Skip to content

chore(deps): update actions/setup-node action to v3.9.1 #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate-sh-app wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update actions/setup-node action to v3.9.1 #150

renovate-sh-app wants to merge 1 commit into from

Conversation

@renovate-sh-app
Copy link

@renovate-sh-app renovate-sh-app bot commented Oct 17, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
actions/setup-node action minor v3.5.1v3.9.1

Release Notes

actions/setup-node (actions/setup-node)

v3.9.1

Compare Source

What's Changed

Full Changelog: actions/setup-node@v3...v3.9.1

v3.9.0

Compare Source

What's Changed

  • Upgrade @​actions/cache to 4.0.3 by @​gowridurgad in #​1270
    In scope of this release we updated actions/cache package to ensure continued support and compatibility, as older versions of the package are now deprecated. For more information please refer to the toolkit/cache.

Full Changelog: actions/setup-node@v3...v3.9.0

v3.8.2

Compare Source

What's Changed

Full Changelog: actions/setup-node@v3...v3.8.2

v3.8.1

Compare Source

What's Changed

In scope of this release, the filter was removed within the cache-save step by @​dmitry-shibanov in #​831. It is filtered and checked in the toolkit/cache library.

Full Changelog: actions/setup-node@v3...v3.8.1

v3.8.0

Compare Source

What's Changed

Bug fixes:
Feature implementations:
  • feat: handling the case where "node" is used for tool-versions file. by @​xytis in #​812
Documentation changes:
Update dependencies:

New Contributors

Full Changelog: actions/setup-node@v3...v3.8.0

v3.7.0

Compare Source

What's Changed

In scope of this release we added a logic to save an additional cache path for yarn 3 (related pull request and feature request). Moreover, we added functionality to use all the sub directories derived from cache-dependency-path input and add detect all dependencies directories to cache (related pull request and feature request).

Besides, we made such changes as:

New Contributors

Full Changelog: actions/setup-node@v3...v3.7.0

v3.6.0: Add Support for Nightly, Canary and RC builds for Node.js

Compare Source

In scope of this release we added support to download nightly, rc (#​611) and canary (#​619) Node.js distributions.

For nightly versions:
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-nightly'
      - run: npm ci
      - run: npm test
For canary versions:
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-v8-canary’
      - run: npm ci
      - run: npm test
For rc versions:
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16.0.0-rc.1’
      - run: npm ci
      - run: npm test

Note: For more examples please refer to documentation.

Besides, we added the following changes as:

  • Updated minimatch: #​608
  • Fixed extra newline character in version output when reading from a file: #​625
  • Passed the token input through on GHES: #​595
  • Fixed issue with scoped registries are duplicated in npmrc: #​637

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app
chore(deps): update actions/setup-node action to v3.9.1
c4b434c 
| datasource  | package            | from   | to     |
| ----------- | ------------------ | ------ | ------ |
| github-tags | actions/setup-node | v3.5.1 | v3.9.1 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@github-actions github-actions bot added this to the 1.0.x milestone Oct 17, 2025
@github-actions
Copy link

github-actions bot commented Oct 17, 2025

😢 zizmor failed with exit code 14.

Expand for full output 
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/auto-milestone.yml:2:1
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - opened
6 | |       - reopened
7 | |       - closed
8 | |       - ready_for_review
  | |________________________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/backport.yml:2:1
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - closed
6 | |       - labeled
  | |_______________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/bump-version.yml:13:9
   |
13 |       - uses: actions-ecosystem/action-regex-match@v2.0.2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/issue-add-to-parent-project.yml:97:52
   |
89 |         run: |
   |         --- this run block
...
97 |             }' -f project=$PROJECT_ID -f issue=${{ github.event.issue.node_id }} --jq '.data.addProjectV2ItemById.item.id')"
   |                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/issue-commands.yml:37:9
   |
37 |       - uses: hmarr/debug-action@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/levitate-report.yml:3:1
  |
3 | / on:
4 | |   workflow_run:
5 | |     workflows: ["Levitate / Detect breaking changes"]
6 | |     types: [completed]
  | |______________________^ workflow_run is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/levitate-report.yml:97:9
   |
97 |         uses: marocchino/sticky-pull-request-comment@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> ./.github/workflows/pr-checks.yml:2:1
   |
 2 | / on:
 3 | |   pull_request_target:
 4 | |     types:
 5 | |       - opened
...  |
14 | |       - milestoned
15 | |       - demilestoned
   | |____________________^ pull_request_target is almost always used insecurely
   |
   = note: audit confidence → Medium

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/pr-commands.yml:2:1
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - opened
6 | |       - synchronize
  | |___________________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/pr-comment-on-trigger.yml:3:1
  |
3 | / on:
4 | |   workflow_run:
5 | |     workflows: ["pr-trigger-workflow-in-main"]
6 | |     types: [completed]
  | |______________________^ workflow_run is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/pr-comment-on-trigger.yml:67:7
   |
67 |       uses: marocchino/sticky-pull-request-comment@v2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/update-trending-base.yml:46:25
   |
39 |         uses: actions/github-script@v7
   |         ------------------------------ action accepts arbitrary code
...
43 |           script: |
   |           ------ via this input
...
46 |               org: '${{ inputs.project_owner }}',
   |                         ^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/update-trending-base.yml:47:32
   |
39 |         uses: actions/github-script@v7
   |         ------------------------------ action accepts arbitrary code
...
43 |           script: |
   |           ------ via this input
...
47 |               field_name: '${{ inputs.field_name }}',
   |                                ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/update-trending-base.yml:34:9
   |
34 |         uses: kaisugi/action-regex-match@v1.0.1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/update-trending-base.yml:93:9
   |
93 |         uses: monry/actions-get-project-id@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/update-trending-base.yml:108:9
    |
108 |         uses: monry/actions-get-project-item-id@v2
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/update-trending-base.yml:114:9
    |
114 |       - uses: titoportas/update-project-fields@v0.1.0
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

146 findings (38 ignored, 91 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 17 high

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

update-minor

Projects

None yet

Milestone

1.0.x

Development

Successfully merging this pull request may close these issues.

0 participants