run/index.js uses CommonJS import and core APIs:
- snapshoty/run/index.js:1 → `const core = require('@actions/core');`
- snapshoty/run/index.js:7-12 → `core.getInput(...)`
- snapshoty/run/index.js:30 and :40 → `core.setSecret(...)`
- snapshoty/run/index.js:52 → `core.isDebug()`
- snapshoty/run/index.js:59 → `core.setFailed(...)`
The action is configured as a Node action (snapshoty/run/action.yml:23-24, using: 'node24', main: 'dist/index.js').
Compatibility assessment (CVE-focused)
- Verified incompatibility: local install/build for snapshoty/run fails after this bump during `ncc build` with: `Package path . is not exported from package ... node_modules/@actions/core`
- Root cause: repository code still uses CommonJS `require('@actions/core')`, while v3 is ESM-only.
- CVE-focused view:
  - No release-note CVE/GHSA entries were identified for this update.
  - Internal dependency shifts may preserve or slightly improve baseline HTTP security posture.
  - Practical risk here is a functional availability regression (action packaging/runtime break), not an exploitable-security reduction in this repo.
Risk conclusion: high.
Labels Applied
No labels applied. oblt-aw/ai/merge-ready criteria are not met (overall risk is high and breaking change affects current repository usage).
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
- pr: bump @actions/core from 1.10.1 to 3.0.0 in /snapshoty/run #522 (pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)

From workflow: Observability Agentic Workflow Entrypoint
@copilot review if the changes will be enough for the snapshoty/run action
…rebuild dist

Agent-Logs-Url: https://github.com/elastic/oblt-actions/sessions/48448714-318b-4c75-a42c-a2429334a937
Co-authored-by: v1v <2871786+v1v@users.noreply.github.com>
The original dependency bump (package.json + package-lock.json) wasn't enough —
Fixed in commit
Bumps @actions/core from 1.10.1 to 3.0.0.
Since @actions/core 3.0.0 is now a pure ESM package, the following additional changes were required to make the action fully functional:
- index.js from CommonJS (require) to ESM (import) syntax
- "type": "module" to package.json
- for...of loop
- dist/index.js using ncc in ESM mode