🚨 [security] Update mocha-github-actions-reporter 0.3.0 → 0.3.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ mocha-github-actions-reporter (0.2.4 → 0.3.1) · Repo

Commits

See the full diff on Github. The new version differs by 8 commits:

• v0.3.1
• Avoid outputting summary if not supported (#18)
• v0.3.0
• Bump ansi-regex from 3.0.0 to 3.0.1
• Printed summary on run end (#16)
• Bump @actions/core from 1.4.0 to 1.9.1
• Bump glob-parent from 5.1.0 to 5.1.2
• Streamlined logic (#12)

✳️ @​actions/core (1.4.0 → 1.9.1) · Repo · Changelog

Security Advisories 🚨

🚨 @actions/core has Delimiter Injection Vulnerability in exportVariable

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:

• Open an issue in actions/toolkit

Release Notes

1.9.1 (from changelog)

• Randomize delimiter when calling core.exportVariable

1.9.0 (from changelog)

• Added toPosixPath, toWin32Path and toPlatformPath utilities #1102

1.8.2 (from changelog)

• Update to v2.0.1 of @actions/http-client #1087

1.8.1 (from changelog)

• Update to v2.0.0 of @actions/http-client

1.8.0 (from changelog)

• Deprecate markdownSummary extension export in favor of summary
  • #1072
  • #1073

1.7.0 (from changelog)

• Added markdownSummary extension

1.6.0 (from changelog)

• Added OIDC Client function getIDToken
• Added file parameter to AnnotationProperties

1.5.0 (from changelog)

• Added support for notice annotations and more annotation fields

Does any of this look wrong? Please let us know.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[kraenhansen]

@​depfu merge