Compare commits

..

1 Commits

Author SHA1 Message Date
dependabot[bot] 29387563f5 Bump actions/checkout from 6 to 7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-22 07:04:51 +00:00
28 changed files with 24692 additions and 1504 deletions
+10 -10
View File
@@ -21,7 +21,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Clean global cache
run: npm cache clean --force
- name: Setup Node
@@ -44,7 +44,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
@@ -77,7 +77,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Yarn version
run: yarn --version
- name: Generate yarn file
@@ -109,7 +109,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Update yarn
run: yarn set version 3.6.4
- name: Yarn version
@@ -143,7 +143,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh yarn1
@@ -170,7 +170,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh keepcache keepcache
@@ -197,7 +197,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: prepare sub-projects
run: __tests__/prepare-yarn-subprojects.sh global
@@ -224,7 +224,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: prepare sub-projects
run: /bin/bash __tests__/prepare-yarn-subprojects.sh keepcache
@@ -253,7 +253,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Create package.json with packageManager field
run: |
echo '{ "name": "test-project", "version": "1.0.0", "packageManager": "npm@8.0.0" }' > package.json
@@ -278,7 +278,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Create package.json with devEngines field
run: |
echo '{
+2 -2
View File
@@ -25,7 +25,7 @@ jobs:
env:
https_proxy: http://squid-proxy:3128
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Clear tool cache
run: rm -rf $RUNNER_TOOL_CACHE/*
- name: Setup node 24
@@ -41,7 +41,7 @@ jobs:
https_proxy: http://no-such-proxy:3128
no_proxy: api.github.com,github.com,nodejs.org,registry.npmjs.org,*.s3.amazonaws.com,s3.amazonaws.com
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Clear tool cache
run: rm -rf $RUNNER_TOOL_CACHE/*
- name: Setup node 24
@@ -14,7 +14,7 @@ jobs:
steps:
- name: Checking out
uses: actions/checkout@v6
uses: actions/checkout@v7
- name: Publish
id: publish
uses: actions/publish-immutable-action@v0.0.4
+15 -15
View File
@@ -20,7 +20,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
@@ -37,7 +37,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest-large]
node-version: [lts/dubnium, lts/erbium, lts/fermium, lts/*, lts/-1]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
@@ -64,7 +64,7 @@ jobs:
'20.0.0-v8-canary20221101e50e45c9f8'
]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
@@ -84,7 +84,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20-nightly, 25-nightly, 24.0.0-nightly]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
@@ -104,7 +104,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20.0.0-rc.1, 22.14.0-rc.1, 24.0.0-rc.4]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
@@ -124,7 +124,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20.10.0, 22.0.0, 24.9.0]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
@@ -141,7 +141,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node and check latest
uses: ./
with:
@@ -160,7 +160,7 @@ jobs:
node-version-file:
[.nvmrc, .tool-versions, .tool-versions-node, package.json]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup node from node version file
uses: ./
with:
@@ -175,7 +175,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup node from node version file
uses: ./
with:
@@ -190,7 +190,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup node from node version file
uses: ./
with:
@@ -205,7 +205,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup node from node version file
uses: ./
with:
@@ -221,7 +221,7 @@ jobs:
os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
node-version: [21, 23]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node from dist
uses: ./
with:
@@ -237,7 +237,7 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest-large]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
