Skip to content

Document security problems with cache: true? #1

Description

@karlhorky

Since this action aims to be a drop-in replacement for actions/setup-node, maybe it also takes over the cachiing security vulnerabilities that affected TanStack?

@slorber and others have been talking about this a lot on Twitter, and I've been trying to also highlight this problem with action maintainers:

Maybe it would be an idea to add some kind of warning (or even a gate to prevent it from being configured insecurely)?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions