
chore(devdeps): update dawidd6/action-download-artifact action to v6 [security]#577

Open
renovate[bot] wants to merge 1 commit into main from renovate/github-tags-dawidd6-action-download-artifact-vulnerability

Conversation


@renovate renovate Bot commented Apr 21, 2026

This PR contains the following updates:

Package | Type | Update | Change
dawidd6/action-download-artifact | action | major | v3 → v6

Artifact poisoning vulnerability in action-download-artifact v5 and earlier

GHSA-5xr6-xhww-33m4


Summary

In versions of dawidd6/action-download-artifact before v6, a repository's forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.

Users should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set allow_forks: false to disable searching forks for artifacts.

Details

GitHub's artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the "latest" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream.

Because any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):

  1. Repository alice/foo runs build.yml, producing build.exe
  2. Repository alice/foo runs publish.yml, which uses action-download-artifact@v5 to retrieve the latest build.exe from build.yml

To compromise publish.yml in this scenario, Mallory forks alice/foo to mallory/foo, and then modifies build.yml to produce a compromised build.exe. Mallory can then repeatedly trigger their copy of build.yml to ensure that their compromised build.exe is always the latest artifact, meaning that Alice's publish.yml will retrieve it.

Additional details on this vulnerability can be found in this blog post from 2022:

Impact

This vulnerability impacts all repositories on GitHub that use action-download-artifact@v5 or older and do not disable allow_forks (allow_forks: true is the default).

If a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as push or pull_request_target).

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

dawidd6/action-download-artifact (dawidd6/action-download-artifact)

  • v6: Full Changelog: dawidd6/action-download-artifact@v5...v6
  • v5: Full Changelog: dawidd6/action-download-artifact@v4...v5
  • v4: Full Changelog: dawidd6/action-download-artifact@v3...v4
  • v3.1.4: Full Changelog: dawidd6/action-download-artifact@v3...v3.1.4
  • v3.1.3: Full Changelog: dawidd6/action-download-artifact@v3.1.2...v3.1.3
  • v3.1.2: Full Changelog: dawidd6/action-download-artifact@v3.1.1...v3.1.2
  • v3.1.1: Full Changelog: dawidd6/action-download-artifact@v3...v3.1.1
  • v3.1.0: Full Changelog: dawidd6/action-download-artifact@v3...v3.1.0


Configuration

📅 Schedule (UTC):
  • Branch creation: ""
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
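The advisory above describes the whole problem as a selection step: "latest artifact" is computed over runs from every fork, so an attacker who keeps re-running build.yml in their fork always wins. The following is an added example, not code from this PR or from dawidd6/action-download-artifact, that models that selection step in plain JavaScript and shows the pre-v6 behaviour beside the hardened one. The run objects mirror the fields of GitHub's REST "list workflow runs" response (`head_repository.full_name`, `head_repository.fork`, `created_at`, `conclusion`); the repository name `alice/foo`, the sample runs and the function names are constructed for the demo.

```javascript
// Added example, not code from this PR or from dawidd6/action-download-artifact.
// It models the run-selection step the advisory describes: pick the newest
// successful run of build.yml, then decide whether runs from forks qualify.
// Run objects mirror the fields of GitHub's REST "list workflow runs" response
// (head_repository.full_name, head_repository.fork, created_at, conclusion);
// the runs below are constructed for this demo.

const UPSTREAM = 'alice/foo'; // the repository whose artifacts we actually trust

// Constructed sample: the newest run comes from Mallory's fork, which is
// exactly the poisoning setup in GHSA-5xr6-xhww-33m4.
const SAMPLE_RUNS = [
  { id: 101, created_at: '2026-04-20T10:00:00Z', conclusion: 'success',
    head_repository: { full_name: 'alice/foo', fork: false } },
  { id: 102, created_at: '2026-04-21T09:00:00Z', conclusion: 'success',
    head_repository: { full_name: 'alice/foo', fork: false } },
  { id: 103, created_at: '2026-04-21T18:30:00Z', conclusion: 'success',
    head_repository: { full_name: 'mallory/foo', fork: true } },
];

// A run is trusted only if its *head* repository is the upstream itself.
// Checking head_repository (not repository) matters: a pull_request run
// opened from a fork reports repository = upstream but head_repository = fork.
// head_repository can be null when the head repo was deleted; treat that as
// untrusted rather than letting it fall through.
function isFromUpstream(run, upstream) {
  const head = run.head_repository;
  return Boolean(head) && head.fork === false && head.full_name === upstream;
}

// Newest successful run, optionally restricted to upstream runs.
function selectLatestRun(runs, { upstream, allowForks }) {
  const candidates = runs.filter(
    (r) => r.conclusion === 'success' && (allowForks || isFromUpstream(r, upstream)),
  );
  if (candidates.length === 0) return null;
  return candidates.reduce((newest, r) =>
    Date.parse(r.created_at) > Date.parse(newest.created_at) ? r : newest,
  );
}

// Pre-v6 default (allow_forks: true): the newest run wins regardless of origin.
function vulnerableSelection(runs = SAMPLE_RUNS) {
  return selectLatestRun(runs, { upstream: UPSTREAM, allowForks: true });
}

// v6 default / allow_forks: false: fork runs never qualify. If every run is
// from a fork the result is null, i.e. fail closed instead of downloading anything.
function hardenedSelection(runs = SAMPLE_RUNS) {
  return selectLatestRun(runs, { upstream: UPSTREAM, allowForks: false });
}

const v = vulnerableSelection();
const h = hardenedSelection();
console.log(`allow_forks: true  -> run ${v.id} from ${v.head_repository.full_name}`);
console.log(`allow_forks: false -> run ${h.id} from ${h.head_repository.full_name}`);
```

With the sample data the permissive selection returns run 103 from mallory/foo, the hardened one returns run 102 from alice/foo, and a run set containing only fork runs yields null. In a workflow the equivalent is what the advisory prescribes: move to v6, or set `allow_forks: false` on older versions. Filtering on the run's origin only establishes who produced the artifact; if publish.yml goes on to execute what it downloads, that origin check is the control that keeps an unprivileged fork out of the privileged context.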

@changeset-bot

changeset-bot Bot commented Apr 21, 2026

⚠️ No Changeset found

Latest commit: d7a06d7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@nx-cloud
Contributor

nx-cloud Bot commented Apr 21, 2026

View your CI Pipeline Execution ↗ for commit d7a06d7

Command | Status | Duration | Result
nx run-many -t build --no-agents | ✅ Succeeded | <1s | View ↗
nx affected -t build lint test typecheck e2e-ci | ✅ Succeeded | 6m 44s | View ↗

☁️ Nx Cloud last updated this comment at 2026-04-21 20:08:01 UTC

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 15.67%. Comparing base (5d6747a) to head (d7a06d7).
⚠️ Report is 35 commits behind head on main.

❌ Your project status has failed because the head coverage (15.67%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff             @@
##             main     #577       +/-   ##
===========================================
- Coverage   70.90%   15.67%   -55.24%     
===========================================
  Files          53      154      +101     
  Lines        2021    26666    +24645     
  Branches      377     1127      +750     
===========================================
+ Hits         1433     4180     +2747     
- Misses        588    22486    +21898     

see 101 files with indirect coverage changes


@pkg-pr-new

pkg-pr-new Bot commented Apr 21, 2026


@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@577

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@577

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@577

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@577

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@577

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@577

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@577

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@577

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@577

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@577

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@577

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@577

commit: d7a06d7

@github-actions
Contributor

Deployed 7da49bf to https://ForgeRock.github.io/ping-javascript-sdk/pr-577/7da49bf73ea350faadb1a759c29be743172ec837 branch gh-pages in ForgeRock/ping-javascript-sdk

@github-actions
Contributor

📦 Bundle Size Analysis


🚨 Significant Changes

🔻 @forgerock/device-client - 0.0 KB (-9.9 KB, -100.0%)
🔻 @forgerock/journey-client - 0.0 KB (-89.9 KB, -100.0%)

📊 Minor Changes

📉 @forgerock/device-client - 9.9 KB (-0.0 KB)

➖ No Changes

@forgerock/davinci-client - 48.0 KB
@forgerock/oidc-client - 25.2 KB
@forgerock/sdk-utilities - 11.2 KB
@forgerock/sdk-types - 7.9 KB
@forgerock/protect - 150.1 KB
@forgerock/journey-client - 89.9 KB
@forgerock/storage - 1.5 KB
@forgerock/sdk-oidc - 4.8 KB
@forgerock/sdk-request-middleware - 4.5 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/iframe-manager - 2.4 KB


14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files

🔄 Updated automatically on each push to this PR

1 participant