mirror of
https://github.com/actions/setup-go.git
synced 2025-12-16 04:32:35 +00:00
1 commit
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
e75c3e80bc
|
Bump form-data to bring in fix for critical vulnerability (#618)
The vulnerability:
$ npm audit --audit-level=high
# npm audit report
form-data >=4.0.0 <4.0.4 || <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/@azure/core-http/node_modules/form-data
node_modules/@types/node-fetch/node_modules/form-data
node_modules/form-data
1 critical severity vulnerability
To address all issues, run:
npm audit fix
This change is the result of running `npm audit fix` and then
using [1] to update licenses via `licensed cache`.
It doesn't look like `dependabot` previously raised any PRs for this
dependency, so this bumps it from `4.0.0` to `4.0.4`, see the
changelog[2] for details.
Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]
|
Renamed from .licenses/npm/form-data-2.5.1.dep.yml (Browse further)
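
To confirm that a bump like this one cleared every nested copy, the lockfile can be checked against the range printed in the audit output above (`>=4.0.0 <4.0.4 || <2.5.4`). This is an added example, not code from the setup-go repository; the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag form-data copies in a package-lock.json that fall in
// the range npm audit reported on this page: ">=4.0.0 <4.0.4 || <2.5.4".

// Parse "x.y.z" into numbers; a pre-release/build suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  const lt = (s) => cmp(v, parseVersion(s)) < 0;
  return lt('2.5.4') || (!lt('4.0.0') && lt('4.0.4'));
}

// lockfileVersion 2/3 lists every installed copy, nested ones included,
// under "packages", keyed by its node_modules path.
function findVulnerableFormData(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === 'node_modules/form-data' ||
                        path.endsWith('/node_modules/form-data'))
    .filter(([, pkg]) => isVulnerable(pkg.version))
    .map(([path, pkg]) => `${path}@${pkg.version}`)
    .sort();
}

// Constructed sample: paths as in the audit output, versions are illustrative.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-sample' },
    'node_modules/form-data': { version: '4.0.4' },
    'node_modules/@azure/core-http/node_modules/form-data': { version: '4.0.0' },
    'node_modules/@types/node-fetch/node_modules/form-data': { version: '2.5.1' },
    'node_modules/not-form-data': { version: '1.0.0' },
  },
};

console.log(findVulnerableFormData(sampleLock));
```

Pointing `findVulnerableFormData` at the parsed contents of a real `package-lock.json` shows whether any transitive copy was left behind by the bump.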