# test old versions which didn't have npm and layout different
- name: Setup node 0.12.18 from dist
uses: ./
@@ -250,7 +250,7 @@ jobs:
arch:
runs-on: windows-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup node 20 x86 from dist
uses: ./
with:
@@ -274,7 +274,7 @@ jobs:
echo "LATEST_NODE_VERSION=$latestNodeVersion" >> $GITHUB_OUTPUT
id: version
shell: bash
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Setup Node
uses: ./
with:
+1 -1
View File
@@ -1,6 +1,6 @@
---
name: "@actions/cache"
version: 5.1.0
version: 5.0.5
type: npm
summary: Actions cache lib
homepage: https://github.com/actions/toolkit/tree/main/packages/cache
+30
View File
@@ -0,0 +1,30 @@
---
name: "@fastify/busboy"
version: 2.1.1
type: npm
summary: A streaming parser for HTML form data for node.js
homepage:
license: mit
licenses:
- sources: LICENSE
text: |-
Copyright Brian White. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
notices: []
-11
View File
@@ -1,11 +0,0 @@
---
name: "@nodable/entities"
version: 2.2.0
type: npm
summary: Entity parser for XML, HTML, External entites with security and NCR control
homepage:
license: mit
licenses:
- sources: README.md
text: MIT
notices: []
+1 -1
View File
@@ -1,6 +1,6 @@
---
name: fast-xml-builder
version: 1.2.0
version: 1.1.4
type: npm
summary: Build XML from JSON without C/C++ based libraries
homepage:
+1 -1
View File
@@ -1,6 +1,6 @@
---
name: fast-xml-parser
version: 5.9.2
version: 5.5.11
type: npm
summary: Validate XML, Parse XML, Build XML without C/C++ based libraries
homepage:
-35
View File
@@ -1,35 +0,0 @@
---
name: is-unsafe
version: 1.0.1
type: npm
summary: Zero-dependency, DOM-free, pure predicate for detecting unsafe strings across
HTML, XML, SVG, SQL, SHELL, and REGEX contexts
homepage:
license: mit
licenses:
- sources: LICENSE
text: |
MIT License
Copyright (c) 2026 Natural Intelligence
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
- sources: README.md
text: MIT
notices: []
+1 -1
View File
@@ -1,6 +1,6 @@
---
name: path-expression-matcher
version: 1.5.0
version: 1.4.0
type: npm
summary: Efficient path tracking and pattern matching for XML/JSON parsers
homepage: https://github.com/NaturalIntelligence/path-expression-matcher#readme
+1 -1
View File
@@ -1,6 +1,6 @@
---
name: strnum
version: 2.4.1
version: 2.2.3
type: npm
summary: Parse String to Number based on configuration
homepage:
@@ -1,6 +1,6 @@
---
name: undici
version: 6.27.0
version: 5.29.0
type: npm
summary: An HTTP/1.1 client, written from scratch for Node.js
homepage: https://undici.nodejs.org
@@ -1,17 +1,16 @@
---
name: anynum
version: 1.0.1
name: undici
version: 6.24.1
type: npm
summary: Normalize all Unicode decimal digits (Devanagari, Arabic, Thai, etc.) to
ASCII numerals. Zero dependencies, performance-first.
homepage:
summary: An HTTP/1.1 client, written from scratch for Node.js
homepage: https://undici.nodejs.org
license: mit
licenses:
- sources: LICENSE
text: |
MIT License
Copyright (c) 2026 Natural Intelligence
Copyright (c) Matteo Collina and Undici contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
-12
View File
@@ -1,12 +0,0 @@
---
name: xml-naming
version: 0.1.0
type: npm
summary: Validates XML name productions — Name, NCName, QName, NMToken, NMTokens —
for XML 1.0 and 1.1
homepage:
license: mit
licenses:
- sources: README.md
text: MIT
notices: []
-10
View File
@@ -1,10 +0,0 @@
{
"printWidth": 80,
"tabWidth": 2,
"useTabs": false,
"semi": true,
"singleQuote": true,
"trailingComma": "none",
"bracketSpacing": false,
"arrowParens": "avoid"
}
-3
View File
@@ -119,7 +119,6 @@ steps:
- uses: actions/setup-node@v6
with:
node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -218,7 +217,6 @@ jobs:
uses: actions/setup-node@v6
with:
node-version: ${{ matrix.node }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -234,7 +232,6 @@ uses: actions/setup-node@v6
with:
token: ${{ secrets.GH_DOTCOM_TOKEN }}
node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
```
If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.
