
@actions/cache@4.0.0 triggers SNYK-JS-INFLIGHT-6095116 vulnerability warning #1901

Open
MikeMcC399 opened this issue Dec 9, 2024 · 3 comments
Labels
attention Requires follow-up from maintainers bug Something isn't working cache

Comments

MikeMcC399 commented Dec 9, 2024

@actions/cache@4.0.0 is triggering a vulnerability warning https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

The dependencies are

└─┬ @actions/cache@4.0.0
  └─┬ twirp-ts@2.5.0
    └─┬ dot-object@2.1.5
      └─┬ glob@7.2.3
        └── inflight@1.0.6

$ npm view glob@7.2.3 deprecated
Glob versions prior to v9 are no longer supported

$ npm view inflight deprecated
This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
@MikeMcC399 (Author)

The supportability of twirp-ts and its transient dependencies appears to be questionable:

twirp-ts was introduced by @actions/cache@4.0.0 and was not used by @actions/cache@3.2.0. Deprecations have been introduced through @actions/cache@4.0.0.

Logs

@actions/cache@3.3.0

$ npm install @actions/cache@3

added 61 packages, and audited 62 packages in 3s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

@actions/cache@4.0.0

$ npm install @actions/cache@4
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

added 25 packages, changed 1 package, and audited 87 packages in 2s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
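The dependency chain in the first comment and the `npm warn deprecated` lines in the install log above are exactly what a reviewer has to correlate by hand when a transitive dependency like inflight is flagged. The following script is an added example, not code from this issue or from @actions/cache: it walks a dependency tree in the shape that `npm ls --json --all` produces (a nested `dependencies` object with a `version` per entry), reports every path from the root to a named package, and parses deprecation warnings out of captured `npm install` output so each warning can be explained by the path that pulls the package in. The tree and the log lines are constructed inline to mirror the ones shown in the issue; the function names are the author's own and are not part of any npm API.

```javascript
// Added example: explain npm deprecation warnings by locating the dependency
// path that introduces each deprecated package. Not part of @actions/cache.

// Constructed sample in the shape of `npm ls --json --all`, mirroring the
// chain reported in the issue (@actions/cache -> twirp-ts -> dot-object -> glob -> inflight).
const sampleTree = {
  name: "my-action",
  dependencies: {
    "@actions/cache": {
      version: "4.0.0",
      dependencies: {
        "twirp-ts": {
          version: "2.5.0",
          dependencies: {
            "dot-object": {
              version: "2.1.5",
              dependencies: {
                glob: {
                  version: "7.2.3",
                  dependencies: { inflight: { version: "1.0.6" } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Constructed sample of `npm install` output, copied from the warnings above.
const sampleInstallLog = [
  "npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it.",
  "npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported",
  "",
  "added 25 packages, changed 1 package, and audited 87 packages in 2s",
].join("\n");

// Depth-first walk: returns every path (as "name@version" segments) from the
// root to a dependency called `target`. A package pulled in by several parents
// yields one path per parent, which is what you need when deciding whom to
// ask for an upgrade.
function findPaths(tree, target, prefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, `${name}@${info.version}`];
    if (name === target) hits.push(path);
    hits.push(...findPaths(info, target, path));
  }
  return hits;
}

// npm prints "npm warn deprecated <name>@<version>: <reason>" (older versions
// use upper-case WARN). The lazy `\S+?` keeps scoped names such as @scope/pkg
// intact, because the first "@" of a scope is not the version separator.
const DEPRECATION_RE = /^npm warn deprecated (\S+?)@(\S+): (.*)$/i;

function parseDeprecations(log) {
  return log
    .split("\n")
    .map((line) => line.match(DEPRECATION_RE))
    .filter(Boolean)
    .map((m) => ({ name: m[1], version: m[2], reason: m[3] }));
}

// Join the two: for each deprecation warning, list the paths in the tree that
// introduce the package, so the report names the direct dependency to act on.
function explainDeprecations(tree, log) {
  return parseDeprecations(log).map((dep) => ({
    package: `${dep.name}@${dep.version}`,
    reason: dep.reason,
    paths: findPaths(tree, dep.name).map((p) => p.join(" > ")),
  }));
}

// Stand-alone run: print the report for the constructed sample.
for (const entry of explainDeprecations(sampleTree, sampleInstallLog)) {
  console.log(`${entry.package}: ${entry.reason}`);
  for (const p of entry.paths) console.log(`  via ${p}`);
}
```

On a real project, replace the constructed tree with `JSON.parse` of `npm ls --json --all` output and the log with the captured stderr of `npm install`; the report then shows that both warnings trace back to a single direct dependency, which is the package whose upgrade or replacement actually removes them.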

@MikeMcC399 (Author)

The maintainers of twirp-ts state in hopin-team/twirp-ts#73 (comment)

This package is in maintenance mode and we don't plan to do any new releases.
Our suggestion is that you fork the repo or find another fork that has been actively maintained.

The addition of twirp-ts to @actions/cache@4.0.0 is therefore problematic.

I ran their CI workflow twirp-ts.yaml (Build & Test) against Node.js 18 - 23. The workflow passes on Node.js 18 and fails on higher versions 20 - 23. This is also not good.

Link- added the labels cache and attention (Requires follow-up from maintainers) on Dec 16, 2024