NPM audit report reports several vulnerabilities and recommends downgrading to v2.0.0

[RonaldPhilipsen]

# npm audit report

@octokit/plugin-paginate-rest  <=9.2.1
Severity: moderate
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix`
node_modules/@actions/artifact/node_modules/@octokit/plugin-paginate-rest
  @actions/github  3.0.0 - 5.1.1
  Depends on vulnerable versions of @octokit/core
  Depends on vulnerable versions of @octokit/plugin-paginate-rest
  node_modules/@actions/artifact/node_modules/@actions/github

@octokit/request  <=8.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install @github/local-action@2.2.1, which is a breaking change
node_modules/@actions/artifact/node_modules/@octokit/request
  @octokit/core  <=5.0.0-beta.5
  Depends on vulnerable versions of @octokit/graphql
  Depends on vulnerable versions of @octokit/request
  Depends on vulnerable versions of @octokit/request-error
  node_modules/@actions/artifact/node_modules/@octokit/core
    @actions/artifact  >=2.0.0
    Depends on vulnerable versions of @actions/github
    Depends on vulnerable versions of @octokit/core
    node_modules/@actions/artifact
      @github/local-action  >=2.3.0
      Depends on vulnerable versions of @actions/artifact
      node_modules/@github/local-action
  @octokit/graphql  <=2.1.3 || 3.0.0 - 6.0.1
  Depends on vulnerable versions of @octokit/request
  node_modules/@actions/artifact/node_modules/@octokit/graphql

@octokit/request-error  <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install @github/local-action@2.2.1, which is a breaking change
node_modules/@actions/artifact/node_modules/@octokit/core/node_modules/@octokit/request-error
node_modules/@actions/artifact/node_modules/@octokit/request/node_modules/@octokit/request-error

8 moderate severity vulnerabilities

[ncalteen]

I just published version 6.0.1 that includes a number of Dependabot updates, however that doesn't look like it resolved the issue. I will take a look and see if I can safely override the vulnerable dependencies.

[ncalteen]

It looks @actions/github is mostly to blame. The Actions Toolkit repo would be the right place to report this issue. Unfortunately, it isn't very well maintained at this point in time. There are a number of issues open regarding outdated/vulnerable dependencies (1, 2, 3, 4, 5 to name a few...). I would recommend opening an issue there, or following this one in particular as it appears closely related.

I have reached out to the owners of that repo multiple times offering to help, but haven't gotten a response back :(

[RonaldPhilipsen]

That's sad, you'd expect microsoft to be all in on their developers developers developers.
Thanks for checking this out, I appreciate the capability this tool gives me

[ncalteen]

I'm glad you find it useful! I will do my best to keep things up to date :)

If you need anything please feel free to comment back on this issue and I will reopen.