
SECVULN-37255: upgrade dependencies to resolve CVE-2026-22036#66

Merged
ryancragun merged 1 commit into main from ryan/CVE-2026-22036
Feb 3, 2026

Conversation

@ryancragun
Contributor

@ryancragun ryancragun commented Feb 3, 2026

How to read this pull request

Upgrade the following packages to remove a transitive dependency on undici < 6.23.0:

  • @actions/core => ^3.0.0
  • @actions/exec => ^3.0.0
  • @actions/http-client => ^4.0.0
  • @actions/tool-cache => ^4.0.0

Since I was upgrading these outdated packages I also took the time to upgrade other outdated packages to the latest:

  • globals => ^17.3.0
  • vitest => ^4.0.18

Upgrading our dep modules to ESM required refactoring some of our vitest tests. Spying properties changed with ESM imports so I had to make some changes there.

We also bump to v1.5 since so many of our dependencies changed.

Resolves: GHSA-g9mf-h72j-4rw9

Checklist

  • The commit message includes an explanation of the changes
  • Manual validation of the changes has been performed (if possible)
  • New or modified code has requisite test coverage (if possible)
  • I have performed a self-review of the changes
  • I have made necessary changes and/or pull requests for documentation
  • I have written useful comments in the code

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.
  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
  • If applicable, I've documented the impact of any changes to security controls.

Upgrade the following packages to remove a transitive dependency on
undici < 7.0.0:
  - @actions/core => ^3.0.0
  - @actions/exec => ^3.0.0
  - @actions/http-client => ^4.0.0
  - @actions/tool-cache => ^4.0.0

Since I was upgrading these outdated packages I also took the time to
upgrade other outdated packages to the latest:
  - globals => ^17.3.0
  - vitest => ^4.0.18

Upgrading vitest required refactoring them to handle browser mode and
the changes in spying.

We also bump to v1.5 since so many of our dependencies changed.

Signed-off-by: Ryan Cragun <me@ryan.ec>
@ryancragun ryancragun requested a review from a team as a code owner February 3, 2026 18:06
@ryancragun ryancragun requested review from a team, brewgator, raskchanky and tvo0813 and removed request for a team February 3, 2026 18:08
@ryancragun ryancragun merged commit 17b90fc into main Feb 3, 2026
8 checks passed
@ryancragun ryancragun deleted the ryan/CVE-2026-22036 branch February 3, 2026 19:13