Skip to content
This repository has been archived by the owner on Feb 21, 2023. It is now read-only.

[Security] Workflow ci.yml is using vulnerable action py-actions/py-dependency-install #1244

Closed
Ale0x78 opened this issue Dec 19, 2021 · 0 comments · Fixed by #1239
Closed

[Security] Workflow ci.yml is using vulnerable action py-actions/py-dependency-install #1244

Ale0x78 opened this issue Dec 19, 2021 · 0 comments · Fixed by #1239

Comments

@Ale0x78
Copy link

Ale0x78 commented Dec 19, 2021

The workflow ci.yml is referencing action py-actions/py-dependency-install using references v2.1.0. However this reference is missing the commit 5df6847b1bc7e7eff410a6d05aab1708d592de20 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump py-actions/py-dependency-install from 2.1.0 to 3 aio-libs-abandoned/aioredis-py
1 participant
@Ale0x78