build(deps): bump pnpm/action-setup from 2.2.4 to 2.3.0 #5839
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 2.2.4 to 2.3.0. - [Release notes](https://github.com/pnpm/action-setup/releases) - [Commits](pnpm/action-setup@v2.2.4...v2.3.0) --- updated-dependencies: - dependency-name: pnpm/action-setup dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
github_actions
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -55,7 +55,7 @@ jobs: | |||
| server-id: ossrh | |||
| server-username: ${{ secrets.OSSRH_USERNAME }} | |||
| server-password: ${{ secrets.OSSRH_TOKEN }} | |||
| - uses: pnpm/action-setup@v2.2.4 | |||
| - uses: pnpm/action-setup@v2.3.0 | |||
There was a problem hiding this comment.
Reporter: Sarif
Rule: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
Severity: WARN
File: .github/workflows/build.yml L58
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. For additional help see: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. <b>References:</b> - Semgrep Rule - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
| @@ -68,7 +68,7 @@ jobs: | |||
| with: | |||
| java-version: 8 | |||
| distribution: 'zulu' | |||
| - uses: pnpm/action-setup@v2.2.4 | |||
| - uses: pnpm/action-setup@v2.3.0 | |||
There was a problem hiding this comment.
Reporter: Sarif
Rule: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
Severity: WARN
File: .github/workflows/pull_requests.yml L71
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. For additional help see: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. <b>References:</b> - Semgrep Rule - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
| @@ -31,7 +31,7 @@ jobs: | |||
| with: | |||
| java-version: 8 | |||
| distribution: 'zulu' | |||
| - uses: pnpm/action-setup@v2.2.4 | |||
| - uses: pnpm/action-setup@v2.3.0 | |||
There was a problem hiding this comment.
Reporter: Sarif
Rule: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
Severity: WARN
File: .github/workflows/pull_requests.yml L34
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. For additional help see: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. <b>References:</b> - Semgrep Rule - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
| @@ -57,7 +57,7 @@ jobs: | |||
| server-id: ossrh | |||
| server-username: ${{ secrets.OSSRH_USERNAME }} | |||
| server-password: ${{ secrets.OSSRH_TOKEN }} | |||
| - uses: pnpm/action-setup@v2.2.4 | |||
| - uses: pnpm/action-setup@v2.3.0 | |||
There was a problem hiding this comment.
Reporter: Sarif
Rule: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
Severity: WARN
File: .github/workflows/release.yml L60
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. For additional help see: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. <b>References:</b> - Semgrep Rule - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
|
Superseded by #5842. |
dependabot
bot
deleted the
dependabot/github_actions/pnpm/action-setup-2.3.0
branch
Bumps pnpm/action-setup from 2.2.4 to 2.3.0.
Release notes
Sourced from pnpm/action-setup's releases.
Commits
0b715c7Merge pull request #75 from ojeytonwilliams/fix/caching-example2ed49cbMerge pull request #88 from KengoTODA/make-path-configurable218cb35Merge pull request #69 from zakuro9715/zakuro9715-patch-23723f63Merge pull request #90 from pnpm/optional-version849d884feat: make version actually optionalf92eb0edocs: update pnpm version in readmeb27f801feat: add package_json_file option11dd14dChange sponsor to pnpm's opencollective61eb8c6docs: update the caching example65db188Remove corepack url in error messageDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)