This repository has been archived by the owner on Dec 20, 2021. It is now read-only.
[Security] Workflow publish-release-build.yml is using vulnerable action peter-evans/create-pull-request #38
Comments
|
Hi @akulpillai thank you for writing in with this. This is an old repository that was created for testing and integration purposes and is no longer used. I will set it to read-only to mitigate any further risks here. Or maybe even delete it. Everything in ExtendedXmlSerializer is in a very "don't fix if not broken" maintenance mode so trying not to touch anything unless absolutely necessary. Thank you again for your concern and report. 🙏 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The workflow publish-release-build.yml is referencing action peter-evans/create-pull-request using references v1. However this reference is missing the commit 9507cdc7ac7c51349ae407533e709b92b594e6d1 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.
The text was updated successfully, but these errors were encountered: