Context
While auditing Dependabot alerts #50 and #51 (CVE-2026-47429 in vitest, fixed by PR #4550), I ran npm audit in .github/actions/auto-label/ and found 3 additional vulns in transitive deps:
- undici — HIGH — multiple CVEs (<6.24.0) incl. WebSocket decompression DoS, request smuggling, unbounded decompression
- @actions/http-client — MODERATE — pulls in vulnerable undici
- @actions/github — MODERATE — pinned to ^6.0.1, but fix is 9.1.1
Fix
All three are fixed by upgrading @actions/github to ^9.1.1 (semver-major). This transitively bumps @actions/http-client and pulls in patched undici.
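One way to confirm the bump actually landed everywhere, including nested copies that npm does not hoist: walk package-lock.json and fail if any resolved undici or @actions/github entry is below the floors named above. Added example, not code from this repository; the sample lock below is constructed to show the nested-copy case, and the floors (undici >= 6.24.0, @actions/github >= 9.1.1) are the ones stated in this issue.

```javascript
// Added example (not the repository's own code): check a lockfileVersion 2/3
// package-lock.json for unpatched copies of the packages named in the issue.
// Version floors come from the issue text; the sample lock is constructed.

const MIN_VERSIONS = {
  undici: '6.24.0',
  '@actions/github': '9.1.1',
};

// Numeric compare of dotted release versions (pre-release tags are not
// expected in a resolved lock entry for these packages).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from a lock key such as
// "node_modules/@actions/http-client/node_modules/undici".
function packageNameFromKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Every resolved package below its floor, hoisted or nested.
// Returns [{ path, name, version, required }].
function findUnpatched(lock, minVersions = MIN_VERSIONS) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    const floor = minVersions[name];
    if (!floor || !entry.version) continue;
    if (compareSemver(entry.version, floor) < 0) {
      findings.push({ path: key, name, version: entry.version, required: floor });
    }
  }
  return findings;
}

// Constructed sample: the hoisted undici is patched, but a nested copy under
// an older @actions/http-client still resolves to a vulnerable release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'auto-label', dependencies: { '@actions/github': '^9.1.1' } },
    'node_modules/@actions/github': { version: '9.1.1' },
    'node_modules/undici': { version: '6.24.0' },
    'node_modules/@actions/http-client': { version: '2.2.1' },
    'node_modules/@actions/http-client/node_modules/undici': { version: '5.28.4' },
  },
};

// Read a real lock from disk, e.g. .github/actions/auto-label/package-lock.json.
function checkLockFile(path) {
  const fs = require('fs');
  return findUnpatched(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Demo on the constructed sample: one finding, the nested undici@5.28.4.
const demoFindings = findUnpatched(sampleLock);
for (const f of demoFindings) {
  console.log(`${f.path}: ${f.name}@${f.version} is below ${f.required}`);
}
```

Run it against the action directory's lock after `npm install @actions/github@^9.1.1` and treat any finding as a failed fix; a hoisted undici at the right version is not enough if an older @actions/http-client still carries its own copy.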
Risk
Semver-major on a runtime dep of a CI-only action. Need to verify the GitHub API surface used by auto-label/index.js is compatible. Quick scan shows the action only uses:
- github.getOctokit(token)
- octokit.rest.issues.get
- octokit.rest.issues.addLabels
- core.getInput, core.setOutput, etc.
These are stable across 6.x→9.x but worth a smoke test in a PR.
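To turn the quick scan into something repeatable before the smoke test, the following added example (not the action's own code) extracts every octokit.rest.*, core.* and github.* reference from an action source file, so the list to check against the 9.x changelog is generated rather than eyeballed. The source string below is a constructed stand-in for auto-label/index.js, not the real file.

```javascript
// Added example (not the action's own code): list the @actions/github and
// @actions/core API surface referenced in an action source file.
// sampleSource is a constructed stand-in for auto-label/index.js.

const sampleSource = `
const core = require('@actions/core');
const github = require('@actions/github');

async function run() {
  const token = core.getInput('token', { required: true });
  const octokit = github.getOctokit(token);
  const { owner, repo } = github.context.repo;
  const number = github.context.issue.number;
  const { data: issue } = await octokit.rest.issues.get({ owner, repo, issue_number: number });
  await octokit.rest.issues.addLabels({ owner, repo, issue_number: number, labels: ['triage'] });
  core.setOutput('labels', 'triage');
}
run().catch((e) => core.setFailed(e.message));
`;

// Collect all capture groups of a global regex, de-duplicated and sorted.
function collect(re, source, join) {
  const seen = new Set();
  for (const m of source.matchAll(re)) seen.add(join(m));
  return [...seen].sort();
}

// Returns { octokit: ['issues.get', ...], core: ['getInput', ...], github: [...] }.
// Only direct call/property forms are matched; dynamic access (octokit.rest[ns])
// would not show up and should be grepped for separately.
function scanApiSurface(source) {
  const ident = '[A-Za-z_$][\\w$]*';
  return {
    octokit: collect(
      new RegExp(`\\boctokit\\.rest\\.(${ident})\\.(${ident})\\s*\\(`, 'g'),
      source,
      (m) => `${m[1]}.${m[2]}`,
    ),
    core: collect(new RegExp(`\\bcore\\.(${ident})\\s*\\(`, 'g'), source, (m) => m[1]),
    github: collect(new RegExp(`\\bgithub\\.(${ident})`, 'g'), source, (m) => m[1]),
  };
}

// Scan a real file, e.g. scanFile('.github/actions/auto-label/index.js').
function scanFile(path) {
  const fs = require('fs');
  return scanApiSurface(fs.readFileSync(path, 'utf8'));
}

console.log(JSON.stringify(scanApiSurface(sampleSource), null, 2));
```

The output is the checklist for the semver-major review: each octokit.rest method named there should still exist under 9.x, and each core helper should keep its signature; anything using bracket access or a destructured alias needs a manual look because the regexes only see the dotted forms.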
Related