matlab-actions / run-build

Run a build using the MATLAB build tool.

Getting security alerts while using this action for enterprise project

manoj27730 opened this issue

Hi Team,

I need this action to be used by my project, and since it's not allowed by default, our enterprise GitHub Team needs to review and add it for our project. Our GitHub Team has found an alert and mentioned the point below.

"The actions requested are available on our GitHub instance but we are seeing Dependabot alerts. Since those repos have vulnerabilities, we won’t be able to make it public. Looks like it’s patched on the master but they haven’t released it. Please file an issue with the actions owner to release a patched version. After that, we can make it available for your team to use."

Can you please look into it and help?

Hi @manoj27730, I bumped the npm dependencies for the other MATLAB actions. I am not seeing the same vulnerabilities present in this action. It looks like the attached screenshot is for run-command. Are you able to confirm that your organization is using this action, and if so, can you let us know which dependencies you are seeing in your alerts?

Thanks,
David

Hi David,

Our Enterprise GitHub Team has confirmed it doesn't have any vulnerabilities. Please close this request.

Thanks,
Manoj