action-allowlist-review: bump browser-actions/setup-firefox from 1.7.1 to 1.7.2 in /.github/actions/for-dependabot-triggered-reviews#813
Comparing the old and new versions, the index.js for the new version is dramatically larger (8K lines to 35K lines) without an obvious commit. Without digging too deeply, it seems like updating dev dependencies may have inlined a lot of new code. Looking at GitHub metrics, this action seems fairly obscure (stars, forks, etc.), though the commits that have been applied since 1.7.1 look sensible. It's only the surprise leap in the built index.js that raises the eyebrow.
potiuk left a comment
Marking it as suspicious.
I do not like this action:
- Huge changes in a single commit (40K changes)
- Single-person shop releasing those browser actions
I am running the analyze skill on it.
I ran verify-action-build against this dependabot bump and the only failure is the fix in flight at #816 — once that merges, re-trigger CI here and
The check already skips bare-config pyproject.toml and require-less
go.mod. Mirror that for package.json with no dependencies — the case
that release-please-style bundled action tags ship (a self-contained
index.js next to a minimal {"type": "module"}). browser-actions/
setup-firefox v1.7.2 (PR #813) hits this; v1.7.0 / v1.7.1 were
approved before the lock-file check landed.
@dependabot rebase
Bumps [browser-actions/setup-firefox](https://github.com/browser-actions/setup-firefox) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/browser-actions/setup-firefox/releases)
- [Changelog](https://github.com/browser-actions/setup-firefox/blob/master/CHANGELOG.md)
- [Commits](browser-actions/setup-firefox@fcf821c...0bc507d)

---
updated-dependencies:
- dependency-name: browser-actions/setup-firefox
  dependency-version: 1.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
force-pushed from 8c73bdf to 6b0f5d6
potiuk left a comment
Ok. The "verify" passes now - it correctly detects that the .js in the action is not compiled but comes from the commit. And being an orphan branch stripped of everything else - we definitely need to take a closer look and possibly run a deeper inspection with an agent... tomorrow.
Bumps browser-actions/setup-firefox from 1.7.1 to 1.7.2.
Release notes
Sourced from browser-actions/setup-firefox's releases.
Changelog
Sourced from browser-actions/setup-firefox's changelog.
... (truncated)
Commits
0bc507d Release v1.7.2 at b2420b5fc5c9410c3bb4558ea29f202e52b4f41e