+1 -19
View File
@@ -137,7 +137,6 @@ describe('cache-restore', () => {
] as const)(
'restored dependencies for %s',
async (packageManager, toolVersion, fileHash) => {
const expectedCacheKey = `node-cache-${platform}-${arch}-${packageManager}-${fileHash}`;
// Set workspace to the appropriate fixture folder
setWorkspaceFor(packageManager);
getCommandOutputSpy.mockImplementation((command: string) => {
@@ -151,20 +150,12 @@ describe('cache-restore', () => {
await restoreCache(packageManager, '');
expect(hashFilesSpy).toHaveBeenCalled();
expect(infoSpy).toHaveBeenCalledWith(
`Cache restored from key: ${expectedCacheKey}`
`Cache restored from key: node-cache-${platform}-${arch}-${packageManager}-${fileHash}`
);
expect(infoSpy).not.toHaveBeenCalledWith(
`${packageManager} cache is not found`
);
expect(setOutputSpy).toHaveBeenCalledWith('cache-hit', true);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-primary-key',
expectedCacheKey
);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-matched-key',
expectedCacheKey
);
}
);
});
@@ -178,7 +169,6 @@ describe('cache-restore', () => {
] as const)(
'dependencies are changed %s',
async (packageManager, toolVersion, fileHash) => {
const expectedCacheKey = `node-cache-${platform}-${arch}-${packageManager}-${fileHash}`;
// Set workspace to the appropriate fixture folder
setWorkspaceFor(packageManager);
getCommandOutputSpy.mockImplementation((command: string) => {
@@ -196,14 +186,6 @@ describe('cache-restore', () => {
`${packageManager} cache is not found`
);
expect(setOutputSpy).toHaveBeenCalledWith('cache-hit', false);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-primary-key',
expectedCacheKey
);
expect(setOutputSpy).toHaveBeenCalledWith(
'cache-matched-key',
undefined
);
}
);
});
+1 -3
View File
@@ -343,9 +343,7 @@ describe('run', () => {
expect(getInputSpy).not.toHaveBeenCalled();
expect(getStateSpy).toHaveBeenCalledTimes(4);
expect(getCommandOutputSpy).toHaveBeenCalledTimes(0);
expect(debugSpy).toHaveBeenLastCalledWith(
`Cache was not saved for the key: ${yarnFileHash}`
);
expect(debugSpy).toHaveBeenCalledTimes(0);
expect(infoSpy).not.toHaveBeenCalledWith(
`Cache hit occurred on the primary key ${npmFileHash}, not saving cache.`
);
-4
View File
@@ -34,10 +34,6 @@ inputs:
outputs:
cache-hit:
description: 'A boolean value to indicate if a cache was hit.'
cache-primary-key:
description: 'The key used to restore and save the cache.'
cache-matched-key:
description: 'The key of the cache that was restored. Empty when no cache is found.'
node-version:
description: 'The installed node version.'
runs:
+98 -336
View File
File diff suppressed because one or more lines are too long
+23972 -336
View File
File diff suppressed because one or more lines are too long
+1 -23
View File
@@ -69,7 +69,6 @@ steps:
with:
node-version: '24'
check-latest: true
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -87,7 +86,6 @@ steps:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -133,7 +131,6 @@ jobs:
with:
node-version: '24'
architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -154,7 +151,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -170,7 +166,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -187,7 +182,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: 'v24.0.0-v8-canary2025030537242e55ac'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -208,7 +202,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: '24-nightly' # it will install the latest nightly release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -225,7 +218,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -242,7 +234,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: '24.0.0-nightly202505066102159fa1'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -261,12 +252,11 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: '24.0.0-rc.4'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
**Note**: Unlike nightly versions, which support version range specifiers, you must specify the exact version for a release candidate: `24.0.0-rc.4`.
**Note:** Unlike nightly versions, which support version range specifiers, you must specify the exact version for a release candidate: `24.0.0-rc.4`.
## Caching packages data
The action follows [actions/cache](https://github.com/actions/cache/blob/main/examples.md#node---npm) guidelines, and caches global cache on the machine instead of `node_modules`, so cache can be reused between different Node.js versions.
