[Security] Workflow format-pr.yml is using vulnerable action peter-evans/create-pull-request
akulpillai opened this issue · comments
The workflow format-pr.yml is referencing action peter-evans/create-pull-request using references v2. However this reference is missing the commit 9507cdc7ac7c51349ae407533e709b92b594e6d1 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.
thanks! I think we are going to remove this GHA due to domluna/JuliaFormatter.jl#526 for now anyways
edit: I think it's removed on the master
branch so I think I'll close this