Possible Bump Needed in actions/core

[oliveirafilipe]

Hi Folks!

As you guys at Github may know, there is a security vulnerability involving add-path and set-env.

The recommended is:

For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax.

Is there any reason why this action is still using an old version of @actions/core?

checkout/package.json

Line 29 in 5a4ac90

"@actions/core": "^1.1.3",

checkout/package-lock.json

Lines 6 to 11 in 5a4ac90

	"dependencies": {
	"@actions/core": {
	"version": "1.1.3",
	"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.1.3.tgz",
	"integrity": "sha512-2BIib53Jh4Cfm+1XNuZYYGTeRo8yiWEAUMoliMh1qQGMaqTF4VUlhhcsBylTu4qWmUx45DrY0y0XskimAHSqhw=="
	},

[oliveirafilipe]

Sorry guys, I didn't see that there is already an PR with this bump: #361

[peaceiris]

Actually, the actions/checkout does not use the core.addPath and core.exportVariable so I do not think this action throws the error message. Maybe, you need to check which action returns the message. See also #383 (comment)

[oliveirafilipe]

Hi @peaceiris , indeed this action does not use the core.addPath and core.exportVariable. I was just reviewing all the actions in my pipeline and seeing if they already had updated their action/core version since it is a very important patch.

Since there is already an PR with this bump, I will close this issue.