@@ -354,7 +344,6 @@ steps:
uses: actions/setup-node@v6
with:
node-version: '24'
package-manager-cache: false # Disable automatic npm caching if not required
- name: Normalize runner architecture
shell: bash
@@ -415,7 +404,6 @@ jobs:
with:
node-version: ${{ matrix.node_version }}
architecture: ${{ matrix.architecture }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci
- run: npm test
```
@@ -428,7 +416,6 @@ steps:
with:
node-version: '24.x'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci
- run: npm publish
env:
@@ -436,7 +423,6 @@ steps:
- uses: actions/setup-node@v6
with:
registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -450,7 +436,6 @@ steps:
with:
node-version: '24.x'
registry-url: <registry url>
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn install --frozen-lockfile
- run: yarn publish
env:
@@ -458,7 +443,6 @@ steps:
- uses: actions/setup-node@v6
with:
registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -472,7 +456,6 @@ steps:
with:
node-version: '24.x'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
# Skip post-install scripts here, as a malicious
# script could steal NODE_AUTH_TOKEN.
- run: npm ci --ignore-scripts
@@ -492,7 +475,6 @@ steps:
- uses: actions/setup-node@v6
with:
node-version: '24.x'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- name: Setup .yarnrc.yml
run: |
yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com"
@@ -523,8 +505,6 @@ Trusted publishing requires a compatible npm version:
You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).
> **Note**: In publishing workflows, set `package-manager-cache: false` because setup-node enables npm caching automatically when `package.json` specifies npm via `packageManager` or `devEngines.packageManager` (see [Running without a lockfile](#running-without-a-lockfile)), and a poisoned cache may expose credentials (including OIDC tokens) to attacker-controlled code.
### Example workflow
```yaml
@@ -539,7 +519,6 @@ You must also configure a **Trusted Publisher** in npm for your package/scope th
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci
- run: npm run build --if-present
@@ -563,5 +542,4 @@ The token will be passed in the `Authorization` header.
node-version: '24.x'
mirror: 'https://nodejs.org/dist'
mirror-token: 'your-mirror-token'
cache-package-manager: false # Disable automatic npm caching if not required
```
-74
View File
@@ -1,74 +0,0 @@
// This is a reusable configuration file copied from https://github.com/actions/reusable-workflows/tree/main/reusable-configurations. Please don't make changes to this file as it's the subject of an automatic update.
import js from '@eslint/js';
import tsParser from '@typescript-eslint/parser';
import tsPlugin from '@typescript-eslint/eslint-plugin';
import jest from 'eslint-plugin-jest';
import n from 'eslint-plugin-n';
import prettier from 'eslint-config-prettier';
import globals from 'globals';
export default [
{
ignores: ['**/*', '!src/**', '!__tests__/**']
},
js.configs.recommended,
{
files: ['**/*.ts'],
languageOptions: {
parser: tsParser,
ecmaVersion: 2022,
sourceType: 'module',
globals: {
...globals.node,
...globals.es2015
}
},
plugins: {
'@typescript-eslint': tsPlugin,
n
},
rules: {
...tsPlugin.configs.recommended.rules,
'@typescript-eslint/no-require-imports': 'error',
'@typescript-eslint/no-non-null-assertion': 'off',
'@typescript-eslint/no-explicit-any': 'off',
'@typescript-eslint/no-empty-function': 'off',
'@typescript-eslint/ban-ts-comment': [
'error',
{
'ts-ignore': 'allow-with-description'
}
],
'no-console': 'error',
yoda: 'error',
'prefer-const': [
'error',
{
destructuring: 'all'
}
],
'no-control-regex': 'off',
'no-constant-condition': ['error', {checkLoops: false}],
'no-undef': 'off',
'no-useless-assignment': 'off',
'n/no-extraneous-import': 'error'
}
},
{
files: ['**/*{test,spec}.ts'],
plugins: {jest},
languageOptions: {
globals: {
