advanced-security / maven-dependency-submission-action

GitHub Action for submitting Maven dependencies
MIT License

Github action broken with 4.0.1 #65

Closed ydaveluy closed 6 months ago

ydaveluy commented 8 months ago

Release 4.0.1 raises this error in GitHub Actions:

ReferenceError: require is not defined in ES module scope, you can use import instead
This file is being treated as an ES module because it has a '.js' file extension and '/home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/dist/package.json' contains "type": "module". To treat it as a CommonJS script, rename it to use the '.cjs' file extension.
    at eval (eval at 5178 (file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/node_modules/@vercel/ncc/dist/ncc/@@notfound.js:1:1), <anonymous>:1:1)
    at Object.5178 (file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/node_modules/@vercel/ncc/dist/ncc/@@notfound.js:1:1)
    at __nccwpck_require__ (file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/webpack/bootstrap:21:1)
    at file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/dist/index.js:30938:35
    at file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/dist/index.js:30986:3
    at ModuleJob.run (node:internal/modules/esm/module_job:217:25)
    at ModuleLoader.import (node:internal/modules/esm/loader:316:24)
    at loadESM (node:internal/process/esm_loader:34:7)
    at handleMainPromise (node:internal/modules/run_main:66:12)

My project pipeline is available here : https://github.com/ThalesGroup/xsmp-modeler-core/actions/runs/7920338388/job/21629031180

jorsmatthys commented 8 months ago

Same, we upgraded our workflows to use 'v4' yesterday (when v4.0.0 was still the latest), tested, and everything was working, then this morning we got reports of workflows failing with the message above.

scordio commented 8 months ago

Another example at: https://github.com/assertj/assertj/actions/runs/7927779861/job/21644776887

wdittmer-jumbo commented 8 months ago

Pinning it to 4.0.0 seems to work: uses: advanced-security/maven-dependency-submission-action@v4.0.0

But hopefully it is fixed soon instead of having to go over all pipelines and set them to 4.0.0.

fugerit79 commented 8 months ago

Same here.

Using it on many workflows

Tag v4.0.0 is working: https://github.com/fugerit-org/query-export-tool/actions/runs/7942612673

Tag v4 is broken: https://github.com/fugerit-org/query-export-tool/actions/runs/7942591428

Any plan of quick fix?

Thanks in advance.

fugerit79 commented 8 months ago

While waiting for a fix, I'm adding this condition to my workflows:

https://github.com/fugerit-org/query-export-tool/blob/main/.github/workflows/build_maven_package.yml

      # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
      - name: Update dependency graph
        # if DISABLE_MAVEN_DEPENDENCY_SUBMISSION is set to true, skip this step
        if: ${{ vars.DISABLE_MAVEN_DEPENDENCY_SUBMISSION != 'true' }}
        uses: advanced-security/maven-dependency-submission-action@main

Setting the GitHub variable DISABLE_MAVEN_DEPENDENCY_SUBMISSION to true at account level disables the step. (I decided to do this as it is an optional step; skipping it does not completely compromise the result.)
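
The snippet above references the action as @main, and the rest of the thread shows the floating @v4 tag being re-pointed at a broken release. Both are references that change without any edit to the workflow, and several commenters note they now have to go over every pipeline. The following Python script is an added example, not code from this thread or from the maven-dependency-submission-action project: it scans workflow YAML text for uses: lines and classifies each reference as a full commit SHA, a release tag, a floating major tag, or a branch, then lists the ones that can move. The sample workflow embedded in it, including the 40-character SHA, is constructed for the example and is not a real commit.

```python
"""Audit GitHub Actions workflow text for how each action reference is pinned.

Hypothetical helper written for this example; it is not part of
maven-dependency-submission-action or of any workflow in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# `uses:` lines: optional list dash, optional quotes, optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA: the only immutable reference
RELEASE_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")  # v4.0.0, 4.0.1, v1.2.3-rc1
MAJOR_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")     # v4, v4.0: re-pointed on every release


@dataclass
class ActionRef:
    action: str
    ref: str
    comment: str
    kind: str  # sha | release-tag | floating-tag | branch | local | docker


def classify_ref(ref: str) -> str:
    """Classify the part after '@'. Anything that is not a SHA or a tag is a branch."""
    if SHA_RE.match(ref):
        return "sha"
    if RELEASE_TAG_RE.match(ref):
        return "release-tag"
    if MAJOR_TAG_RE.match(ref):
        return "floating-tag"
    return "branch"


def audit_workflow(text: str) -> List[ActionRef]:
    """Extract every `uses:` reference from workflow YAML text, in file order."""
    refs = []
    for m in USES_RE.finditer(text):
        target = m.group(1)
        comment = (m.group(2) or "").lstrip("# ").strip()
        if target.startswith("./"):
            refs.append(ActionRef(target, "", comment, "local"))
        elif target.startswith("docker://"):
            refs.append(ActionRef(target, "", comment, "docker"))
        else:
            action, _, ref = target.partition("@")
            # No '@' at all means the action's default branch is used.
            refs.append(ActionRef(action, ref, comment, classify_ref(ref) if ref else "branch"))
    return refs


def findings(refs: List[ActionRef]) -> List[str]:
    """Describe each reference whose target can change without a workflow edit."""
    out = []
    for r in refs:
        if r.kind == "branch":
            out.append(f"{r.action}: branch '{r.ref or '(default)'}' changes on every push")
        elif r.kind == "floating-tag":
            out.append(f"{r.action}: floating tag '{r.ref}' is re-pointed on each release")
        elif r.kind == "release-tag":
            out.append(f"{r.action}: release tag '{r.ref}' is stable in practice, "
                       "but a tag can be moved; the commit SHA cannot")
        elif r.kind == "sha" and not re.match(r"v?\d", r.comment):
            out.append(f"{r.action}: SHA-pinned, but add a '# vX.Y.Z' comment "
                       "so the version is readable in review")
    return out


# Constructed sample workflow. The 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1 (placeholder SHA)
      - uses: actions/setup-java@v4
      - name: Update dependency graph
        if: ${{ vars.DISABLE_MAVEN_DEPENDENCY_SUBMISSION != 'true' }}
        uses: advanced-security/maven-dependency-submission-action@main
      - uses: advanced-security/maven-dependency-submission-action@v4.0.0
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line in findings(audit_workflow(SAMPLE_WORKFLOW)):
        print(line)
```

Run it over the text of each file under .github/workflows. The release-tag finding is advisory; the branch and floating-tag findings are the two cases this thread hit, and a SHA pin with a version comment is the form that neither a moved tag nor a push to a branch can change.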

wjglerum commented 8 months ago

Experiencing the same errors on multiple repositories now, which are blocking the PR merges right now. Will probably disable it for now.

wjglerum commented 8 months ago

@peter-murray any feedback? Seems like this PR broke things for everyone https://github.com/advanced-security/maven-dependency-submission-action/pull/62

ecki commented 8 months ago

Dependabot will upgrade to the 4.0.1 hash and in the process break builds. What's worse, most configs do not submit in PR builds and therefore do not detect the problem there.

ianrobrien commented 8 months ago

I'm having this issue in my private and public repos. Also in all of my organization's repos.

For now I've just pinned to version v4.0.0 and told Dependabot to ignore this minor version.

Any idea what the fix is? I thought it could be due to permissions but adding contents write hasn't helped.

felickz commented 8 months ago

While we wait for a fix, the @v4 floating version should be back to the old behavior. The change in 4.0.1 was rolled back in 4.0.2.

See #70