Please enable Dependabot on this project and fix the vulnerable dependencies used · Issue #184 · dorny/test-reporter · GitHub
Please enable Dependabot on this project and fix the vulnerable dependencies used #184

Open
rajbos opened this issue Aug 18, 2022 · 4 comments

Comments

@rajbos
rajbos commented Aug 18, 2022

We want to onboard this project and always run a security scan on the action. One of the steps is forking the action and enabling Dependabot to see what it finds.

In this case it found a lot of vulnerable dependencies 😢. Could you enable Dependabot and let it propose fixes for the vulnerable dependencies it found. It's free for public repos and will keep your dependencies up to date if you let it.

image

Happy to help if needed.

@dorny
Owner
dorny commented Aug 18, 2022

Hi @rajbos,
I'm going to update all dependencies manually and then I will enable dependabot together with auto-merge on a successful CI run. Currently, there are many outdated dependencies because I was not maintaining the project for more than a year. Just getting back to it...

Just be aware when you are using this, or any other action based on the typescript-action template, you are only running the dist/index.js file committed in the repo. I will update it always when releasing a new version (git tag). So even after the dependabot PR will be merged, the updated dependency won't be used until there's a new release.

Anyway, I would say the security vulnerabilities are not that critical when you are running the code in a sandbox environment and only against your own input.

If I run into some issues with updates, help will be appreciated :)
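A configuration matching what is described above, added here as an example and not a file from the dorny/test-reporter repository: a Dependabot config covering both the npm dependencies and the actions referenced in workflows, plus a CI job that fails when the committed dist/index.js no longer matches a fresh build, so a merged dependency update cannot silently ship behind a stale bundle. The `npm run build` script name and the `dist/` path are assumptions based on the typescript-action template.

```yaml
# .github/dependabot.yml  (added example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
  - package-ecosystem: "github-actions"   # also keep the workflow's own actions current
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/check-dist.yml  (added example; script name is assumed)
name: check-dist
on:
  pull_request:
  push:
    branches: [main]
jobs:
  check-dist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - run: npm ci
      # Assumed script: compiles the TypeScript and bundles it with ncc into dist/
      - run: npm run build
      - name: Fail if committed dist/ differs from a fresh build
        run: |
          if ! git diff --quiet -- dist/; then
            echo "dist/ is out of date: rebuild it and commit the result"
            git diff --stat -- dist/
            exit 1
          fi
```

With this in place a Dependabot pull request that bumps package.json alone fails CI until dist/index.js is rebuilt, which makes the gap between "dependency updated" and "fix actually shipped" visible rather than implicit.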

@rajbos
Author
rajbos commented Aug 22, 2022

Thanks, will wait for those fixes.

Do note: while only the dist/index.js is being executed, the whole repository is downloaded to the runner and then executed. That action code is still on disk for the entire duration of the job, so it can potentially be misused by triggering it from that end. Lots of opportunity for entry points, although a lot of them will probably be convoluted 😏.

That's why we check all of this before on-boarding the action into our setup 🔬 .

@dorny
Owner
dorny commented Aug 23, 2022

I've managed to update almost all dependencies to the latest version. Security vulnerabilities should be fixed now. Dependabot and a new release will be next.

@rajbos I've run into a strange issue, that cost me some time. Maybe you can help me understand it?

got@v12.x has a dependency on @sindresorhus/is@v5.x and it uses the optional chaining operator `?.`.
Probably due to the issue vercel/ncc#873 this syntax got into our dist/index.js.
The part I don't understand is - why the heck it caused an error on GitHub runner with node version 16.17?
Optional chaining operators are supported for some time. I had to downgrade got back to v11.x to move forward. Luckily that version has no known vulnerabilities.

@rajbos
Author
rajbos commented Aug 24, 2022

Hmm, I'm not too much into how that works.

Have you checked if downgrading the node version on the runners with the actions/setup-node action helps?
If it works on your dev-env, are you on the same node version?