...globals.jest
}
},
rules: {
...jest.configs['flat/recommended'].rules,
'@typescript-eslint/no-unused-vars': 'off',
'jest/no-standalone-expect': 'off',
'jest/no-conditional-expect': 'off',
'no-console': 'off'
}
},
prettier
];
+47 -84
View File
@@ -1,15 +1,15 @@
{
"name": "setup-node",
"version": "6.5.0",
"version": "6.4.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "setup-node",
"version": "6.5.0",
"version": "6.4.0",
"license": "MIT",
"dependencies": {
"@actions/cache": "^5.1.0",
"@actions/cache": "^5.0.5",
"@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1",
@@ -42,9 +42,9 @@
}
},
"node_modules/@actions/cache": {
"version": "5.1.0",
"resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.1.0.tgz",
"integrity": "sha512-kTIj4YPrjjRPKSGlj7f8eq+Pijoy/SKBEbJcAwNsQTFGEF29NGqj1mqD02/PmhV6r4bRAixycexAWpmUJ2aCwg==",
"version": "5.0.5",
"resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.0.5.tgz",
"integrity": "sha512-jiQSg0gfd+C2KPgcmdCOq7dCuCIQQWQ4b1YfGIRaaA9w7PJbRwTOcCz4LiFEUnqZGf0ha/8OKL3BeNwetHzYsQ==",
"license": "MIT",
"dependencies": {
"@actions/core": "^2.0.0",
@@ -112,6 +112,18 @@
"undici": "^5.25.4"
}
},
"node_modules/@actions/github/node_modules/undici": {
"version": "5.29.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
"integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
"license": "MIT",
"dependencies": {
"@fastify/busboy": "^2.0.0"
},
"engines": {
"node": ">=14.0"
}
},
"node_modules/@actions/glob": {
"version": "0.5.1",
"resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.5.1.tgz",
@@ -1035,6 +1047,15 @@
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
}
},
"node_modules/@fastify/busboy": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
"integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
"license": "MIT",
"engines": {
"node": ">=14"
}
},
"node_modules/@humanwhocodes/config-array": {
"version": "0.13.0",
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz",
@@ -1532,18 +1553,6 @@
"@jridgewell/sourcemap-codec": "^1.4.14"
}
},
"node_modules/@nodable/entities": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.2.0.tgz",
"integrity": "sha512-9uGyhaQavEUMC8AIddIjau4NsnsXhou+j5sBAGojCM1oxmQpVKTWR/9JxABD6UAv12vpIms55fPZKFQEhG6uBg==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/nodable"
}
],
"license": "MIT"
},
"node_modules/@nodelib/fs.scandir": {
"version": "2.1.5",
"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -2268,18 +2277,6 @@
"node": ">= 8"
}
},
"node_modules/anynum": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/anynum/-/anynum-1.0.1.tgz",
"integrity": "sha512-N6//FLET/tXYNM/F6ABca1oH6fWB+KlTt909Le28WMDBk8oaT4vY17DCrwg2MvmuqUKt3Ni4N5dGJ/EoBgcO6A==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT"
},
"node_modules/argparse": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
@@ -3323,9 +3320,9 @@
"license": "MIT"
},
"node_modules/fast-xml-builder": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
"integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
"version": "1.1.4",
"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
"integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
"funding": [
{
"type": "github",
@@ -3334,14 +3331,13 @@
],
"license": "MIT",
"dependencies": {
"path-expression-matcher": "^1.5.0",
"xml-naming": "^0.1.0"
"path-expression-matcher": "^1.1.3"
}
},
"node_modules/fast-xml-parser": {
"version": "5.9.2",
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.9.2.tgz",
"integrity": "sha512-DYPkXnVSJHAGAkSBeVYhEo/seIpz2SLr9OQcX7m6lXaX3gvoB+DCKzFdZIEhZGI3I1DUhObBAUOT/v2xfoXz/w==",
"version": "5.5.11",
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.11.tgz",
"integrity": "sha512-QL0eb0YbSTVWF6tTf1+LEMSgtCEjBYPpnAjoLC8SscESlAjXEIRJ7cHtLG0pLeDFaZLa4VKZLArtA/60ZS7vyA==",
"funding": [
{
"type": "github",
@@ -3350,12 +3346,9 @@
],
"license": "MIT",
"dependencies": {
"@nodable/entities": "^2.2.0",
