Bump @actions/core from 1.11.1 to 2.0.3 #104

Merged: mcdonnnj merged 1 commit into develop from dependencies/npm/actions/core-2.0.3 on Mar 3, 2026

mcdonnnj (Member) commented Mar 3, 2026

🗣 Description

This pull request bumps the @actions/core dependency to a newer version while staying behind v3 as in #101.

💭 Motivation and context

It's good to update dependencies, but 3.0.0 of this package is ESM-only. This would require multiple changes to this action to support that change, possibly even converting this action into an ECMAScript module itself. I would rather punt on that for now but still update to a more recent version.

🧪 Testing

Automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

mcdonnnj self-assigned this Mar 3, 2026
mcdonnnj requested review from dav3r, felddy and jsf9k as code owners March 3, 2026 20:35
mcdonnnj requested a review from Copilot March 3, 2026 20:35
github-actions bot added the labels "version bump" (This issue or pull request increments the version number) and "dependencies" (Pull requests that update a dependency file) Mar 3, 2026

Copilot AI left a comment

Pull request overview

This PR updates the GitHub Action’s @actions/core dependency to the latest 2.x release to get a newer toolkit version while avoiding the ESM-only breaking change in v3.

Changes:

  • Bump @actions/core from ^1.11.1 to ^2.0.3 in package.json.
  • Update package-lock.json to reflect the new dependency graph (including hoisting/removal of now-unneeded nested copies).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Updates the direct dependency on @actions/core to ^2.0.3. |
| package-lock.json | Regenerates the lockfile to match the new @actions/core version and its transitive dependencies. |

Comments suppressed due to low confidence (1)

package.json:8

  • This repo runs the Action from the committed dist/index.js (see action.yml), but this PR only updates package.json/package-lock.json. After bumping @actions/core, the dist/ bundle should be regenerated (e.g., via the existing npm run package) and the updated dist/index.js, sourcemap, and licenses.txt committed; otherwise the published Action will still execute the old bundled dependency versions.
  "dependencies": {
    "@actions/core": "^2.0.3"
  },

mcdonnnj enabled auto-merge March 3, 2026 20:38
mcdonnnj merged commit 07e00b3 into develop Mar 3, 2026
17 checks passed
mcdonnnj deleted the dependencies/npm/actions/core-2.0.3 branch March 3, 2026 21:01