brave / brave-talk

Unlimited private video calls with your friends and colleagues
Mozilla Public License 2.0

Update actions/upload-artifact action to v4.3.4 #1461

Closed renovate[bot] closed 4 months ago

renovate[bot] commented 4 months ago


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/upload-artifact | action | patch | v4.3.3 -> v4.3.4 |

Release Notes

actions/upload-artifact (actions/upload-artifact)

### [`v4.3.4`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update [@actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://togithub.com/actions/upload-artifact/pull/584)

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4

Configuration

📅 Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

github-actions[bot] commented 4 months ago

[puLL-Merge] - actions/upload-artifact@v4.3.3..v4.3.4

Description

This PR updates the @actions/artifact dependency from version 2.1.6 to 2.1.8 and makes corresponding changes to the codebase. The main changes involve simplifying the artifact extraction process and improving header handling in HTTP requests.

Changes

1. `.licenses/npm/@actions/artifact.dep.yml`:
   - Updated the version of `@actions/artifact` from 2.1.6 to 2.1.8.
2. `dist/merge/index.js`:
   - Removed imports for `stream`, `fs`, and `path` modules, which are no longer needed.
   - Simplified the `streamExtractExternal` function:
     - Removed custom directory creation and file writing logic.
     - Now uses `unzip-stream.Extract` directly to extract files.
   - Updated the `isGhes` function to handle `.LOCALHOST` domains separately.
   - Added new utility functions for handling HTTP headers and parsing metadata.
   - Improved base64 comparison logic in the `bytesMatch` function.
   - Updated the regular expression for parsing hash options in `parseHashWithOptions`.
3. `dist/upload/index.js`:
   - Similar changes as in `dist/merge/index.js`.
4. `package.json`:
   - Updated the version of the `upload-artifact` package from 4.3.3 to 4.3.4.
   - Updated the `@actions/artifact` dependency to version 2.1.8.

Possible Issues

No major non-security issues are apparent in this change.

Security Hotspots

  1. The removal of the custom extraction logic in streamExtractExternal could potentially introduce security risks if the new implementation doesn't properly handle path traversal attacks. However, this is likely mitigated by the unzip-stream library's implementation.

  2. The changes to header handling in the shouldRemoveHeader function now explicitly check for the proxy-authorization header. This is a security improvement as it ensures this sensitive header is properly handled in redirects.

Overall, this update appears to improve security by simplifying the code and using more robust libraries for artifact extraction.