Description:
Hi. We have a vulnerability report on @actions/glob about ReDoS in this repo, because the package is used in this repo and in @actions/cache. I have a PR here to address this issue (originated from actions/toolkit#2057).
- The PR stated above addresses the issue.
- Once the PR is merged, @actions/glob needs to release a new version.
- Update @actions/cache to use the version with this fix (dependabot will be able to create this, or I can help to create a PR).
- Update @actions/setup-node to bump @actions/glob and @actions/cache with the ReDoS vulnerability fix (dependabot will be able to create this, or I can help to create a PR).
The tricky part is that the latest @actions/cache version is ESM-only. This will require a patch on 5.x so that @actions/setup-node can bump the version with minimal changes.
Justification:
Are you willing to submit a PR?
Yes.