
fix: upgrade @actions/github to 8.0.1 and @actions/core to 2.0.3 to resolve undici CVEs#695

Merged: Zee2413 merged 1 commit into aws-cloudformation:main from Zee2413:fix/action-undici-upgrade on Mar 30, 2026

Conversation

@Zee2413 Zee2413 commented Mar 30, 2026

Summary

Resolves 5 Dependabot alerts for undici in action/ by upgrading production dependencies to versions that use undici@6.24.1.

Vulnerabilities Resolved

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2026-22036 | Medium | Unbounded decompression chain in HTTP responses via Content-Encoding |
| CVE-2026-1525 | Medium | HTTP Request/Response Smuggling |
| CVE-2026-1526 | High | Unbounded Memory Consumption in WebSocket permessage-deflate |
| CVE-2026-1527 | Medium | CRLF Injection via upgrade option |
| CVE-2026-2229 | High | Unhandled Exception in WebSocket Client |

Dependency Changes

| Package | From | To |
| --- | --- | --- |
| @actions/github | 6.0.1 | 8.0.1 |
| @actions/core | 1.11.1 | 2.0.3 |
| @actions/exec | 1.1.1 | 2.0.0 |
| undici (transitive) | 5.29.0 | 6.24.1 |

Note: @actions/github@9.0.0 was ESM-only and incompatible with the project's CJS setup. 8.0.1 provides the same undici fix while maintaining CJS compatibility.

Code Changes

  • src/handlePullRequestRun.ts: Added explicit type annotation for Octokit listFiles response (type inference changed in new @octokit/* packages)
  • package.json: Added Jest transformIgnorePatterns to handle ESM transitive dependencies (@octokit/* packages are now ESM)
  • dist/: Rebuilt bundle via npm run package

Verification

  • npm run lint
  • npm test ✅ (20/20 tests passed)
  • npm run package

…esolve undici CVEs

Upgrade action/ production dependencies to resolve 5 Dependabot alerts
for undici (CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-2229,
CVE-2026-22036):

- @actions/github: 6.0.1 → 8.0.1
- @actions/core: 1.11.1 → 2.0.3
- @actions/exec: 1.1.1 → 2.0.0
- undici: 5.29.0 → 6.24.1

Code changes:
- handlePullRequestRun.ts: add explicit type annotation for Octokit
  listFiles response (type inference changed in new @octokit/*)
- package.json: add Jest transformIgnorePatterns for ESM dependencies
  (@octokit/* packages are now ESM)
- dist/: rebuilt bundle

Verified: npm run lint ✅, npm test ✅ (20/20), npm run package ✅
@Zee2413 Zee2413 merged commit b0fc21f into aws-cloudformation:main Mar 30, 2026
16 checks passed
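The PR fixes undici only through transitive dependencies, so a reviewer wants to confirm that no nested, unpatched copy of undici remains anywhere in the lockfile (for example under node_modules/<some-dep>/node_modules/undici). The following is an added example, not code from this PR or the aws-cloudformation project; it assumes a package-lock.json with lockfileVersion 2 or 3 (the "packages" map) and uses a constructed sample lockfile.

```javascript
// Added example (not part of the PR): verify that every copy of a package
// resolved in a package-lock.json (lockfileVersion 2 or 3, "packages" map)
// is at or above a fixed version, so a stale nested duplicate under
// node_modules/<dep>/node_modules/<pkg> is not overlooked.

function parseSemver(v) {
  // Strip a leading "v" and any prerelease/build suffix; compare numerically.
  const core = v.replace(/^v/, '').split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

function compareSemver(a, b) {
  // Returns -1, 0 or 1 comparing major.minor.patch of a against b.
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function findPackageVersions(lock, name) {
  // Every lockfile entry whose path ends in node_modules/<name> is one copy,
  // whether hoisted to the top level or nested under another dependency.
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function findBelowMinimum(lock, name, minVersion) {
  // Copies still older than the version that carries the fix.
  return findPackageVersions(lock, name)
    .filter(({ version }) => compareSemver(version, minVersion) < 0);
}

// Constructed sample lockfile: the patched hoisted copy plus one stale
// nested copy that a top-level "npm ls" glance could miss.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'action', version: '1.0.0' },
    'node_modules/@actions/github': { version: '8.0.1' },
    'node_modules/undici': { version: '6.24.1' },
    'node_modules/some-old-dep': { version: '1.0.0' },
    'node_modules/some-old-dep/node_modules/undici': { version: '5.29.0' },
  },
};

const stale = findBelowMinimum(sampleLock, 'undici', '6.24.1');
console.log(stale.length ? `stale copies: ${JSON.stringify(stale)}` : 'all copies patched');
```

Run against the real lockfile by replacing sampleLock with JSON.parse(fs.readFileSync('package-lock.json')); the same check is worth repeating against dist/ after npm run package, since the bundle is what the action actually executes.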