fix(deps): update @actions/cache to 4.0.0

[MikeMcC399]

• supersedes PR fix(deps): update dependency @actions/cache to v4 #1327

Issue

• GitHub has released a new version of the npm module @actions/cache with the deprecation notice:

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in this release are fully backward compatible.

All previous versions of this package will be deprecated. We recommend upgrading to version 4.0.0 as soon as possible before February 1st, 2025.

The new version is @actions/cache@4.0.0

See also @actions/cache Package Deprecation Notice. Upgrade to the latest 4.0.0 or higher before February 1st 2025.

• Renovate attempted to update in PR fix(deps): update dependency @actions/cache to v4 #1327 however this fails in CI because the action needs to be re-built - see Renovate fails to update dependencies correctly #1252.

Change

• Update to @actions/cache@4.0.0 and re-build the action.

[cypress-app-bot]

• Create a Draft Pull Request if your PR is not ready for review. Mark the PR as Ready for Review when you're ready for a Cypress team member to review the PR.

[MikeMcC399]

It's not clear why this is failing. I don't have access to the details:

security/snyk (Cypress Tools) — 1 test has failed

[jennifer-shehane]

@MikeMcC399 Snyk is surfacing a medium security violation in this new package - I wonder if this is tracked anywhere in the actions/cache repo: https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

Introduced through: @actions/cache@4.0.0 › twirp-ts@2.5.0 › dot-object@2.1.5 › glob@7.2.3 › inflight@1.0.6

[MikeMcC399]

@jennifer-shehane

Thanks for passing on the vulnerability assessment from SNYK. I will check.

[MikeMcC399]

@jennifer-shehane

• I reported the issue in @actions/cache@4.0.0 triggers SNYK-JS-INFLIGHT-6095116 vulnerability warning actions/toolkit#1901 and it is due to a transient dependency dot-object not being updated. glob was already re-written to eliminate inflight.

We can leave this issue in draft until either the cut-off date Feb 2025 is reached or the vulnerability is resolved, which ever happens first.

If this PR is merged without resolution, then every subsequent PR is going to get flagged by SNYK, which would be annoying.

BTW: The Cypress binary is also distributing inflight through glob.

[MikeMcC399]

• @actions/cache@4.0.0 has significant supportability issues at this time, as raised in @actions/cache@4.0.0 triggers SNYK-JS-INFLIGHT-6095116 vulnerability warning actions/toolkit#1901 (comment) . I prefer to close this PR now and wait for a response from the GitHub Toolkit team before deciding on next steps.

[MikeMcC399]

@jennifer-shehane

GitHub maintainers have acknowledged the issue (see actions/toolkit#1890 (reply in thread)) and have added it to their backlog to resolve in the next minor release of @actions/cache@4.