Upgrade dependencies to clear security alerts #179
- @actions/core: ^1.10.1 → ^3.0.0
- @actions/github: ^6.0.0 → ^9.1.0
- @octokit/request-error: ^6.1.1 → ^7.1.0
- undici override: 5.29.0 → ^6.24.0
- Removed stale @octokit/request-error@5.1.0 override
Pull request overview
This PR upgrades GitHub Actions / Octokit dependencies (and the undici override) to address a Dependabot security alert, with a small TypeScript adjustment to remain compatible with the updated @actions/github package structure.
Changes:
- Bump @actions/core, @actions/github, and @octokit/request-error to newer major versions.
- Update src/snapshot.ts to avoid importing Context from an internal @actions/github path.
- Update the undici override and regenerate package-lock.json to reflect the new dependency tree.
| File | Description |
|---|---|
| src/snapshot.ts | Adjusts Context typing to avoid relying on an internal @actions/github import path. |
| package.json | Updates dependency versions and changes dependency overrides (notably undici). |
| package-lock.json | Lockfile refresh reflecting updated major versions and new transitive dependencies / engine constraints. |
Copilot's findings
- Files reviewed: 2/3 changed files
- Comments generated: 2
| import * as core from '@actions/core' | ||
| import * as github from '@actions/github' | ||
| import type { Context } from '@actions/github/lib/context.js' | ||
| type Context = typeof github.context | ||
| import { RequestError } from '@octokit/request-error' | ||
| import type { PullRequestEvent } from '@octokit/webhooks-types' |
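Review bot: `type Context = typeof github.context` sits between two `import` lines, so the import block is no longer contiguous; move the alias below the last import. Since the removed line was `import type { Context }`, the name was only ever used in type positions, and `typeof github.context` (the type of the context instance, not of the class) is a drop-in for it there; it would not work as a constructor, so a quick check that no `new Context()` remains in the file is worthwhile.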
type Context = typeof github.context is placed between import declarations, which makes the import block non-contiguous and can fight with Biome's organizeImports / formatter. Consider keeping all import ... statements together (e.g., move this type alias below the imports), or (if available in @actions/github v9) import the Context type from a public entrypoint instead of deriving it from the value export.
See below for a potential fix:
import { RequestError } from '@octokit/request-error'
import type { PullRequestEvent } from '@octokit/webhooks-types'
import type { Manifest } from './manifest.js'
type Context = typeof github.context
| "dependencies": { | ||
| "@actions/core": "^1.10.1", | ||
| "@actions/github": "^6.0.0", | ||
| "@octokit/request-error": "^6.1.1", | ||
| "@actions/core": "^3.0.0", | ||
| "@actions/github": "^9.1.0", | ||
| "@octokit/request-error": "^7.1.0", | ||
| "@octokit/webhooks-types": "^7.5.0", | ||
| "packageurl-js": "^1.2.1" | ||
| }, |
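Review bot: the three major bumps here coincide with a changed `overrides` block (undici 5.29.0 → ^6.24.0, removal of the @octokit/request-error@5.1.0 override) that is not in the visible hunk; with a direct `@octokit/request-error` at ^7.1.0 and @actions/github@^9.1.0 bringing its own copy, confirm in package-lock.json that only one version of @octokit/request-error is installed, because any `instanceof RequestError` check in src/snapshot.ts silently fails when the class imported there differs from the one Octokit throws.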
Upgrading to @actions/github@^9 pulls in @octokit/* packages that declare engines.node >= 20 (see package-lock), which effectively raises this library's minimum supported Node version. To avoid surprising consumers, add an explicit "engines": { "node": ">=20" } (and consider whether the package version should be a major bump if you publish this to npm).
GitHub Actions' minimum Node version is 20 for actions, so this is irrelevant.
Purpose
Describe the purpose of this pull request
Upgrades dependencies so that undici can be upgraded for the security alert.
Related Issues
What issues does this PR close or relate to?
Closes Dependabot alert https://github.com/github/dependency-submission-toolkit/security/dependabot/71