
Bump nanasess/setup-chromedriver from 2 to 3 #38757

Merged: derrickaw merged 1 commit into master from dependabot/github_actions/nanasess/setup-chromedriver-3, Jun 1, 2026
@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps nanasess/setup-chromedriver from 2 to 3.

Release notes

Sourced from nanasess/setup-chromedriver's releases.

v3.0.0

Highlights

v3.0.0 is a major release that rewrites the action from the ground up. The installation logic is now implemented natively in TypeScript — the legacy shell/PowerShell scripts are no longer on the execution path — and the build toolchain has been hardened against supply-chain attacks.

Native TypeScript rewrite (#446)

The Bash (setup-chromedriver.sh) and PowerShell (setup-chromedriver.ps1) installers have been replaced by a native TypeScript implementation, split into focused modules under src/installer/:

  • http.ts — fetchText / fetchJson with curl-like retry/redirect handling
  • download.ts — ZIP download & extraction via @actions/tool-cache
  • version.ts — Chrome version detection + Chrome-for-Testing JSON resolution with fallback
  • unix.ts / windows.ts — platform-specific install (legacy < 115 / modern split)

Behavioral parity is preserved: install locations (/usr/local/bin/chromedriver, C:\SeleniumWebDrivers\ChromeDriver) are unchanged, and PATH resolution via the well-known install directory continues to work without an explicit core.addPath. The legacy shell scripts are retained for one release cycle as an emergency rollback option.

Supply-chain hardening

  • Migrated from yarn to pnpm (#456) — install-time build scripts are blocked by default (allowBuilds), and freshly published versions are held back by a cooldown (minimumReleaseAge).
  • All external actions in CI workflows are now pinned to a full commit SHA (#450).

ESM migration (#458, #439)

  • The codebase moved from CommonJS to ESM, and @actions/tool-cache was upgraded from 2.x to 4.x.

Security fixes

  • Fixed a command-injection vector in Windows version detection (env-passing).
  • Fixed cross-drive move failure (EXDEV) on Windows via io.cp.
  • Added retry-with-backoff to downloads.
  • Overrode qs to 6.15.2 to resolve a DoS advisory (#457, #444).

Testing

  • Container-compatibility tests are now a permanent PR gate (#453).
  • Added install/smoke tests for legacy ChromeDriver (< 115) (#454).

Breaking Changes

  • The action is now a native TypeScript / ESM implementation. The shell/PowerShell scripts are no longer executed (kept only for one-cycle rollback).
  • Build/contribution workflow now requires pnpm (corepack enable) instead of yarn.

Note: The Node 24 runtime migration shipped in v2.4.0; there is no runtime change in v3.0.0.

Migration

Update your workflow reference to @v3. SHA pinning is recommended:

... (truncated)

Commits
  • e913548 Merge pull request #460 from nanasess/feature/release-v3
  • 8d11586 chore: remove the unneeded version field from package.json
  • 38db136 Merge pull request #458 from nanasess/feature/bump-tools-cache
  • 359dcf4 fix: switch to a cross-platform test script that also works on Windows
  • ba85371 Merge remote-tracking branch 'origin/master' into feature/bump-tools-cache
  • 00fdb57 fix: correct the ESM subpath import in the selenium integration tests
  • f6b8cbe Merge pull request #457 from nanasess/security/qs-6.15.2
  • 249deb4 style: apply prettier to all TypeScript files
  • 5daf33a build: migrate to ESM and update @actions/tool-cache to 4.x
  • 23ce89d fix(security): override qs to 6.15.2 to fix a DoS vulnerability
  • Additional commits viewable in compare view


Bumps [nanasess/setup-chromedriver](https://github.com/nanasess/setup-chromedriver) from 2 to 3.
- [Release notes](https://github.com/nanasess/setup-chromedriver/releases)
- [Commits](nanasess/setup-chromedriver@v2...v3)

---
updated-dependencies:
- dependency-name: nanasess/setup-chromedriver
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 1, 2026
@github-actions github-actions Bot added the build label Jun 1, 2026
@derrickaw derrickaw merged commit a1b0a51 into master Jun 1, 2026
3 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/nanasess/setup-chromedriver-3 branch June 1, 2026 12:02
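
The release notes quoted above recommend SHA pinning when moving the workflow reference to @v3. As an added example (not code from this PR or from nanasess/setup-chromedriver), this Node.js script flags `uses:` references that are not pinned to a full 40-character commit SHA; the function names, the sample workflow and the placeholder SHA are constructed for illustration.

```javascript
// Added example: audit `uses:` references in GitHub Actions workflow text.
// A tag or branch (@v3, @main) can be moved by the action's owner; a full
// commit SHA cannot, so only the latter counts as pinned here.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Classify one `uses:` value as 'local', 'pinned' or 'mutable'.
function classifyUses(ref) {
  if (ref.startsWith('./')) return 'local'; // same-repo action, versioned with the workflow
  if (ref.startsWith('docker://')) {
    // Container references are immutable only when addressed by digest.
    return /@sha256:[0-9a-f]{64}$/.test(ref) ? 'pinned' : 'mutable';
  }
  const at = ref.lastIndexOf('@');
  if (at === -1) return 'mutable';
  // Abbreviated SHAs are rejected on purpose: only 40 hex characters pass.
  return FULL_SHA.test(ref.slice(at + 1)) ? 'pinned' : 'mutable';
}

// Scan workflow YAML text line by line and return the mutable references.
function auditWorkflow(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    // Matches `uses: x` and `- uses: x`; commented-out lines do not match,
    // and a trailing `# v3.0.0` style comment is ignored.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*(['"]?)([^'"#\s]+)\1\s*(?:#.*)?$/);
    if (!m) return;
    if (classifyUses(m[2]) === 'mutable') findings.push({ line: i + 1, ref: m[2] });
  });
  return findings;
}

// Constructed sample workflow; the 40-character SHA is a placeholder.
const SAMPLE = [
  'jobs:',
  '  test:',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: nanasess/setup-chromedriver@v3',
  '      - uses: nanasess/setup-chromedriver@' + 'a'.repeat(40) + ' # v3.0.0',
  '      - uses: ./.github/actions/local-step',
  '      # - uses: example/disabled@main',
  '      - uses: docker://alpine:3.20',
].join('\n');

for (const f of auditWorkflow(SAMPLE)) {
  console.log(`line ${f.line}: ${f.ref} is not pinned to a full commit SHA`);
}
```

Run over each file under .github/workflows/ in CI, a non-empty result can fail the build so that a version bump like this one arrives as a reviewed SHA change.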