chore(ci): bump actions/setup-node from 4 to 6 #1
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Closing: main has been updated with the develop merge. Dependabot will re-create if still needed.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Address 103 high-severity CodeQL alerts across 34 files:

**Insecure temporary files (js/insecure-temporary-file) — 20 alerts:**
- Replace predictable temp paths with crypto.randomUUID() and fs.mkdtempSync()

**User-controlled bypass (js/user-controlled-bypass) — 14 alerts:**
- Add typeof checks for auth tokens, codes, emails, passwords
- Remove user-controlled skipVerification flag from publish endpoints
- Validate GitHub webhook headers with typeof guards
- Add OAuth error code allowlist in callback handler

**Remote property injection (js/remote-property-injection) — 6 alerts:**
- Block __proto__, constructor, prototype keys in config merge/assignment

**File system race (js/file-system-race) — 3 alerts:**
- Replace TOCTOU check-then-read with try/catch around direct operations

**Tainted format string (js/tainted-format-string) — 5 alerts:**
- Sanitize user input (strip control chars/newlines) before logging

**Incomplete sanitization + bad HTML filter (js/bad-tag-filter) — 2 alerts:**
- Replace single-pass regex HTML stripping with iterative loop

**Path injection (js/path-injection) — 20 alerts:**
- Add safeResolvePath() for storage paths
- Add sanitizePathComponent() for plugin/version path segments
- Add validateFilePath() for uploaded file paths

**SQL injection (js/sql-injection) — 5 alerts:**
- Add validateIdentifier() strict allowlist for DDL identifiers
- Sanitize database names, usernames, and passwords

**XSS through DOM (js/xss-through-dom) — 2 alerts:**
- Validate avatar URLs with URL constructor, block javascript: URIs

**Reflected XSS (js/reflected-xss) — 1 alert:**
- Validate plugin name against allowlist before HTML interpolation

**Insecure download (js/insecure-download) — 2 alerts:**
- Enforce HTTPS protocol validation before fetch calls

**Insecure randomness (js/insecure-randomness) — 1 alert:**
- Replace Math.random() with crypto.randomInt()

**Insufficient password hash (js/insufficient-password-hash) — 2 alerts:**
- Replace SHA-256 with crypto.scryptSync for API key hashing

**Missing rate limiting (js/missing-rate-limiting) — 13 alerts:**
- Add in-memory rate limiting to auth, registry, embed, and config routes

**Insecure Helmet configuration (js/insecure-helmet-configuration) — 2 alerts:**
- Replace disabled CSP with proper CSP directives

**Incomplete URL sanitization (js/incomplete-url-substring-sanitization) — 5 alerts:**
- Replace string includes/startsWith with URL constructor parsing

Alerts fixed: #1-50, #52-53, #57-61, #76-77, #82-97, #102-128, #279-280

Co-authored-by: Cursor <cursoragent@cursor.com>
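One way to implement the `__proto__`/`constructor`/`prototype` blocking that the commit message above lists under remote property injection, as an added example that is not code from this PR or the project; the function names, the `DEFAULTS` config and the `UNTRUSTED_BODY` payload are constructed for illustration:

```javascript
// Added example, not the project's code: a config deep-merge that drops the
// keys CodeQL's js/remote-property-injection rule flags, so an untrusted body
// such as {"__proto__": {"isAdmin": true}} cannot pollute Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own keys of `source` into `target`. Unsafe keys are
// skipped and recorded in `dropped` instead of assigned; `target["__proto__"] = x`
// would otherwise replace the prototype chain of `target` (and, via the shared
// Object.prototype, affect every plain object in the process).
function safeMerge(target, source, dropped = []) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) { dropped.push(key); continue; }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(existing) ? existing : {}, value, dropped);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: a default config plus a JSON body shaped like a
// prototype-pollution probe. JSON.parse creates an *own* property named
// "__proto__", which is why Object.keys() sees it and the guard is needed.
const DEFAULTS = { registry: { url: 'https://example.invalid', timeoutMs: 5000 }, debug: false };
const UNTRUSTED_BODY =
  '{"registry":{"timeoutMs":100},"__proto__":{"isAdmin":true},"constructor":{"prototype":{"x":1}}}';

function mergeUntrustedConfig(json) {
  const dropped = [];
  const merged = safeMerge(JSON.parse(JSON.stringify(DEFAULTS)), JSON.parse(json), dropped);
  return { merged, dropped };
}

const result = mergeUntrustedConfig(UNTRUSTED_BODY);
console.log(JSON.stringify(result.merged), 'dropped:', result.dropped);
console.log('Object.prototype polluted?', ({}).isAdmin !== undefined); // false
```

The `dropped` list is worth logging or counting in a metric: a request that carries these keys at all is a signal worth alerting on, not just a value to discard.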
Bumps actions/setup-node from 4 to 6.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
- 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
- 8e49463 Fix README typo (#1226)
- 621ac41 README.md: bump to latest released checkout version v6 (#1446)
- 2951748 Bump @actions/cache to v5.0.1 (#1449)
- 21ddc7b Correct mirror option typos (#1442)
- 65d868f Update Documentation for Lockfile (#1454)
- 395ad32 Bump js-yaml from 3.14.1 to 3.14.2 (#1435)
- a4d2e2b Bump actions/checkout from 5 to 6 (#1439)
- b9b25d4 Remove always-auth configuration handling from action (#1436)
- 633bb92 Bump @actions/cache from 4.0.3 to 4.1.0 (#1384)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)