chore: migrate to PNPM #1793
chore: migrate to PNPM #1793
Conversation
chris-olszewski
force-pushed
the
olszewski/pnpm
branch
5 times, most recently
from
cd61082 to
d5cd111
Compare
chris-olszewski
force-pushed
the
olszewski/pnpm
branch
from
d5cd111 to
f4b7186
Compare
![semgrep-managed-scans[bot]](https://avatars.githubusercontent.com/u/56493103?s=60&v=4){kind=small}
| run: | | ||
| npx vercel deploy packages/docs/build \ | ||
| pnpm dlx vercel deploy packages/docs/build \ | ||
| -t '${{ secrets.VERCEL_TOKEN }}' \ | ||
| --yes \ | ||
| ${{ inputs.publish_target == 'prod' && '--prod' || '' }} |
There was a problem hiding this comment.
Semgrep identified a blocking 🔴 issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
What was changed
Why?
Checklist
Closes
How was this tested: