⬆️ Updates @actions/core to v1.9.1 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@actions/core (source)	1.2.6 -> 1.9.1

GitHub Vulnerability Alerts

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:

• Open an issue in actions/toolkit

---

Release Notes

actions/toolkit (@​actions/core)

v1.9.1

• Randomize delimiter when calling core.exportVariable

v1.9.0

• Added toPosixPath, toWin32Path and toPlatformPath utilities #​1102

v1.8.2

• Update to v2.0.1 of @actions/http-client #​1087

v1.8.1

• Update to v2.0.0 of @actions/http-client

v1.8.0

• Deprecate markdownSummary extension export in favor of summary
  • https://github.com/actions/toolkit/pull/1072
  • https://github.com/actions/toolkit/pull/1073

v1.7.0

• Added markdownSummary extension

v1.6.0

• Added OIDC Client function getIDToken
• Added file parameter to AnnotationProperties

v1.5.0

• Added support for notice annotations and more annotation fields

v1.4.0

• Added the getMultilineInput function

v1.3.0

• Added the trimWhitespace option to getInput
• Added the getBooleanInput function

v1.2.7

• Prepend newline for set-output

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[changelogg]

Hey! Changelogs info seems to be missing or might be in incorrect format.
Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
- tag: changelog_text
OR
You can add tag in PR header or while doing a commit too
(tag) PR header
or
tag: PR header
Valid tags: added / feat, changed, deprecated, fixed / fix, removed, security, build, ci, chore, docs, perf, refactor, revert, style, test
Thanks!
For more info, check out changelogg docs

[viezly]

Pull request by bot. No need to analyze

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[github-actions]

🏷️ [bumpr] Next version:v2.0.2 Changes:v2.0.1...AlexRogalskiy:renovate/npm-@actions/core-vulnerability

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@actions/core	1.2.6...1.9.1	network, filesystem, environment	+4/-0	1.46 MB	thboop