Skip to content

chore(deps): bump actions/github-script from 8.0.0 to 9.0.0#325

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/github-script-9.0.0
Open

chore(deps): bump actions/github-script from 8.0.0 to 9.0.0#325
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/github-script-9.0.0

chore(deps): bump actions/github-script from 8.0.0 to 9.0.0

a138ed0
Select commit
Loading
Failed to load commit list.
Claude / Claude Code Review completed Apr 13, 2026 in 8m 2s

Code review found 1 important issue

Found 3 candidates, confirmed 2. See review comments for details.

Details

Severity Count
🔴 Important 1
🟡 Nit 0
🟣 Pre-existing 1
Severity File:Line Issue
🔴 Important .github/workflows/deploy-docs.yml:70 deploy-docs.yml uses mutable version tag instead of SHA pin
🟣 Pre-existing .github/workflows/bundle-analysis.yml:118-124 Script injection via backtick template literal in bundle-analysis.yml

Annotations

Check failure on line 70 in .github/workflows/deploy-docs.yml

See this annotation in the file changed.

@claude claude / Claude Code Review

deploy-docs.yml uses mutable version tag instead of SHA pin

deploy-docs.yml pins actions/github-script to the mutable tag @v9.0.0 instead of the full commit SHA used in every other workflow updated by this PR. A mutable tag can be force-pushed by the upstream maintainer to point to arbitrary code, creating a supply chain attack vector. Fix by replacing @v9.0.0 with @3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0.

Check notice on line 124 in .github/workflows/bundle-analysis.yml

See this annotation in the file changed.

@claude claude / Claude Code Review

Script injection via backtick template literal in bundle-analysis.yml

A pre-existing script injection vulnerability exists in bundle-analysis.yml: the bundleBreakdown variable is constructed using a backtick template literal with a direct GitHub Actions expression (const bundleBreakdown = backtick-dollar-brace steps.compare.outputs.bundle_breakdown end-brace-backtick), so GitHub Actions interpolates the raw value into JS source before parsing — a malicious PR could craft dist/ filenames with backticks (SyntaxError) or dollar-brace sequences (arbitrary JS execution