This sample project recommends that devs upload the entire node_modules directory. When using such a simple plugin, the entire codebase, including node_modules, is then downloaded and used without any sort of checks.
What is stopping people from uploading malicious stuff inside such a node_modules directory to steal source code or inject exploits while such actions are used?
Hi All, I submitted a PR to this repo to switch how this is currently handled. Instead of committing node_modules or including an npm install step before the action is run, this approach uses @vercel/ncc to package dependencies into a single JS file. This is the same approach used in the TypeScript and JavaScript action templates.
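The concern raised in the issue is that a committed node_modules tree is executed by whoever uses the action without anyone having reviewed it. A cheap review aid is a pre-merge check that reports any committed node_modules directory and lists the packages inside it that declare npm lifecycle scripts (preinstall, install, postinstall, prepare), since those run automatically on `npm install` and are the first thing to inspect in vendored dependencies. The script below is an added example written for this discussion; it is not code from the issue, the PR, or the GitHub Actions template repos. The function names (`audit_repo`, `build_sample_repo`) and the package names it creates (`demo-util`, `@example/hook-demo`) are made up for the illustration, and `build_sample_repo` constructs a throwaway directory layout so the check can be run offline.

```python
"""Flag committed node_modules trees and the packages in them that declare
npm lifecycle scripts. Added example for the discussion above; the names
below are illustrative and the sample repository layout is constructed here."""
import json
import os
import tempfile
from pathlib import Path

# npm runs these automatically during install, so they deserve a close look
# in any vendored dependency tree.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def find_committed_node_modules(repo_root):
    """Return every node_modules directory found under repo_root.
    In CI this would be pointed at the checked-out working tree."""
    found = []
    for dirpath, dirnames, _files in os.walk(repo_root):
        if "node_modules" in dirnames:
            found.append(Path(dirpath) / "node_modules")
            dirnames.remove("node_modules")  # do not descend into nested trees
    return found


def _inspect(pkg_json, results):
    """Record the lifecycle scripts declared by one package.json, if any."""
    try:
        data = json.loads(pkg_json.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return  # unreadable or malformed manifest: nothing to report here
    scripts = data.get("scripts") or {}
    hooks = [name for name in LIFECYCLE_SCRIPTS if name in scripts]
    if hooks:
        results[data.get("name", pkg_json.parent.name)] = hooks


def packages_with_lifecycle_scripts(node_modules_dir):
    """Map package name -> declared lifecycle scripts for every package
    directly under node_modules, including scoped @org/name packages."""
    results = {}
    nm = Path(node_modules_dir)
    for pkg_json in nm.glob("*/package.json"):
        _inspect(pkg_json, results)
    for pkg_json in nm.glob("@*/*/package.json"):
        _inspect(pkg_json, results)
    return results


def audit_repo(repo_root):
    """Return a list of human-readable findings; an empty list means no
    committed node_modules directory was found."""
    findings = []
    for nm in find_committed_node_modules(repo_root):
        findings.append(f"committed dependency tree: {nm.relative_to(repo_root)}")
        for name, hooks in sorted(packages_with_lifecycle_scripts(nm).items()):
            findings.append(f"  {name} declares lifecycle script(s): {', '.join(hooks)}")
    return findings


def build_sample_repo():
    """Construct a throwaway repository layout (sample data, not a real
    project): one harmless package and one that declares a postinstall hook."""
    root = Path(tempfile.mkdtemp(prefix="vendored-demo-"))
    nm = root / "node_modules"
    (nm / "demo-util").mkdir(parents=True)
    (nm / "demo-util" / "package.json").write_text(
        json.dumps({"name": "demo-util", "version": "1.0.0"}), encoding="utf-8"
    )
    (nm / "@example" / "hook-demo").mkdir(parents=True)
    (nm / "@example" / "hook-demo" / "package.json").write_text(
        json.dumps({"name": "@example/hook-demo",
                    "scripts": {"postinstall": "node setup.js"}}),
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for line in audit_repo(repo):
        print(line)
```

Run against a real checkout, a non-empty result is a signal for the reviewer, not proof of compromise: many legitimate native packages use install hooks. The point is that the bundled-with-ncc approach removes the need to commit node_modules at all, which is what makes a check like this pass trivially.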