Skip to content

chore(deps): bump actions/setup-node from 6 to 7#379

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-7
Open

chore(deps): bump actions/setup-node from 6 to 7#379
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-node from 6 to 7.

Release notes

Sourced from actions/setup-node's releases.

v7.0.0

What's Changed

Enhancements:

Bug fixes:

Documentation updates:

Dependency update:

New Contributors

Full Changelog: actions/setup-node@v6...v7.0.0

v6.5.0

What's Changed

Full Changelog: actions/setup-node@v6.4.0...v6.5.0

v6.4.0

What's Changed

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

What's Changed

Enhancements:

... (truncated)

Commits
  • 8207627 Migrate to ESM and upgrade dependencies (#1574)
  • 04be95c Add cache-primary-key and cache-matched-key as outputs (#1577)
  • 7c2c68d docs: Update caching recommendations to mitigate cache poisoning risks (#1567)
  • 6a61c03 Merge pull request #1569 from jasongin/update-actions-cache-5.1.0
  • 30eb73b Resolve high-severity audit issues
  • 4e1a87a Update dist
  • 360237f Strict equality
  • 4f8aac5 Bump @​actions/cache to 5.1.0, log cache write denied
  • f4a67bb Only use mirrorToken in getManifest if it's provided (#1548)
  • 0355742 Remove dummy NODE_AUTH_TOKEN export (#1558)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
CI-only dependency bump with unchanged Node version and pnpm cache settings; main v7 risk is cache/action behavior changes, which should surface in workflow runs.

Overview
Upgrades actions/setup-node from v6 to v7 in the release and pull-request CI workflows.

Both jobs still use Node 16 and cache: 'pnpm'; only the action version reference changes.

Reviewed by Cursor Bugbot for commit f62e1c8. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6 to 7.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v6...v7)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jul 14, 2026
with:
version: 7.6.0
- uses: actions/setup-node@v6
- uses: actions/setup-node@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

GitHub Actions step uses mutable version tag v7 instead of a pinned commit SHA, allowing the action owner to silently update the tag to malicious code and compromise your CI/CD pipeline.

More details about this

The GitHub Actions step references actions/setup-node using the mutable version tag v7, which can be silently repointed to a different commit by the action owner without your knowledge or approval.

Exploit scenario:

  1. An attacker gains control of the actions/setup-node repository or the GitHub account that maintains it
  2. They update the v7 tag to point to a malicious commit containing backdoored code that steals secrets or injects code into your build
  3. Your workflow runs and uses the compromised v7 tag—since tags can be moved, you automatically run the attacker's malicious version
  4. The backdoored Node.js setup step now has access to GITHUB_TOKEN and repository secrets, allowing the attacker to exfiltrate them or modify your code

This mirrors real attacks like the trivy-action and kics-github-action compromises, where attackers exploited mutable tag references to inject malicious code into CI/CD pipelines.

To resolve this comment:

✨ Commit fix suggestion
  1. Replace the mutable action reference actions/setup-node@v7 with a full 40-character commit SHA for the exact action version you want to keep using.
  2. Resolve the SHA from the v7 release in the actions/setup-node repository, then update the step to use uses: actions/setup-node@<full-40-char-sha>.
  3. Keep the existing with: settings unchanged, for example node-version: '16' and cache: 'pnpm', and only change the uses: value. Pinning to a commit SHA prevents the action owner from silently moving the tag to different code later.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

Need help? Review go/semgrep-playbook or Reach out in #security-vulnerabilities on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.

with:
version: 7.6.0
- uses: actions/setup-node@v6
- uses: actions/setup-node@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

The actions/setup-node@v7 reference uses a mutable tag instead of a pinned commit SHA, allowing the action owner to silently update what code runs in your workflow.

More details about this

The actions/setup-node@v7 step uses a mutable version tag (v7) instead of a pinned commit SHA. Since v7 is a floating tag, the action owner can silently update what code runs under this tag without your knowledge.

Attack scenario: An attacker who compromises the actions/setup-node repository could push a malicious update to the v7 tag. The next time this workflow runs, your job would execute the compromised version of setup-node, potentially allowing the attacker to:

  1. Inject malicious code into your build environment
  2. Exfiltrate your GITHUB_TOKEN (which has permissions to push to your repository)
  3. Modify your source code or build artifacts before they're deployed

This mirrors real-world supply-chain attacks like the trivy-action and kics-github-action compromises, where attackers gained access through mutable action references and used it to push malicious code to users' repositories.

To resolve this comment:

✨ Commit fix suggestion
  1. Replace the mutable action reference actions/setup-node@v7 with a full 40-character commit SHA for the exact v7 release you intend to trust, for example uses: actions/setup-node@<full-40-char-sha>.

  2. Keep the existing with block unchanged so only the action reference changes.

  3. Get the SHA from the actions/setup-node release or tag you want to use, then pin that exact commit in the workflow file. Pinning to a commit prevents the action owner from moving v7 to different code later.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

Need help? Review go/semgrep-playbook or Reach out in #security-vulnerabilities on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Development

Successfully merging this pull request may close these issues.

0 participants