ilammy / msvc-dev-cmd

GitHub Action to setup Developer Command Prompt for Microsoft Visual C++
MIT License

Bump `@actions/core` to 1.9.1 #56

Closed ilammy closed 1 year ago

ilammy commented 1 year ago

Fixes CVE-2022-35954.

ilammy commented 1 year ago

Oh wow, now it pulls in a bunch of dependencies 😢

RIP going months without a CVE in the codebase. Bracing for getting notifications about them every week.

pzhlkj6612 commented 1 year ago

Well, the "node_modules" entry in .gitignore didn't work?

ilammy commented 1 year ago

Hm... Seems to be something with my local clone 😞 When I prepared the change, I saw updates in node_modules, so naturally git added them. I think that was some remnant of the past, or something.

I believe node_modules with production dependencies is needed only on the release branch, since actions expect everything to be vendored and ready for them.

pzhlkj6612 commented 1 year ago

IIRC, adding a Git-ignored item is not that easy: git - Force add despite the .gitignore file - Stack Overflow.

Anyway, I've seen #57 and it's alright now. :)