Situation

npm audit and Dependabot report a high severity vulnerability CVE-2026-26278 (GHSA-jmr7-xgp7-cmfj) in the transient dependency [email protected] of @actions/[email protected]

Change

Update to [email protected] by uninstalling @actions/cache and reinstalling @actions/[email protected]

• Note: the action is not compatible with @actions/cache@6 because this is an ESM-only module. npm run build fails. See enhancement request Migrate to ESM #1647.

Verification

git clean -xfd
npm ci
npm audit --omit=dev

Confirm there are no production severities reported.

• Note: devDependencies currently contain a vulnerability from ajv as a transient dependency of eslint. This is a known open issue requiring action in the eslint repo.