chore(deps): bump the actions group across 1 directory with 7 updates#130
Open
dependabot[bot] wants to merge 1 commit into
Open
chore(deps): bump the actions group across 1 directory with 7 updates#130dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
dependabot
Bot
added
dependencies
This was referenced May 20, 2026
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions-de29fd4124
branch
from
c85bea3 to
267cda6
Compare
Bumps the actions group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `6.0.2` | | [actions/setup-node](https://github.com/actions/setup-node) | `4.4.0` | `6.4.0` | | [actions/github-script](https://github.com/actions/github-script) | `7.1.0` | `9.0.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.4.0` | `4.1.0` | | [mnao305/chrome-extension-upload](https://github.com/mnao305/chrome-extension-upload) | `5.0.0` | `6.0.0` | | [actions/cache](https://github.com/actions/cache) | `4.3.0` | `5.0.5` | Updates `actions/checkout` from 4.3.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) Updates `actions/setup-node` from 4.4.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@49933ea...48b55a0) Updates `actions/github-script` from 7.1.0 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@f28e40c...3a2844b) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...043fb46) Updates `actions/attest-build-provenance` from 2.4.0 to 4.1.0 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@e8998f9...a2bbfa2) Updates `mnao305/chrome-extension-upload` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/mnao305/chrome-extension-upload/releases) - [Commits](mnao305/chrome-extension-upload@4008e29...fdfe794) Updates `actions/cache` from 4.3.0 to 5.0.5 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0057852...27d5ce7) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: mnao305/chrome-extension-upload dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions-de29fd4124
branch
from
267cda6 to
390ee84
Compare
Merged
3 tasks
heznpc
added a commit
that referenced
this pull request
May 21, 2026
…arden test execSync (#135) * ci(dependabot): auto-merge minor and patch updates * fix: 2nd-pass audit — wire log.js, enable PVR, fix popup URL check, harden test execSync A self-confirming "done" report from the prior session passed an adversarial second-pass and lost four concrete findings. Same model, same code, real defects. This commit fixes all four; the rest of the audit (Major/Minor) is reported separately. C-1. src/lib/log.js was dead code with false documentation. The original modernization PR (#129) shipped log.js but never added it to manifest.json `content_scripts.js`, and scripts/build-bundle.js only bundles entries from that list. So: - The content-script bundle did not include log.js - `window._skillbridgeLog` did not exist at runtime - The chrome.storage.onChanged listener added in the simplify pass (#132) was code that never executed - CONTRIBUTING.md told contributors to "use it" — anyone following that guidance would hit a ReferenceError on first call - Two PR descriptions claimed it was shipped functionality The fix wires it correctly: `src/lib/log.js` is now listed in manifest.json `content_scripts.js` immediately after `browser-polyfill.js` so subsequent scripts can call `window._skillbridgeLog.createLogger`. Bundled size: 237.1 KB → 122.7 KB (unchanged headroom). Added 13 new tests in tests/log.test.js covering: module surface, createLogger type-guard, prefix format, default threshold silencing, severity routing, multi-arg passthrough, storage.onChanged registration, level-from-storage live update, unknown-level rejection, non-extension-context graceful no-op, AND a manifest- wiring regression guard that asserts log.js stays in the content_scripts list. CONTRIBUTING.md updated to reflect the actual shape (`window._skillbridgeLog.createLogger`). C-2. SECURITY.md promised Private Vulnerability Reporting but the feature was disabled. `gh api .../private-vulnerability-reporting` returned `{"enabled": false}` while SECURITY.md confidently directed reporters to "Report a vulnerability" UI that didn't exist. A would- be reporter falling back to a public issue would defeat the privacy intent. Enabled PVR via `gh api -X PUT .../private-vulnerability- reporting`; SECURITY.md text is now true. C-3. src/popup/popup.js:8 had a CodeQL HIGH alert (js/incomplete-url-substring-sanitization, never triaged by the prior session). `tab?.url?.includes('skilljar.com')` matches `evil.skilljar.com.attacker.example/` and `prefix-skilljar.com/`. Replaced with an `isSkilljarHost` helper that parses the URL and checks `hostname === 'skilljar.com' || endsWith('.skilljar.com')`. Throws are caught (invalid URL → false). C-4. tests/{academy-courses,dict-coverage}-checker.test.js had three CodeQL MEDIUM alerts (js/shell-command-injection-from-environment) on `execSync(\`node ${SCRIPT}\`, ...)` calls. The SCRIPT path is __dirname-derived so there's no real injection vector, but the array form documents that. Switched to `spawnSync(process.execPath, [SCRIPT], ...)`; semantics preserved, all 17 self-tests still pass. Pre-flight: 411/411 jest (+13 from log.test.js), eslint clean, prettier clean, `npm run build:bundle` produces 122.7 KB content bundle that now actually includes log.js. Out of scope for this PR (reported back to the session, awaiting decision): - Major: branch protection currently has `required_pull_request_reviews: null` (0 reviews). CODEOWNERS routing is decorative without enforcement. Solo-maintainer context; toggle is intentional but worth surfacing. - Major: academy-courses-drift cron has been paused since PR #132 due to selector drift; issue #126 open since 2026-05-16. Pre-existing tech debt, not a regression introduced here. - Minor: mnao305/chrome-extension-upload v6.0.0 available (we pin v5.0.0). Dependabot PR #130 covers it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the actions group with 7 updates in the / directory:
4.3.16.0.24.4.06.4.07.1.09.0.04.6.27.0.12.4.04.1.05.0.06.0.04.3.05.0.5Updates
actions/checkoutfrom 4.3.1 to 6.0.2Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Updates
actions/setup-nodefrom 4.4.0 to 6.4.0Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)6044e13Docs: bump actions/checkout from v5 to v6 (#1468)8e49463Fix README typo (#1226)Updates
actions/github-scriptfrom 7.1.0 to 9.0.0Release notes
Sourced from actions/github-script's releases.
Commits
3a2844bMerge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...ca10bbdfix: use@octokit/core/types import for v7 compatibility86e48e2merge: incorporate main branch changesc108472chore: rebuild dist for v9 upgrade and getOctokit factoryafff112Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...ff8117eci: fix user-agent test to handle orchestration ID81c6b78ci: use deployment: false to suppress deployment noise from integration tests3953cafdocs: update README examples from@v8to@v9, add getOctokit docs and v9 brea...c17d55bci: add getOctokit integration test joba047196test: add getOctokit integration tests via callAsyncFunctionUpdates
actions/upload-artifactfrom 4.6.2 to 7.0.1Release notes
Sourced from actions/upload-artifact's releases.
... (truncated)
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)bbbca2dSupport direct file uploads (#764)589182cUpgrade the module to ESM and bump dependencies (#762)47309c9Merge pull request #754 from actions/Link-/add-proxy-integration-tests02a8460Add proxy integration testb7c566aMerge pull request #745 from actions/upload-artifact-v6-releasee516bc8docs: correct description of Node.js 24 support in READMEUpdates
actions/attest-build-provenancefrom 2.4.0 to 4.1.0Release notes
Sourced from actions/attest-build-provenance's releases.
... (truncated)
Commits
a2bbfa2bump actions/attest from 4.0.0 to 4.1.0 (#838)0856891update RELEASE.md docs (#836)e4d4f7cprepare v4 release (#835)02a49bdBump github/codeql-action in the actions-minor group (#824)7c757dfBump the npm-development group with 2 updates (#825)c44148eBump github/codeql-action in the actions-minor group (#818)3234352Bump@types/nodefrom 25.0.10 to 25.2.0 in the npm-development group (#819)18db129Bump tar from 7.5.6 to 7.5.7 (#816)90fadfaBump@actions/corefrom 2.0.1 to 2.0.2 in the npm-production group (#799)57db8baBump the npm-development group across 1 directory with 3 updates (#808)Updates
mnao305/chrome-extension-uploadfrom 5.0.0 to 6.0.0Release notes
Sourced from mnao305/chrome-extension-upload's releases.
Commits
fdfe794update readme712b1f96.0.033a086aUpgrade Node.js version from 20 to 24 (#31)cbba77bdocs: update READMEUpdates
actions/cachefrom 4.3.0 to 5.0.5Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
27d5ce7Merge pull request #1747 from actions/yacaovsnc/update-dependencyf280785licensed changes619aeb1npm run build generated dist filesbcf16c2Update ts-http-runtime to 0.3.56682284Merge pull request #1738 from actions/prepare-v5.0.4e340396Update RELEASES8a67110Add licenses1865903Update dependencies & patch security vulnerabilities5656298Merge pull request #1722 from RyPeck/patch-14e380d1Fix cache key in examples.md for bun.lock