
undici is not listed as a dependency for @actions/github package in NPM #1993


Open
cemreyavuz opened this issue Mar 14, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@cemreyavuz

Ref to #1684, undici is added as a dependency to @actions/github recently: #1957. However, the package version for @actions/github is not bumped and published - latest version of the package still doesn't have undici as a dependency. In our PNPM repository, our custom actions using @actions/github fail because we cannot find undici. At the moment, we can work around it by adding a package extension. However, for the permanent fix, I believe we need to publish a new version of @actions/github with the recent change.

The code for @actions/github@6.0.0 can be found here: https://www.npmjs.com/package/@actions/github?activeTab=code. If you look at package.json, you will see that undici is missing. And this is the output when I run `npm info @actions/github@6.0.0` (you can see undici is not part of dependencies here either):

```
@actions/github@6.0.0 | MIT | deps: 4 | versions: 17
Actions github lib
https://github.com/actions/toolkit/tree/main/packages/github

keywords: github, actions

dist
.tarball: https://cognite.jfrog.io/artifactory/api/npm/npm-virtual/@actions/github/-/github-6.0.0.tgz
.shasum: 65883433f9d81521b782a64cc1fd45eef2191ea7
.integrity: sha512-alScpSVnYmjNEXboZjarjukQEzgCRmjMv6Xj47fsdnqGS73bjJNDpiiXmp8jr0UZLdUB6d9jW63IcmddUP+l0g==

dependencies:
@actions/http-client: ^2.2.0                   @octokit/core: ^5.0.1                          @octokit/plugin-paginate-rest: ^9.0.0          @octokit/plugin-rest-endpoint-methods: ^10.0.0

maintainers:
- chrispat <chrispat@github.com>
- bryanmacfarlane <bryanmacf@gmail.com>
- thboop <thboop@github.com>
- konradpabjan <konradpabjan@github.com>
- cschleiden <cschleiden@outlook.com>
- joshmgross <joshmgross@github.com>

dist-tags:
latest: 6.0.0

published a year ago by thboop <thboop@github.com>
```

I skimmed through the docs in the repo and I couldn't find information around how the version bumps are done in the repository. I'm happy to look into it if there are any guidelines for it.

@cemreyavuz cemreyavuz added the bug Something isn't working label Mar 14, 2025
@fxalgrain

Hi team, we're experiencing ongoing security alerts in our GitHub Action caused by issues in the current version of undici.

We see that a version bump addressing this is pending but hasn't been released in @actions/core and @actions/github yet.

Could you share an approximate timeline for the next release that will include this update?

Thanks!
