peter-murray / workflow-application-token-action

GitHub Action that will get a scoped short lived token for Actions workflows using a GitHub Application.
MIT License
175 stars 43 forks source link

Security Vulnerabilities Detected #38

Open goffinfnbs opened 9 months ago

goffinfnbs commented 9 months ago

Within the Enterprise that I work, we follow a process for approving marketplace GitHub actions.

The review process includes scanning the source code (using GitHub Advanced Security with the security-extended suite) for vulnerabilities and when we did so yesterday (05/02/2024) there were TWO (2) HIGH severity vulnerabilities reported. Our internal policy does not allow approval for actions where High (or higher) severity vulnerabilities are present.

image

Could you please resolve the the vulnerabilities and issue a new release ?

Version Reviewed: Latest source code (cloned repository)

Reproduce by: Executing a GitHub Advanced Security scan using the security-extended suite

peter-murray commented 5 months ago

This is coming from a minified source map, this is not run, but used to determine errors from stack traces back to the legitimate source files in the source code or dependencies. @vercel/ncc is creating this file when producing the actual source code that is run in the post/index.js file.