How to upgrade @actions/core?

Hi. I have a question related to a recent vulnerability found in GitHub Actions core.

This link, describing a young vulnerability found in GitHub Actions, suggests that I upgrade @actions/core. Is it related to people developing actions on the Marketplace or to people writing their workflow scripts? If the second, how do I upgrade the core my actions are running on?

Am I able to force my actions to work on a deprecated core (i.e. keep using the vulnerable version) even if the default core used by actions is younger than the core I want to use?

Thanks in advance!

It’s up to the action developers to bump their dependencies and release new versions of their actions in almost all cases.

Even if you use github-script to write “inline actions”, its maintainers need to npm update to use the most recent @actions/core. Dependabot created automated PRs for official actions, but many are not merged yet.

The only exception that comes to mind is if you use @actions/core directly somehow, although I’m not sure what that would look like. In that case you should specify the latest version, or just the major version number to always use the latest with the same major version number (which should not receive any breaking changes).

1 Like
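For checking whether a given action has actually picked up a newer @actions/core, as the answer above describes, this added example (not part of the thread and not code from the toolkit) lists every copy of the package that a package-lock.json resolves to, including copies nested under other dependencies. The function names, the sample lockfile, its version numbers and the threshold are all constructed; take the real minimum version from the advisory.

```javascript
// Parse "x.y.z" (any pre-release or build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly older than version b.
function isOlder(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Collect every installed copy of `name` from a parsed package-lock.json.
function findCopies(lock, name) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: info.version });
    }
  }
  if (found.length) return found;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Copies whose resolved version is older than minFixed.
function outdatedCopies(lock, name, minFixed) {
  return findCopies(lock, name).filter((c) => isOlder(c.version, minFixed));
}

// Constructed lockfile: version numbers are made up for the demonstration.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/@actions/core": { version: "7.4.0" },
    "node_modules/example-dep/node_modules/@actions/core": { version: "7.1.0" },
  },
};
const SAMPLE_MIN = "7.3.0"; // constructed threshold, not a real advisory value
console.log(outdatedCopies(sampleLock, "@actions/core", SAMPLE_MIN));
```

The nested copy is the case to watch: bumping the top-level dependency does not replace a copy pinned by another package.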