EPMatt / awesome-ha-blueprints

A curated collection of automation blueprints for Home Assistant.
https://epmatt.github.io/awesome-ha-blueprints
GNU General Public License v3.0
825 stars 247 forks

[Security] Workflow ci_pr.yml is using vulnerable action reviewdog/action-eslint #217

Closed fockboi-lgtm closed 2 years ago

fockboi-lgtm commented 2 years ago

The workflow ci_pr.yml is referencing the action reviewdog/action-eslint using the reference v1. However, this reference is missing the commit 7b45345d875d4979afe88b630dbc01a40e8a2e91, which may contain a fix for some vulnerability. The vulnerability fix that is missing from the action's version could be related to: (1) a CVE fix, (2) an upgrade of a vulnerable dependency, (3) a fix for a secret leak, and others. Please consider updating the reference to the action.

EPMatt commented 2 years ago

Hi @fockboi-lgtm,

Thank you for reporting the vulnerability. Even if the v1 tag should track the latest v1 minor version, I'll force the action to the latest version in the workflow config file.

Thanks again. :)
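
The tag-versus-commit distinction raised in this thread can be checked mechanically. The following is an added example, not part of the original issue or the project's code: it scans workflow text for `uses:` references and reports those that point at a movable tag or branch rather than a full 40-character commit SHA. The sample workflow is constructed; only the action name, the `v1` ref and the commit hash are taken from the issue, and the function names are assumptions of this example.

```python
import re

# Matches a step-level `uses:` entry, with or without the leading list dash.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not the repository's real ci_pr.yml).
SAMPLE_WORKFLOW = """\
name: ci-pr
on: pull_request
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: eslint
        uses: reviewdog/action-eslint@v1
      - uses: reviewdog/action-eslint@7b45345d875d4979afe88b630dbc01a40e8a2e91
      - uses: ./.github/actions/local-check
"""


def classify_ref(target):
    """Return (action, ref, kind) for one `uses:` target."""
    if target.startswith("./"):
        return target, None, "local"    # action stored in the same repository
    if target.startswith("docker://"):
        return target, None, "docker"   # container image, pinned by digest instead
    action, sep, ref = target.partition("@")
    if not sep or not ref:
        return action, None, "unpinned"
    if FULL_SHA_RE.match(ref.lower()):
        return action, ref, "sha"       # full commit hash: cannot be moved later
    return action, ref, "mutable"       # tag, branch or abbreviated hash


def audit_workflow(text):
    """List every `uses:` reference in the workflow text with its pin kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify_ref(m.group(1))
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind})
    return findings


def mutable_refs(text):
    """Only the references whose target can change without a workflow edit."""
    return [f for f in audit_workflow(text) if f["kind"] in ("mutable", "unpinned")]
```
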

github-actions[bot] commented 2 years ago

Hi there,

🔒 This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new ticket for related bugs.

Thanks!