Skip to content

fix: bump undici, sigstore, picomatch and ip-address to fix security vulnerabilities#20

Merged
zenblender merged 1 commit into
masterfrom
sb-deps-070926
Jul 9, 2026
Merged

fix: bump undici, sigstore, picomatch and ip-address to fix security vulnerabilities#20
zenblender merged 1 commit into
masterfrom
sb-deps-070926

Conversation

@zenblender

Copy link
Copy Markdown

Summary

Fixes security vulnerabilities in four transitive dependencies. No overrides entries were needed — all fixes are represented in package.json/package-lock.json normally.

Package Before After Advisories fixed
undici 5.29.0 / 7.19.1 6.27.0 / 7.28.0 request smuggling, CRLF injection, response queue poisoning, WebSocket DoS, etc.
sigstore (bundled in npm) 4.1.0 4.1.1 certificateOIDs verification constraints silently dropped
picomatch 2.3.1 / 4.0.3 2.3.2 / 4.0.4–4.0.5 POSIX character class method injection, extglob ReDoS
ip-address (bundled in npm) 10.1.0 10.2.0 XSS in Address6 HTML-emitting methods

Changes

  • package.json: @actions/core ^1.10.0^2.0.3. This was required because every undici 5.x release is vulnerable and @actions/core@1.x pins @actions/http-client@^2undici@^5, so no lockfile-only fix existed. v2.0.3 is still CommonJS (v3 is ESM-only), runs on the node20 action runtime, and the APIs used here (getInput, debug, error, warning, info, setOutput, exportVariable) are unchanged.
  • package-lock.json (lockfile-only, all within existing semver ranges):
    • undici 7.19.1 → 7.28.0 (under @semantic-release/github)
    • picomatch 2.3.1 → 2.3.2 and 4.0.3 → 4.0.5
    • @semantic-release/npm 13.1.2 → 13.1.5 (removes the last nested @actions/core@1.x → undici@5 path)
    • npm 11.11.1 → 11.18.0 — sigstore and ip-address only exist as bundled dependencies inside the npm package, so they cannot be patched via overrides; bumping npm is the correct fix
  • dist/index.js: regenerated by the prepare (ncc) script so the committed action bundle ships the patched undici.

Verification

  • npm audit no longer reports undici, sigstore, picomatch, or ip-address
  • Lockfile is stable: deleted node_modules, reinstalled, byte-identical package-lock.json
  • Tests pass, ncc build succeeds, and the bundled dist/index.js loads correctly

@zenblender zenblender requested a review from nsimonson July 9, 2026 17:05
@zenblender zenblender marked this pull request as ready for review July 9, 2026 17:05
@zenblender zenblender merged commit fd58a0f into master Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants