Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Potentially affected by the security issue in changed-files #2303

Closed
4 tasks done
wyardley opened this issue Mar 15, 2025 · 0 comments · Fixed by #2305
Closed
4 tasks done

[BUG] Potentially affected by the security issue in changed-files #2303

wyardley opened this issue Mar 15, 2025 · 0 comments · Fixed by #2305
Labels
bug Something isn't working

Comments

@wyardley
Copy link

wyardley commented Mar 15, 2025
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Does this issue exist in the latest version?

  • I'm using the latest release

Describe the bug?

Since this pins to a loose of changed-files and not a specific sha, it may well also be affected by the issue described in
tj-actions/changed-files#2464 and tj-actions/changed-files#2463.

To Reproduce

  1. Use this project
  2. There is no step 2

What OS are you seeing the problem on?

all, ubuntu-latest or ubuntu-22.04

Expected behavior?

Relevant log output

Has all relevant logs been included?

  • I've included all relevant logs

Anything else?

I tested pinning this to a recent sha and don't see any base64 encoded secrets in output. However I think it would probably be smart to pin indirect uses like this, since from what I can see, I don't think users can pin indirect dependencies?

Code of Conduct

  • I agree to follow this project's Code of Conduct
@wyardley wyardley added the bug Something isn't working label Mar 15, 2025
@wyardley wyardley changed the title [BUG] Affected by the security issue in changed-files [BUG] Potentially affected by the security issue in changed-files Mar 15, 2025
@jackton1 jackton1 linked a pull request Mar 17, 2025 that will close this issue
security: pin tj-actions changed-files to commit hash #2305
Merged
@jackton1 jackton1 mentioned this issue Mar 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

security: pin tj-actions changed-files to commit hash tj-actions/eslint-changed-files
1 participant
@wyardley