fix(deps, deps-dev): update @actions/core to v1.11.1; semantic-release to v24.2.7 #9
BinToss wants to merge 2 commits into felipecrs:master from
Fixes 19 vulnerabilities (1 low, 9 moderate, 9 high)
- GHSA-h5c3-5r3r-rr8q
- GHSA-rmvr-2pp2-xj38
- GHSA-xx4v-prfh-6cgc
- GHSA-v6h2-p8h4-qcjw
- GHSA-v6h2-p8h4-qcjw
- GHSA-grv7-fg5c-xmjg
- GHSA-3xgq-45jj-v275
- GHSA-rc47-6667-2j5j
- GHSA-78xj-cgh5-2h22
- GHSA-2p57-rm9w-gvfp
- GHSA-952p-6rrq-rcjv
- GHSA-c2qf-rxjj-qqgw
- GHSA-c2qf-rxjj-qqgw
- GHSA-c2qf-rxjj-qqgw
- GHSA-f5x3-32g6-xq36
Are you sure about that? semantic-release is a dev dependency in this repo and should therefore not affect projects that depend on it. Also, the version range of @actions/core within this repo already contemplates 1.11.1. You could just update it in your repo by running npm update, no?

Oh. Thank you for reminding me! It slipped my mind while I was troubleshooting a few other, unrelated issues at the time. Pinning to a fixed version should be sufficient, but the mend-bolt bot has yet to acknowledge the change... Regardless, thank you for your time!

P.S. it's odd that this PR's workflow failed where it did. I might look into that, later.

Yeah, that's weird indeed. I'll look into it. It's nice to update dependencies anyway.

It seems the issue was caused by Node.js (^20.5.0 | ^18.18.0 | >=24.0.0) being required, but the first Node binary in PATH was Node.js 16...which is supposed to be unavailable in Later commits' workflow runs seem to not have the issue...
Fixes 19 vulnerabilities (1 low, 9 moderate, 9 high; as listed by npm audit)

Motivation: These vulnerabilities were being picked up by automated security alerts in downstream projects with no auto-resolution available.