Update actions/cache action to v5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	major	v3 → v5

---

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v5

Compare Source

v4.3.0

Compare Source

What's Changed

• Add note on runner versions by @​GhadimiR in #​1642
• Prepare v4.3.0 release by @​Link- in #​1655

New Contributors

• @​GhadimiR made their first contribution in #​1642

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

Compare Source

What's Changed

• Update README.md by @​nebuk89 in #​1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in #​1634
• Prepare release 4.2.4 by @​Link- in #​1636

New Contributors

• @​nebuk89 made their first contribution in #​1620

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

Compare Source

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in #​1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in #​1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

v4.2.2

Compare Source

What's Changed

[!IMPORTANT]
As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

• Bump @​actions/cache to v4.0.2 by @​robherley in #​1560

Full Changelog: actions/cache@v4.2.1...v4.2.2

v4.2.1

Compare Source

What's Changed

[!IMPORTANT]
As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

• docs: GitHub is spelled incorrectly in caching-strategies.md by @​janco-absa in #​1526
• docs: Make the "always save prime numbers" example more clear by @​Tobbe in #​1525
• Update force deletion docs due a recent deprecation by @​sebbalex in #​1500
• Bump @​actions/cache to v4.0.1 by @​robherley in #​1554

New Contributors

• @​janco-absa made their first contribution in #​1526
• @​Tobbe made their first contribution in #​1525
• @​sebbalex made their first contribution in #​1500

Full Changelog: actions/cache@v4.2.0...v4.2.1

v4.2.0

Compare Source

⚠️ Important Changes

The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

Read more about the change & access the migration guide: reference to the announcement.

Minor changes

Minor and patch version updates for these dependencies:

• @​actions/core: 1.11.1
• @​actions/io: 1.1.3
• @​vercel/ncc: 0.38.3

Full Changelog: actions/cache@v4.1.2...v4.2.0

v4.1.2

Compare Source

What's Changed

• Add Bun example by @​idleberg in #​1456
• Revise isGhes logic by @​jww3 in #​1474
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot in #​1475
• Add dependabot.yml to enable automatic dependency upgrades by @​Link- in #​1476
• Bump actions/checkout from 3 to 4 by @​dependabot in #​1478
• Bump actions/stale from 3 to 9 by @​dependabot in #​1479
• Bump github/codeql-action from 2 to 3 by @​dependabot in #​1483
• Bump actions/setup-node from 3 to 4 by @​dependabot in #​1481
• Prepare 4.1.2 release by @​Link- in #​1477

New Contributors

• @​idleberg made their first contribution in #​1456
• @​jww3 made their first contribution in #​1474
• @​Link- made their first contribution in #​1476

Full Changelog: actions/cache@v4.1.1...v4.1.2

v4.1.1

Compare Source

What's Changed

• Restore original behavior of cache-hit output by @​joshmgross in #​1467

Full Changelog: actions/cache@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

• Fix cache-hit output when cache missed by @​fchimpan in #​1404
• Deprecate save-always input by @​joshmgross in #​1452

New Contributors

• @​ottlinger made their first contribution in #​1437
• @​Olegt0rr made their first contribution in #​1377
• @​fchimpan made their first contribution in #​1404
• @​x612skm made their first contribution in #​1434
• @​todgru made their first contribution in #​1311
• @​Jcambass made their first contribution in #​1463
• @​mackey0225 made their first contribution in #​1462
• @​quatquatt made their first contribution in #​1445

Full Changelog: actions/cache@v4.0.2...v4.1.0

v4.0.2

Compare Source

What's Changed

• Fix fail-on-cache-miss not working by @​cdce8p in #​1327

Full Changelog: actions/cache@v4.0.1...v4.0.2

v4.0.1

Compare Source

What's Changed

• Update README.md by @​yacaovsnc in #​1304
• Update examples by @​yacaovsnc in #​1305
• Update actions/cache publish flow by @​bethanyj28 in #​1340
• Update @​actions/cache by @​bethanyj28 in #​1341

New Contributors

• @​yacaovsnc made their first contribution in #​1304

Full Changelog: actions/cache@v4...v4.0.1

v4.0.0

Compare Source

What's Changed

• Update action to node20 by @​takost in #​1284
• feat: save-always flag by @​to-s in #​1242

New Contributors

• @​takost made their first contribution in #​1284
• @​to-s made their first contribution in #​1242

Full Changelog: actions/cache@v3...v4.0.0

v4

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[netlify]

❌ Deploy Preview for halo-universe failed. Why did it fail? →

Name	Link
🔨 Latest commit	0b903e6
🔍 Latest deploy log	https://app.netlify.com/projects/halo-universe/deploys/69403c5bd2ec0a0008eeefb5

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: npm ejs template injection vulnerability CVE: GHSA-phwq-j96m-2c2q ejs template injection vulnerability (CRITICAL) Affected versions: < 3.1.7 Patched version: 3.1.7 From: ? → npm/ejs@2.7.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@2.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: ? → npm/form-data@2.3.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm atob under CC-BY-3.0 License: CC-BY-3.0 - the applicable license policy does not allow this license (4) (package/LICENSE.DOCS) From: ? → npm/atob@2.1.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/atob@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm bcrypt-pbkdf under BSD-3-Clause-HP License: BSD-3-Clause-HP - the applicable license policy does not allow this license (4) (package/LICENSE) From: ? → npm/bcrypt-pbkdf@1.0.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bcrypt-pbkdf@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: ? → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report