Skip to content

fix: upgrade actions deps to clear undici vulnerabilities#137

Merged
anurag-stepsecurity merged 2 commits into
mainfrom
fix/ignore-undici-vulns
Jul 10, 2026
Merged

fix: upgrade actions deps to clear undici vulnerabilities#137
anurag-stepsecurity merged 2 commits into
mainfrom
fix/ignore-undici-vulns

Conversation

@anurag-stepsecurity

@anurag-stepsecurity anurag-stepsecurity commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumped @actions/core^2.0.3, @actions/github^8.0.1, @actions/http-client^3.0.2 so the lockfile resolves undici@6.27.0 (fixes all reported undici advisories).
  • Removed the unused @octokit/core override and cleared osv-scanner.toml ignores (no longer needed).
  • Stayed on CommonJS (require + ncc CJS build); did not use npm overrides/resolutions. Rebuilt dist/.

Test plan

  • npm install → 0 vulnerabilities
  • osv-scanner -L package-lock.json → No issues found
  • require('@actions/github'|'@actions/core') smoke test OK
  • npm run build succeeds
  • Public APIs used by the action (getInput/setOutput/getOctokit/request) still present

@anurag-stepsecurity anurag-stepsecurity changed the title fix: ignore non-applicable undici vulnerabilities fix: upgrade actions deps to clear undici vulnerabilities Jul 10, 2026
@anurag-stepsecurity anurag-stepsecurity merged commit 933c532 into main Jul 10, 2026
7 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the fix/ignore-undici-vulns branch July 10, 2026 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants