Action needs to be updated to deal with CVE vulnerabilities
Closed this issue · 16 comments
@N-Usha or anyone from the team have any update on this? The deadline is now November 16th and this would break our workflows entirely
Thanks for approving @romil07, please could you also merge this and create a new release so that we can use it.
@romil07 @kf6kjg After looking into this, it seems this library is also using an old version of `azure-actions-webclient`. If that doesn't work, that library itself still has `@actions/core` as version `^1.1.3` in its own package.json, so I think to fully mitigate this the `azure-actions-webclient` package will need to be upgraded and released, then this library will have to consume that new change.
I was able to get this fixed in our fork. [EDIT: and it only needed the patch in #13 to do it, along with the following release strategy.] The release processes here are a little strange: the release branches, where the tag is placed, have to have the fully updated node_modules folder committed.
To build I did this:
- Create a new `releases/v*` branch or move the existing one. I did the latter.
- Execute the following:
  ```
  npm ci
  npm run build
  git add -f node_modules AND_EVERYTHING_ELSE_THATS_UPDATED
  ```
  Note that the above is from memory so YMMV: my bash history didn't store my actions for some reason and I didn't write them down.
- Commit the added changes and push the branch.
- Tag the branch with the relevant version tags. Note that if you are creating `v1.2.3` you'll need to make sure that the commit has both the `v1` and `v1.2` tags - even if you have to move the tags from their previous location. This is due to how GH Actions references versions: it only looks for the exact tag if that tag exists.
There are probably better strategies, but I was working off of reverse engineering the first release, not making it better.
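The tagging strategy in the comment above, reproduced as an added POSIX shell example that is not code from this thread or from the action's own repository. It builds a throwaway git repository, commits a stand-in for the built tree (forcing the ignored node_modules directory in with `git add -f`), cuts two releases, and checks that the floating `v1` and `v1.x` tags were moved onto the newest release commit, which is what lets a workflow's `uses: ...@v1` reference pick the fix up without being edited. The repository path, version numbers and the placeholder file under node_modules are all constructed for the demo.

```shell
#!/bin/sh
# Added example (constructed sandbox); nothing here is pushed anywhere.

# git with a fixed identity so the demo also works on a machine with no user config.
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# tag_release REPO VERSION
# Put the exact tag (e.g. v1.2.3) on HEAD of REPO and force-move the major (v1)
# and minor (v1.2) tags onto the same commit. GitHub Actions resolves a
# `uses: owner/action@v1` reference to the tag literally named v1, so the
# floating tags have to be moved on every release or consumers keep the old code.
tag_release() {
  repo=$1; version=$2
  major=${version%%.*}   # v1.2.3 -> v1
  minor=${version%.*}    # v1.2.3 -> v1.2
  for t in "$version" "$major" "$minor"; do
    g -C "$repo" tag -f "$t" >/dev/null
  done
}

# tags_agree REPO VERSION: succeed only if the exact, minor and major tags all
# resolve to one commit. Run this before pushing tags.
tags_agree() {
  repo=$1; version=$2
  exact=$(g -C "$repo" rev-list -n 1 "$version")
  [ "$(g -C "$repo" rev-list -n 1 "${version%%.*}")" = "$exact" ] &&
  [ "$(g -C "$repo" rev-list -n 1 "${version%.*}")" = "$exact" ]
}

# commit_release_tree REPO LABEL
# Stand-in for "npm ci && npm run build" followed by committing the built tree:
# a constructed VERSION file plays the role of the installed @actions/core, and
# `git add -f` is what forces the .gitignore'd node_modules into the commit.
commit_release_tree() {
  repo=$1; label=$2
  mkdir -p "$repo/node_modules/@actions/core"
  printf '%s\n' "$label" > "$repo/node_modules/@actions/core/VERSION"
  g -C "$repo" add -f node_modules
  g -C "$repo" commit -q -m "release $label"
}

# build_demo_repo: create a sandbox repo with an old v1.0.0 release and a new
# v1.1.0 release, moving v1 forward. Prints the repository path.
build_demo_repo() {
  repo=$(mktemp -d)
  g -C "$repo" init -q
  printf 'node_modules/\n' > "$repo/.gitignore"
  g -C "$repo" add .gitignore
  g -C "$repo" commit -q -m "initial"
  commit_release_tree "$repo" 1.0.0
  tag_release "$repo" v1.0.0
  commit_release_tree "$repo" 1.1.0
  tag_release "$repo" v1.1.0
  printf '%s\n' "$repo"
}

# demo: show what each tag resolves to after the second release and verify the
# layout, then clean up.
demo() {
  repo=$(build_demo_repo)
  for t in v1 v1.1 v1.1.0 v1.0 v1.0.0; do
    printf '%-7s -> %s\n' "$t" "$(g -C "$repo" rev-list -n 1 "$t")"
  done
  if tags_agree "$repo" v1.1.0; then
    echo "v1 follows the latest release"
  else
    echo "tag layout is wrong: v1 does not point at v1.1.0" >&2
  fi
  rm -rf "$repo"
}

demo
```

In the output, `v1`, `v1.1` and `v1.1.0` share one commit hash while `v1.0` and `v1.0.0` keep the older one; that is the layout a consumer pinned to `@v1` needs, and a consumer pinned to `@v1.0` stays on the old commit until its workflow is edited.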
I see that you've got the tags and branch in place. However I also see that you've not yet committed the updated node_modules folder to the release branch. Until that happens it'll continue to use the old version of `@actions/core` and show the error.
@romil07 Any updates on when the new release is going to be pushed? This is breaking all my pipelines now.
@brianleppez I am working on this. Will do it today.
@brianleppez @kf6kjg @dakota-maker-by @surfraz @N-Usha @gabriel-kohen-by
I have made the required changes. Can you please test again and let us know if any issues?
@romil07 working now, thanks
We're facing the same error, do you know if we need to explicitly update the Action to use v1.1, or will it pick it up automatically?
@anpaz As long as your `uses` line ends with `@v1` it should pick it up automatically. If you specified `@v1.0` you'll have to change it explicitly.
Thanks @romil07. Works like a charm
thanks @romil07. It worked.
Closing as this is fixed.