actions / download-artifact

MIT License

[bug] Node incompatibility: [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues #283

Open TWiStErRob opened 10 months ago

TWiStErRob commented 10 months ago

What happened?

(node:2153) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use node --trace-deprecation ... to show where the warning was created)

Downloading single artifact
Preparing to download the following artifacts:
- SVG 34 (ID: 1199516438, Size: 1699777)
Redirecting to blob download url: https://productionresultssa1.blob.core.windows.net/actions-results/8e6d9f3f-6e3b-4c8e-83f4-f8e0f26bf973/workflow-job-run-e699d37f-058b-58cc-a4dc-39f1e1e20eb1/artifacts/3fb626b8b321bb42f173a9d27aebdf4dfa5873cca35cd8b44494ca76cc72f5e1.zip
Starting download of artifact to: /home/runner/work/net.twisterrob.inventory/net.twisterrob.inventory/downloads/SVG 34
(node:2153) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Artifact download completed successfully.
Total of 1 artifact(s) downloaded
Download artifact has finished successfully

What did you expect to happen?

No security vulnerabilities by first party actions.

How can we reproduce it?

      - uses: actions/download-artifact@v4
        with:
          name: 'artifact-name'
          path: 'downloads/my-artifact'

Anything else we need to know?

According to https://github.com/actions/download-artifact/issues?q=is%3Aissue+is%3Aopen+DeprecationWarning, this has been ongoing for more than a year.

What version of the action are you using?

v4.1.1

What are your runner environments?

linux

Are you on GitHub Enterprise Server? If so, what version?

no

muzimuzhi commented 10 months ago

It seems the direct culprit is @actions/artifact, one of this action's dependencies. See detailed analysis and proposal in

TWiStErRob commented 10 months ago

@mmu100 elaborate please

mashail commented 4 months ago

This could happen if the same file exists on the machine in the same path, as the action cannot overwrite it. I had the same issue and it was due to files existing with the same name and path.

muzimuzhi commented 4 months ago

It seems the direct culprit is @actions/artifact, one of this action's dependencies. See detailed analysis and proposal in

This issue should have been addressed in download-artifact v4.1.5 (2024-04-18) (the latest one is v4.1.8.)

According to https://github.com/actions/toolkit/issues/1618#issuecomment-1925416310, what's needed is to update archiver, one of the dependencies of @actions/artifact, from 5.3.1 to at least 6.0.0.

download-artifact v4.1.5 updated @actions/artifact from ^2.1.1 to ^2.1.5, with archiver updated from ^5.3.1 to ^7.0.1, thus fixing the current issue. See https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5.
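
An added example, not part of the comment above or of the action's own code: a Node.js check that scans a `package-lock.json` for installed copies of archiver older than the 6.0.0 named above and lists the packages that request it. The lock fragment is constructed for illustration and the helper names (`packageName`, `isBelow`, `findOutdated`) are hypothetical.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3). Ranges mirror the
// ones named in the thread; the installed versions and layout are assumptions.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "download-artifact", dependencies: { "@actions/artifact": "^2.1.1" } },
    "node_modules/@actions/artifact": {
      version: "2.1.1",
      dependencies: { archiver: "^5.3.1" },
    },
    "node_modules/archiver": { version: "5.3.1" },
  },
};

// Package name is whatever follows the last "node_modules/" in the lock key.
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? "" : lockKey.slice(i + marker.length);
}

// Numeric comparison of "major.minor.patch"; pre-release tags are ignored.
function isBelow(version, minimum) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Returns every installed copy of `name` older than `minimum`, together with
// the packages whose manifests request it (the chain to bump upstream).
// Simplification: it does not resolve which nested copy each dependent gets.
function findOutdated(lock, name, minimum) {
  const entries = Object.entries(lock.packages || {});
  const requestedBy = entries
    .filter(([, meta]) => meta.dependencies && name in meta.dependencies)
    .map(([key, meta]) => ({
      dependent: packageName(key) || "(root)",
      version: meta.version || null,
      range: meta.dependencies[name],
    }));
  return entries
    .filter(([key, meta]) => packageName(key) === name && isBelow(meta.version, minimum))
    .map(([key, meta]) => ({ path: key, version: meta.version, requestedBy }));
}

console.log(JSON.stringify(findOutdated(sampleLock, "archiver", "6.0.0"), null, 2));
```

Pass the parsed contents of a real lockfile in place of `sampleLock`; an empty result means no installed copy is below the minimum.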

MestreLion commented 6 days ago

Any news on this?

It's pretty unsettling when a "blessed" GitHub Action emits a DeprecationWarning regarding a security vulnerability.