Address CVE-2020-15228 #103
Comments
Limited grepping suggests that the issue here isn't in golangci-lint-action's own source code, but rather in one of the dependencies. Seems not unlikely merely bumping the version will resolve this, but I don't know JS packaging well enough to track down which dep it is.
I thought that could be the case as I couldn't find the deprecated commands in this repo either. I'm also unsure how to track this down further.
It is action/core: needs to be 1.2.6 or later https://github.com/golangci/golangci-lint-action/blob/v2/package.json#L29
Thanks for reporting this issue, I will have a chance to take a look weekend only. PR is much appreciated 💯
@sayboras it is already fixed at HEAD, so just need a new release I think
Was fixed here #96
@tcnghia oh thanks a lot 👍. The testing currently in github action is quite limited, let me do quick check sometime tonight or tomorrow, if it's all good, I will create new release.
Thanks a lot @sayboras
@tcnghia yup, I will plan sometimes for releasing new version v2.2.1 today :)
Thanks a lot!!
v2.2.1 is released https://github.com/golangci/golangci-lint-action/releases/tag/v2.2.1. I have also tested with one of my private repo, seems good.
dependabot is working hard as well golangci/golangci-lint#1447
Fixed "The `set-env` command is disabled" suggestion from golangci#103 (comment)
Currently, the action uses the `set-env` and `add-path` commands which have recently been deprecated by GitHub as remediation to $SUBJECT. They have already been replaced with new mechanisms which offer the same functionality. Please refer to:

When running the action users get warnings about the deprecated actions.
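A check for the two conditions discussed in this thread, written as an added example that is not part of the issue or the project's code: whether the resolved core toolkit dependency is at 1.2.6 or later, and whether a step script or job log still emits `set-env` / `add-path`. The npm package name `@actions/core`, the `GITHUB_ENV` / `GITHUB_PATH` replacement files, and all function names and sample data are assumptions not taken from the page.

```javascript
// Added example; helper names and sample data are constructed for illustration.
const MIN_PATCHED = [1, 2, 6]; // from the thread: core "needs to be 1.2.6 or later"

// True when an x.y.z version is >= 1.2.6 (numeric compare, so 1.10.0 > 1.2.6).
function isPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not an x.y.z version: ${version}`);
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== MIN_PATCHED[i]) return v[i] > MIN_PATCHED[i];
  }
  return true;
}

// Resolved @actions/core version from a parsed package-lock.json
// (lockfileVersion 2/3 uses "packages", lockfileVersion 1 uses "dependencies").
function resolvedCoreVersion(lock) {
  const entry =
    (lock.packages && lock.packages['node_modules/@actions/core']) ||
    (lock.dependencies && lock.dependencies['@actions/core']);
  return entry ? entry.version : null;
}

// Report set-env / add-path workflow commands in a step script or job log.
function findDeprecatedCommands(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = /::(set-env|add-path)\b/.exec(line);
    if (m) {
      const useInstead = m[1] === 'set-env' ? 'GITHUB_ENV' : 'GITHUB_PATH';
      hits.push({ line: i + 1, command: m[1], useInstead });
    }
  });
  return hits;
}

// Constructed sample inputs (not taken from the repository).
const SAMPLE_LOCK = { dependencies: { '@actions/core': { version: '1.2.4' } } };
const SAMPLE_SCRIPT = [
  'echo "::set-env name=GOBIN::/home/runner/go/bin"',
  'echo "::add-path::/home/runner/go/bin"',
  'echo "GOBIN=/home/runner/go/bin" >> "$GITHUB_ENV"',
].join('\n');

console.log('core patched:', isPatched(resolvedCoreVersion(SAMPLE_LOCK)));
console.log(findDeprecatedCommands(SAMPLE_SCRIPT));
```

The version check reads the lockfile rather than `package.json` because the lockfile records the version actually installed, while a range in `package.json` can still resolve to an older release.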