@actions/[email protected] triggers SNYK-JS-INFLIGHT-6095116 vulnerability warning

[MikeMcC399]

@actions/[email protected] is triggering a vulnerability warning https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

The dependencies are

└─┬ @actions/[email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

• This depends on issue Memory leak in inflight dependency rhalff/dot-object#83 which would need to update to minimum https://github.com/isaacs/node-glob/releases/tag/v9.0.0 to remove inflight.

$ npm view [email protected] deprecated
Glob versions prior to v9 are no longer supported
$ npm view inflight deprecated
This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

[MikeMcC399]

The supportability of twirp-ts and its transient dependencies appears to be questionable:

• https://github.com/hopin-team/twirp-ts shows no option to log an issue. The last release was [email protected] in Apr 2022. The Build & Test workflow twirp-ts.yaml is testing against the End-of-Life Node.js versions 14.x and 15.x only.

• dot-object has open issues:

  • Is this lib still maintained ? rhalff/dot-object#86
  • Memory leak in inflight dependency rhalff/dot-object#83
  • Non-working CI workflow (Travis and CircleCI) rhalff/dot-object#88

twirp-ts was introduced by @actions/[email protected] and was not used by @actions/[email protected]. Deprecations have been introduced through @actions/[email protected].

Logs

@actions/[email protected]

$ npm install @actions/cache@3

added 61 packages, and audited 62 packages in 3s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

@actions/[email protected]

$ npm install @actions/cache@4
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported

added 25 packages, changed 1 package, and audited 87 packages in 2s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

[MikeMcC399]

The maintainers of twirp-ts state in hopin-team/twirp-ts#73 (comment)

This package is in maintenance mode and we don't plan to do any new releases.
Our suggestion is that you fork the repo or find another fork that has been actively maintained.

The addition of twirp-ts to @actions/[email protected] is therefore problematic.

I ran their CI workflow twirp-ts.yaml (Build & Test) against Node.js 18 - 23. The workflow passes on Node.js 18 and fails on higher versions 20 - 23. This is also not good.

[MikeMcC399]

• This issue has been acknowledged in @actions/cache Package Deprecation Notice. Upgrade to the latest `4.0.0` or higher before February 1st 2025 #1890

[robherley]

@actions/[email protected] is released and it removes the runtime dependency on twirp-ts. Thanks for reporting!