Since this action aims to be a drop-in replacement for actions/setup-node, maybe it also takes over the cachiing security vulnerabilities that affected TanStack?
@slorber and others have been talking about this a lot on Twitter, and I've been trying to also highlight this problem with action maintainers:
Maybe it would be an idea to add some kind of warning (or even a gate to prevent it from being configured insecurely)?
Since this action aims to be a drop-in replacement for
actions/setup-node, maybe it also takes over the cachiing security vulnerabilities that affected TanStack?@slorber and others have been talking about this a lot on Twitter, and I've been trying to also highlight this problem with action maintainers:
Maybe it would be an idea to add some kind of warning (or even a gate to prevent it from being configured insecurely)?