[Security] Workflow release.yml is using vulnerable action metcalfc/changelog-generator
akulpillai opened this issue · 1 comments
akulpillai commented
The workflow release.yml is referencing action metcalfc/changelog-generator using references v1.0.0. However this reference is missing the commit 14b159ac83976a0eb274f0a9a6c278c3f1b08e87 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.
github-actions commented
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.