AlexRogalskiy / wotd

🌐 Styled Word of the Day API
https://styled-wotd.vercel.app/
GNU General Public License v3.0
1 stars 1 forks source link

[Security] Workflow release-drafter.yml is using vulnerable action release-drafter/release-drafter #478

Open akulpillai opened 2 years ago

akulpillai commented 2 years ago

The workflow release-drafter.yml is referencing action release-drafter/release-drafter using references v5.7.0. However this reference is missing the commit 70eb821099dbcd875c2cba75dad4332d3cf5544d which may contain fix to the some vulnerability. The vulnerability fix that is missing by actions version could be related to: (1) CVE fix (2) upgrade of vulnerable dependency (3) fix to secret leak and others. Please consider to update the reference to the action.

boring-cyborg[bot] commented 2 years ago

Thanks so much for opening up your first issue here on the repository! πŸŽ‰ We would like to warmly welcome you to the community behind the app! ☺️ We'll check in soon and have a look at your issue. In the meantime, you can check your issue and make sure it aligns with our contribution guidelines! Here's the comprehensive list:

Enhancements

An enhancement takes a feature and improves or alters its behaviour. Please make sure to argue how your proposition will aid non-technical text workers, and why it can't be emulated easily with other features or apps!

Feature requests

Feature requests introduce whole new features into the app. This requires a lot of work, so these might be turned down if the implementation costs supersede the benefits we expect to see from implementing it. Please do not be disappointed if that happens. It likely has nothing to do with your great request but simply with us and our missing resources! You can of course always ask someone to implement this feature, because a PR with a working new feature has much higher chances of being merged! :)

Bug reports

Please note that one of the main reasons for why bug reports cannot be addressed is that there's not enough information for us to find and fix the bug you describe, so make sure you try to pinpoint the bug as close as possible. The ideal bug report for us has two qualities:

  1. The bug is always reproducible, at least within a certain context. 2. We know exactly what specifically goes wrong, and there is consensus on what should happen instead.

Please note that if you encounter behaviour that does not align with your expectations of what would happen, this might as well be simply intended behaviour and we need to simply clarify why the behaviour is the way it is. This is not to be considered a bug and such issues may be closed! Suggest an enhancement instead! But now, have a great day and thank you again!

github-actions[bot] commented 2 years ago

πŸ‘‹ Thanks for reporting!