fix: Resolve CVE-2025-25288 by migrating to ESM and upgrading depende… #104
Conversation
…ncies - Upgrade @actions/github to 6.0.1 and @octokit/rest to 22.0.1 to fix ReDoS vulnerability - Migrate source code to ESM (import/export syntax) - Replace Jest with Vitest and ncc with esbuild - Change bundle output to .cjs extension for proper CommonJS handling - All tests passing, no breaking changes to action interface
CodeQL Flags:This is a false positive.The SHA1 usage on line 16377 is in the bundled undici library's WebSocket implementation and is required by RFC 6455 (WebSocket Protocol Standard) for the handshake process. Context: This is protocol compliance, not cryptographic security |
sonamtenzin2
left a comment
sonamtenzin2
left a comment
There was a problem hiding this comment.
Were the files under dist created with build command ?
|
Yes, the files under dist. were created with the build command. |
2 participants
Summary
Resolves CVE-2025-25288 (ReDoS vulnerability in
@octokit/plugin-paginate-rest) by upgrading dependencies and migrating to ESM architecture.Security Fix
@actions/githubto 6.0.1 and@octokit/restto 22.0.1npm audit- vulnerability resolvedKey Changes
Dependencies:
@actions/github: 5.x → 6.0.1@octokit/rest: 19.x → 22.0.1@octokit/plugin-throttling: 4.x → 5.2.3@octokit/plugin-retry: 3.x → 4.1.6Code Modernization:
import/exportsyntax)Testing
Breaking Changes
None - Fully backward compatible:
Verification
Users can continue using the action without any changes to their workflows.
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.