chore(deps): bump actions/github-script from 8.0.0 to 9.0.0#325
Open
dependabot[bot] wants to merge 1 commit into
Open
chore(deps): bump actions/github-script from 8.0.0 to 9.0.0#325dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Claude / Claude Code Review
completed
Apr 13, 2026 in 8m 2s
Code review found 1 important issue
Found 3 candidates, confirmed 2. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 1 |
| 🟡 Nit | 0 |
| 🟣 Pre-existing | 1 |
| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | .github/workflows/deploy-docs.yml:70 |
deploy-docs.yml uses mutable version tag instead of SHA pin |
| 🟣 Pre-existing | .github/workflows/bundle-analysis.yml:118-124 |
Script injection via backtick template literal in bundle-analysis.yml |
Annotations
Check failure on line 70 in .github/workflows/deploy-docs.yml
claude / Claude Code Review
deploy-docs.yml uses mutable version tag instead of SHA pin
deploy-docs.yml pins actions/github-script to the mutable tag @v9.0.0 instead of the full commit SHA used in every other workflow updated by this PR. A mutable tag can be force-pushed by the upstream maintainer to point to arbitrary code, creating a supply chain attack vector. Fix by replacing @v9.0.0 with @3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0.
Check notice on line 124 in .github/workflows/bundle-analysis.yml
claude / Claude Code Review
Script injection via backtick template literal in bundle-analysis.yml
A pre-existing script injection vulnerability exists in bundle-analysis.yml: the bundleBreakdown variable is constructed using a backtick template literal with a direct GitHub Actions expression (const bundleBreakdown = backtick-dollar-brace steps.compare.outputs.bundle_breakdown end-brace-backtick), so GitHub Actions interpolates the raw value into JS source before parsing — a malicious PR could craft dist/ filenames with backticks (SyntaxError) or dollar-brace sequences (arbitrary JS execution
Loading