Skip to content

deps: bump step-security/harden-runner from 2.19.3 to 2.19.4#70

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/github_actions/step-security/harden-runner-2.19.4
May 29, 2026
Merged

deps: bump step-security/harden-runner from 2.19.3 to 2.19.4#70
github-actions[bot] merged 1 commit into
mainfrom
dependabot/github_actions/step-security/harden-runner-2.19.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 26, 2026
edited
Loading

Bumps step-security/harden-runner from 2.19.3 to 2.19.4.

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 26, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026
edited
Loading

Dependency Safety Scan

Packages scanned: step-security/harden-runner (v2.19.4)

Results

No known exploits found affecting the target versions.

Source Vulnerabilities
GitHub Advisory (GHSA) 0 affecting target
OSV.dev 0 affecting target

Auto-merge enabled. PR will merge once all required checks pass.

5 historical advisory/ies (patched at or before target version — not blocking)
ID Severity Summary Source Patched In
GHSA-46g3-37rh-v698 MODERATE Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier) GHSA 2.16.0
GHSA-g699-3x6g-wm3g MODERATE Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier) GHSA 2.16.0
GHSA-cpmj-h4f6-r6pq MODERATE Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier) GHSA 2.14.2
GHSA-mxr3-8whj-j74r MODERATE Harden-Runner allows evasion of 'disable-sudo' policy GHSA 2.12.0
GHSA-g85v-wf27-67xc LOW Harden-Runner has a command injection weaknesses in setup.ts and arc-runner.ts GHSA 2.10.2
### Release Age (minimum: 5 days)
Package Version Published Age Status
step-security/harden-runner v2.19.4 2026-05-21 7d ✅ passed

Project Health (OpenSSF Scorecard)

Action Score Details
step-security/harden-runner 8/10 View

Last scanned: 2026-05-29 01:12 UTC

@dependabot dependabot Bot force-pushed the dependabot/github_actions/step-security/harden-runner-2.19.4 branch from 4e195dd to cabd960 Compare May 28, 2026 06:15
@j7an
Copy link
Copy Markdown
Owner

j7an commented May 29, 2026

@dependabot recreate

@dependabot
deps: bump step-security/harden-runner from 2.19.3 to 2.19.4
39b44d9 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.3 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@ab7a940...9af89fc)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/step-security/harden-runner-2.19.4 branch from cabd960 to 39b44d9 Compare May 29, 2026 01:11
@github-actions github-actions Bot merged commit 5da2b13 into main May 29, 2026
5 of 6 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/step-security/harden-runner-2.19.4 branch May 29, 2026 01:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@j7an