chore(deps): bump actions/setup-node from 6 to 7#379
Conversation
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6 to 7. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v6...v7) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
| with: | ||
| version: 7.6.0 | ||
| - uses: actions/setup-node@v6 | ||
| - uses: actions/setup-node@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
GitHub Actions step uses mutable version tag v7 instead of a pinned commit SHA, allowing the action owner to silently update the tag to malicious code and compromise your CI/CD pipeline.
More details about this
The GitHub Actions step references actions/setup-node using the mutable version tag v7, which can be silently repointed to a different commit by the action owner without your knowledge or approval.
Exploit scenario:
- An attacker gains control of the
actions/setup-noderepository or the GitHub account that maintains it - They update the
v7tag to point to a malicious commit containing backdoored code that steals secrets or injects code into your build - Your workflow runs and uses the compromised
v7tag—since tags can be moved, you automatically run the attacker's malicious version - The backdoored Node.js setup step now has access to
GITHUB_TOKENand repository secrets, allowing the attacker to exfiltrate them or modify your code
This mirrors real attacks like the trivy-action and kics-github-action compromises, where attackers exploited mutable tag references to inject malicious code into CI/CD pipelines.
To resolve this comment:
✨ Commit fix suggestion
- Replace the mutable action reference
actions/setup-node@v7with a full 40-character commit SHA for the exact action version you want to keep using. - Resolve the SHA from the
v7release in theactions/setup-noderepository, then update the step to useuses: actions/setup-node@<full-40-char-sha>. - Keep the existing
with:settings unchanged, for examplenode-version: '16'andcache: 'pnpm', and only change theuses:value. Pinning to a commit SHA prevents the action owner from silently moving the tag to different code later.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
Need help? Review go/semgrep-playbook or Reach out in #security-vulnerabilities on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
| with: | ||
| version: 7.6.0 | ||
| - uses: actions/setup-node@v6 | ||
| - uses: actions/setup-node@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The actions/setup-node@v7 reference uses a mutable tag instead of a pinned commit SHA, allowing the action owner to silently update what code runs in your workflow.
More details about this
The actions/setup-node@v7 step uses a mutable version tag (v7) instead of a pinned commit SHA. Since v7 is a floating tag, the action owner can silently update what code runs under this tag without your knowledge.
Attack scenario: An attacker who compromises the actions/setup-node repository could push a malicious update to the v7 tag. The next time this workflow runs, your job would execute the compromised version of setup-node, potentially allowing the attacker to:
- Inject malicious code into your build environment
- Exfiltrate your
GITHUB_TOKEN(which has permissions to push to your repository) - Modify your source code or build artifacts before they're deployed
This mirrors real-world supply-chain attacks like the trivy-action and kics-github-action compromises, where attackers gained access through mutable action references and used it to push malicious code to users' repositories.
To resolve this comment:
✨ Commit fix suggestion
-
Replace the mutable action reference
actions/setup-node@v7with a full 40-character commit SHA for the exactv7release you intend to trust, for exampleuses: actions/setup-node@<full-40-char-sha>. -
Keep the existing
withblock unchanged so only the action reference changes. -
Get the SHA from the
actions/setup-noderelease or tag you want to use, then pin that exact commit in the workflow file. Pinning to a commit prevents the action owner from movingv7to different code later.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
Need help? Review go/semgrep-playbook or Reach out in #security-vulnerabilities on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
Bumps actions/setup-node from 6 to 7.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
8207627Migrate to ESM and upgrade dependencies (#1574)04be95cAdd cache-primary-key and cache-matched-key as outputs (#1577)7c2c68ddocs: Update caching recommendations to mitigate cache poisoning risks (#1567)6a61c03Merge pull request #1569 from jasongin/update-actions-cache-5.1.030eb73bResolve high-severity audit issues4e1a87aUpdate dist360237fStrict equality4f8aac5Bump@actions/cacheto 5.1.0, log cache write deniedf4a67bbOnly usemirrorTokeningetManifestif it's provided (#1548)0355742Remove dummy NODE_AUTH_TOKEN export (#1558)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
CI-only dependency bump with unchanged Node version and pnpm cache settings; main v7 risk is cache/action behavior changes, which should surface in workflow runs.
Overview
Upgrades
actions/setup-nodefrom v6 to v7 in the release and pull-request CI workflows.Both jobs still use Node 16 and
cache: 'pnpm'; only the action version reference changes.Reviewed by Cursor Bugbot for commit f62e1c8. Bugbot is set up for automated code reviews on this repo. Configure here.