Skip to content

Dependabot Alert #16 (GHSA-m7jm-9gc2-mpf2 / CVE-2026-25896) #164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
derekmisler merged 1 commit into from
May 4, 2026
+48 −13
Merged

Dependabot Alert #16 (GHSA-m7jm-9gc2-mpf2 / CVE-2026-25896) #164

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@
"pnpm": {
"onlyBuiltDependencies": [
"esbuild"
]
],
"overrides": {
"fast-xml-parser": "^5.3.5"
Copy link
Copy Markdown
Contributor

@docker-agent docker-agent Bot May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Semver range in CVE override may drift on lockfile regeneration

The pnpm override for fast-xml-parser uses "^5.3.5" (caret range) rather than an exact version pin like "5.7.2". For a security-fix override targeting a specific CVE (GHSA-m7jm-9gc2-mpf2), this means a future pnpm install could resolve to any 5.x >= 5.3.5 — potentially an unvetted newer version. Best practice for CVE remediations is to pin the exact known-safe version:

"overrides": {
  "fast-xml-parser": "5.7.2"
}

}
}
}
32 changes: 28 additions & 4 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

24 changes: 16 additions & 8 deletions review-pr/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,12 @@ runs:
- name: Resolve PR number and comment ID
id: resolve-context
shell: bash
env:
PR_NUMBER_INPUT: ${{ inputs.pr-number }}
COMMENT_ID_INPUT: ${{ inputs.comment-id }}
Copy link
Copy Markdown
Contributor

@docker-agent docker-agent Bot May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] comment-id input used in gh api URL path without numeric validation

COMMENT_ID_INPUT is populated from the inputs.comment-id action input and later injected into gh api URL paths like:

gh api "repos/$REPO/issues/comments/$COMMENT_ID/reactions"

There is no validation that COMMENT_ID is a numeric value before use. While the env-var approach in this PR (vs. inline ${{ }} interpolation) correctly eliminates shell injection, a crafted non-numeric comment-id (e.g., containing /) could theoretically manipulate the API path. Consider adding a numeric guard:

if [[ -n "$COMMENT_ID" && ! "$COMMENT_ID" =~ ^[0-9]+$ ]]; then
  echo "❌ Invalid comment-id: must be numeric"
  exit 1
fi

Note: The env-var refactoring in this PR is an improvement over the previous inline interpolation pattern.

run: |
# Resolve PR number: input > pull_request event > issue event
PR_NUMBER="${{ inputs.pr-number }}"
PR_NUMBER="$PR_NUMBER_INPUT"
if [ -z "$PR_NUMBER" ]; then
PR_NUMBER="${{ github.event.pull_request.number }}"
fi
Expand All @@ -104,7 +107,7 @@ runs:
echo "✅ Resolved PR number: $PR_NUMBER"

# Resolve comment ID: input > comment event (optional, for reactions)
COMMENT_ID="${{ inputs.comment-id }}"
COMMENT_ID="$COMMENT_ID_INPUT"
if [ -z "$COMMENT_ID" ]; then
COMMENT_ID="${{ github.event.comment.id }}"
fi
Expand Down Expand Up @@ -203,8 +206,10 @@ runs:
shell: bash
env:
GH_TOKEN: ${{ steps.resolve-token.outputs.token }}
REPO: ${{ github.repository }}
COMMENT_ID: ${{ steps.resolve-context.outputs.comment-id }}
run: |
gh api repos/${{ github.repository }}/issues/comments/${{ steps.resolve-context.outputs.comment-id }}/reactions \
gh api "repos/$REPO/issues/comments/$COMMENT_ID/reactions" \
-X POST -f content='eyes' || true

- name: Get PR information
Expand Down Expand Up @@ -628,8 +633,9 @@ runs:
shell: bash
env:
GH_TOKEN: ${{ steps.resolve-token.outputs.token }}
REPO: ${{ github.repository }}
run: |
ARTIFACTS=$(gh api "repos/${{ github.repository }}/actions/artifacts?name=pr-review-feedback" \
ARTIFACTS=$(gh api "repos/$REPO/actions/artifacts?name=pr-review-feedback" \
--jq '.artifacts[].id' 2>/dev/null || echo "")

if [ -z "$ARTIFACTS" ]; then
Expand All @@ -644,7 +650,7 @@ runs:

for AID in $ARTIFACTS; do
# Download artifact zip
gh api "repos/${{ github.repository }}/actions/artifacts/$AID/zip" > "feedback_$AID.zip" 2>/dev/null || continue
gh api "repos/$REPO/actions/artifacts/$AID/zip" > "feedback_$AID.zip" 2>/dev/null || continue
unzip -o "feedback_$AID.zip" -d "pending_feedback/" 2>/dev/null || continue

if [ -f pending_feedback/feedback.json ]; then
Expand All @@ -660,7 +666,7 @@ runs:
rm -f pending_feedback/feedback.json

# Delete processed artifact
gh api "repos/${{ github.repository }}/actions/artifacts/$AID" -X DELETE 2>/dev/null || true
gh api "repos/$REPO/actions/artifacts/$AID" -X DELETE 2>/dev/null || true
done

if [ "$COUNT" -gt 0 ]; then
Expand Down Expand Up @@ -907,11 +913,13 @@ runs:
env:
GH_TOKEN: ${{ steps.resolve-token.outputs.token }}
EXIT_CODE: ${{ steps.run-review.outputs.exit-code }}
REPO: ${{ github.repository }}
COMMENT_ID: ${{ steps.resolve-context.outputs.comment-id }}
run: |
if [ "$EXIT_CODE" != "0" ]; then
gh api "repos/${{ github.repository }}/issues/comments/${{ steps.resolve-context.outputs.comment-id }}/reactions" \
gh api "repos/$REPO/issues/comments/$COMMENT_ID/reactions" \
-X POST -f content='confused' || true
else
gh api "repos/${{ github.repository }}/issues/comments/${{ steps.resolve-context.outputs.comment-id }}/reactions" \
gh api "repos/$REPO/issues/comments/$COMMENT_ID/reactions" \
-X POST -f content='+1' || true
fi
Loading