
fix: security vulnerability #277


Open
wants to merge 1 commit into base: main

Conversation

manisha1997
Contributor

Fixes

undici 5.25.4 has a vulnerability: https://security.snyk.io/package/npm/undici/5.28.4
This will force an upgrade to version 5.28.5.

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket, or create a GitHub Issue in this repository.

"overrides": {
"@actions/core": {
"@actions/http-client": {
"undici": "5.25.5"
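Review bot: the override pins `"undici": "5.25.5"`, but the PR description says the change forces an upgrade to 5.28.5 and the linked advisory page is for undici 5.28.4, so as written the override would install a version below the one the description names as the fix. Set the value to "5.28.5" (or a later release the project accepts) so it matches the description, then regenerate package-lock.json and run `npm ls undici` to confirm the overridden version is what actually resolves, including any copy nested under @actions/http-client.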
Contributor

Do we need to put 5.28.5 over here?

Contributor Author
manisha1997 Jun 4, 2025

Yes.
This forces npm install to install version 5.25.5 for the undici dependency of http-client of actions/core.

Contributor

Also, can we instead use version 5.29.0 which has no direct vulnerabilities?

Contributor

> Yes. This forces npm install to install version 5.25.5 for the undici dependency of http-client of actions/core.

Should it be 5.25.5 or 5.28.5? Because I can see that this vulnerability exists for versions < 5.28.5.
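The check behind the question above, as an added example that is not part of this PR or the project's own code: a Node script that reads the `packages` map of a lockfile v2/v3 package-lock.json and reports every installed copy of undici, including copies nested under another dependency's node_modules, that is below the 5.28.5 fix version named in the thread. The lock-file contents, the root package name and the sample @actions/core and @actions/http-client versions are constructed for the example; the function names are my own.

```javascript
// Added example (not code from this PR or the project): after adding an
// npm "overrides" entry, confirm from package-lock.json that every installed
// copy of a package, nested copies included, is at or above the fixed version.
// The lock-file objects below are constructed inline; in practice read
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).

// Parse "5.28.5" (or "v5.28.5") into [5, 28, 5]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the lockfile v2/v3 "packages" map and collect every installed copy of
// `name` with its install path. Matching on the path suffix catches copies
// nested under another dependency's node_modules, which "npm ls" would show
// but a glance at the top-level node_modules directory would miss.
function findInstalledCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Every copy below `minFixed`; an empty result means the override took effect everywhere.
function findVulnerableCopies(lock, name, minFixed) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, minFixed) < 0,
  );
}

// Build a constructed lock-file excerpt for the dependency chain in the PR:
// the action -> @actions/core -> @actions/http-client -> undici. A second,
// nested copy of undici is added when `nestedUndici` is given.
function makeLock(undiciVersion, nestedUndici) {
  const packages = {
    '': { name: 'example-action', version: '1.0.0' }, // constructed root package
    'node_modules/@actions/core': { version: '1.10.0' }, // constructed sample versions
    'node_modules/@actions/http-client': { version: '2.2.0' },
    'node_modules/undici': { version: undiciVersion },
  };
  if (nestedUndici) {
    packages['node_modules/@actions/http-client/node_modules/undici'] = { version: nestedUndici };
  }
  return { lockfileVersion: 3, packages };
}

const MIN_FIXED = '5.28.5'; // fixed version named in the thread

// Walk through the cases from the thread: the original version, the value
// written into the override, the intended version, and a hoisted fix that
// still leaves a stale nested copy behind.
for (const [label, lock] of [
  ['original 5.25.4', makeLock('5.25.4')],
  ['override as written, 5.25.5', makeLock('5.25.5')],
  ['override at 5.28.5', makeLock('5.28.5')],
  ['5.28.5 hoisted, stale nested copy', makeLock('5.28.5', '5.25.4')],
]) {
  const bad = findVulnerableCopies(lock, 'undici', MIN_FIXED);
  console.log(`${label}: ${bad.length === 0 ? 'ok' : JSON.stringify(bad)}`);
}
```

Run it with `node check-undici.js` (any file name) after `npm install` has regenerated the lockfile; the last case shows why the walk looks at every path rather than only `node_modules/undici`: npm can hoist the overridden version while an older copy survives under a transitive dependency, and only a lockfile-wide scan catches that.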

sonarqubecloud bot commented Jun 4, 2025
