
Upgrade GitHub Actions packages #6

Merged
jozefizso merged 2 commits into main from modules
Mar 23, 2026

Conversation

@jozefizso
Member

Upgrade the @actions/core and @actions/http-client packages to fix security vulnerabilities.

Fixes the npm audit report:

undici  <=6.23.0
Severity: high
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
fix available via `npm audit fix --force`
Will install @actions/http-client@4.0.0, which is a breaking change
node_modules/undici
  @actions/http-client  2.2.0 - 3.0.1
  Depends on vulnerable versions of undici
  node_modules/@actions/http-client

2 vulnerabilities (1 moderate, 1 high)

@jozefizso jozefizso self-assigned this Mar 23, 2026
@jozefizso jozefizso added the enhancement New feature or request label Mar 23, 2026
@jozefizso jozefizso merged commit b50c943 into main Mar 23, 2026
1 check passed