"fast-xml-builder": "^1.2.0",
"is-unsafe": "^1.0.1",
"path-expression-matcher": "^1.5.0",
"strnum": "^2.4.0",
"xml-naming": "^0.1.0"
"fast-xml-builder": "^1.1.4",
"path-expression-matcher": "^1.4.0",
"strnum": "^2.2.3"
},
"bin": {
"fxparser": "src/cli/cli.js"
@@ -3870,18 +3863,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/is-unsafe": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/is-unsafe/-/is-unsafe-1.0.1.tgz",
"integrity": "sha512-CLK2+VdgERgD96EYm5lUQssZYlRg2tkZnbsxZoacmSiRxiFJ4Nk4SzjCl+Ur+v3kXIY9dTIdb3IH22y1mZ56LA==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT"
},
"node_modules/isexe": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
@@ -4996,9 +4977,9 @@
}
},
"node_modules/path-expression-matcher": {
"version": "1.5.0",
"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
"integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.4.0.tgz",
"integrity": "sha512-s4DQMxIdhj3jLFWd9LxHOplj4p9yQ4ffMGowFf3cpEgrrJjEhN0V5nxw4Ye1EViAGDoL4/1AeO6qHpqYPOzE4Q==",
"funding": [
{
"type": "github",
@@ -5594,19 +5575,16 @@
}
},
"node_modules/strnum": {
"version": "2.4.1",
"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.4.1.tgz",
"integrity": "sha512-M9eUSMT2dCB2cTNPG7UYj6KuK7RJR2SN2+yCV/fTW3xzTCS6EaGZ5pSMgDIjB7r8zSfTGk+dvvn9rTjpVS9Mwg==",
"version": "2.2.3",
"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
"integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT",
"dependencies": {
"anynum": "^1.0.1"
}
"license": "MIT"
},
"node_modules/supports-color": {
"version": "7.2.0",
@@ -5845,9 +5823,9 @@
}
},
"node_modules/undici": {
"version": "6.27.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz",
"integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==",
"version": "6.24.1",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
"integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
"license": "MIT",
"engines": {
"node": ">=18.17"
@@ -6003,21 +5981,6 @@
"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
}
},
"node_modules/xml-naming": {
"version": "0.1.0",
"resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
"integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT",
"engines": {
"node": ">=16.0.0"
}
},
"node_modules/y18n": {
"version": "5.0.8",
"resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+2 -6
View File
@@ -1,6 +1,6 @@
{
"name": "setup-node",
"version": "6.5.0",
"version": "6.4.0",
"private": true,
"description": "setup node action",
"main": "lib/setup-node.js",
@@ -28,7 +28,7 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/cache": "^5.1.0",
"@actions/cache": "^5.0.5",
"@actions/core": "^2.0.3",
"@actions/exec": "^2.0.0",
"@actions/github": "^6.0.1",
@@ -55,9 +55,5 @@
"prettier": "^3.6.2",
"ts-jest": "^29.4.1",
"typescript": "^5.4.2"
},
"overrides": {
"undici": "^6.24.1",
"fast-xml-parser": "^5.9.2"
}
}
-3
View File
@@ -45,7 +45,6 @@ export const restoreCache = async (
core.debug(`primary key is ${primaryKey}`);
core.saveState(State.CachePrimaryKey, primaryKey);
core.setOutput('cache-primary-key', primaryKey);
const isManagedByYarnBerry = await repoHasYarnBerryManagedDependencies(
packageManagerInfo,
@@ -62,8 +61,6 @@ export const restoreCache = async (
}
core.setOutput('cache-hit', Boolean(cacheKey));
core.setOutput('cache-matched-key', cacheKey);
core.debug(`cache-matched-key is ${cacheKey}`);
if (!cacheKey) {
core.info(`${packageManager} cache is not found`);
+1 -5
View File
@@ -62,11 +62,7 @@ const cachePackages = async (packageManager: string) => {
}
const cacheId = await cache.saveCache(cachePaths, primaryKey);
if (cacheId === -1) {
// saveCache returns -1 without throwing when the cache was not saved, e.g.
// a reserve collision or a read-only token (fork PR). @actions/cache has
// already logged the reason at the appropriate severity, so just trace it.
core.debug(`Cache was not saved for the key: ${primaryKey}`);
if (cacheId == -1) {
return;
}