fix: extract 1 unsafe expression(s) to env vars #20713
alexander-akait merged 1 commit into webpack:main from
Conversation
Please accept CLA

I just signed it.

@dagecko your email is different in CLA and commits
Hey @alexander-akait, the commit email is [email protected] which is the same one I used for the CLA. Could you let me know what specifically doesn't match? Happy to fix it.
/easycla

Unfortunately EasyCLA is unhappy, not sure why it doesn't work for you...
Hey @alexander-akait, I just re-signed the CLA through EasyCLA and it looks like it went through this time. Let me know if there's anything else needed.
Merging this PR will degrade performance by 32.08%
Performance Changes
Comparing
This PR is packaged and the instant preview is available (925ba2d). Install it locally:
npm i -D webpack@https://pkg.pr.new/webpack@925ba2d
yarn add -D webpack@https://pkg.pr.new/webpack@925ba2d
pnpm add -D webpack@https://pkg.pr.new/webpack@925ba2d
Security: Harden GitHub Actions workflows
Hey, I found some CI/CD security issues in this repo's GitHub Actions workflows. These are the same vulnerability classes that were exploited in the tj-actions/changed-files supply chain attack. I've been reviewing repos that are affected and submitting fixes where I can.
This PR applies mechanical fixes and flags anything else that needs a manual look. Happy to answer any questions.
Fixes applied
.github/workflows/release-announcement.yml
Additional findings (manual review recommended)
No additional findings beyond the fixes applied above.
Why this matters
GitHub Actions workflows that use untrusted input in run: blocks or reference unpinned third-party actions are vulnerable to code injection and supply chain attacks. These are the same vulnerability classes exploited in the tj-actions/changed-files incident which compromised CI secrets across thousands of repositories.
How to verify
Review the diff, each change is mechanical and preserves workflow behavior:
${{ }} expressions from run: blocks into env: mappings, preventing shell injection
If this PR is not welcome, just close it and I won't send another.
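The rewrite this PR applies by hand (move each `${{ }}` expression out of the `run:` script into an `env:` mapping and reference it as a shell variable) can be expressed as a small transformation. The following is an added example, not the PR's tooling or webpack code; the function names, the `env` variable naming scheme and the sample step are all my own, constructed for illustration.

```python
from __future__ import annotations

import re

# Matches a GitHub Actions expression such as ${{ github.event.issue.title }}.
EXPR_RE = re.compile(r"\$\{\{\s*(?P<expr>[^}]+?)\s*\}\}")


def env_name_for(expr: str) -> str:
    """Turn an expression path into a shell-safe environment variable name,
    e.g. 'github.event.pull_request.title' -> 'GITHUB_EVENT_PULL_REQUEST_TITLE'
    (naming scheme is an assumption of this example)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


def extract_to_env(script: str) -> tuple[str, dict[str, str]]:
    """Rewrite a run: script so every ${{ ... }} becomes ${NAME} and return
    (rewritten script, env mapping NAME -> '${{ expr }}').

    GitHub still evaluates the expression, but its value now reaches the shell
    only through an environment variable, so attacker-controlled text (issue
    titles, branch names, ...) is never pasted into the command line that bash
    parses. An unquoted ${NAME} is still subject to word splitting, so check
    the surrounding quotes when reviewing the rewritten script."""
    env: dict[str, str] = {}

    def replace(match: re.Match) -> str:
        expr = match.group("expr")
        name = env_name_for(expr)
        env[name] = "${{ " + expr + " }}"
        return "${" + name + "}"

    return EXPR_RE.sub(replace, script), env


def render_step(name: str, script: str) -> str:
    """Render a hardened workflow step as YAML text (built by hand, no YAML
    library, so the result is easy to compare against a diff)."""
    new_script, env = extract_to_env(script)
    lines = [f"- name: {name}"]
    if env:
        lines.append("  env:")
        lines += [f"    {key}: {value}" for key, value in env.items()]
    lines.append("  run: |")
    lines += ["    " + line for line in new_script.splitlines()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a PR title is attacker-controlled, so this step is injectable as written.
    UNSAFE = 'echo "Announcing release for: ${{ github.event.pull_request.title }}"\n' \
             'echo "triggered by ${{ github.actor }}"'
    print(render_step("Announce", UNSAFE))
```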