Dependabot alerts should support conventional major version tags with GitHub Actions #54553

bigdaz · 2023-05-05T14:34:38Z

bigdaz
May 5, 2023

Select Topic Area

Bug

Body

It is conventional (and indeed recommended) to use a major version tag to track the latest version of a GitHub Action release.

For example, actions/cache@v3 and actions/cache@v3.3.1 are currently identical (point to the same commit). With each new release in the v3.x stream, the v3 version tag is updated.

We recently published a security advisory for gradle/gradle-build-action, with v2.4.2 being the patched version. Any using this action with the major version tag (gradle/gradle-build-action@v2) is automatically using this patched version and is no longer vulnerable.

Unfortunately, all repositories referencing the major version tag received a Dependabot alert for this vulnerability, and the only options to resolve this are:

Change to use the v2.4.2 version, losing the ability to track the latest release of the action.
"Dismiss" the alert, which makes it looks like the issue is being ignored and hasn't really been fixed.

Interestingly, Dependabot does detect that no upgrade is required, but fails to dismiss the alert as "fixed".

Answered by jonjanego

Feb 13, 2024

Update - we have resolved this! :)

View full answer

jonjanego · 2024-02-13T20:42:05Z

jonjanego
Feb 13, 2024

Update - we have resolved this! :)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Dependabot alerts should support conventional major version tags with GitHub Actions #54553

{{title}}

Replies: 1 comment

{{title}}

Select a reply

GitHub Community

Dependabot alerts should support conventional major version tags with GitHub Actions #54553

bigdaz May 5, 2023

Select Topic Area

Body

Replies: 1 comment

jonjanego Feb 13, 2024

bigdaz
May 5, 2023

jonjanego
Feb 13, 2024