[Snyk] Security upgrade @actions/cache from 1.0.8 to 4.0.0 #91
revan-zhang wants to merge 2 commits into main from
Conversation
…rabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759
⛔ Snyk checks have failed. 5 issues have been found so far.
| }, | ||
| "dependencies": { | ||
| "@actions/cache": "^1.0.8", | ||
| "@actions/cache": "^4.0.0", |
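Review bot: this hunk only changes the declared range (`"^1.0.8"` to `"^4.0.0"`), while the vulnerability the PR is meant to close, SNYK-JS-BRACEEXPANSION-15789759, lives in the transitive brace-expansion package, not in @actions/cache itself; once yarn.lock is regenerated, confirm with `yarn why brace-expansion` that no other resolution still pins a vulnerable version, otherwise the advisory stays open. Since the bump crosses three major versions of @actions/cache, the PR description should also list the breaking changes reviewers need to look for in the bundled action code.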
🔴 Build output not regenerated after @actions/cache v1→v4 upgrade, making the change a no-op at runtime
The build/ directory contains ncc-bundled code that GitHub Actions actually executes (per action.yml:19 → main: build/setup/index.js). The PR updates @actions/cache from ^1.0.8 to ^4.0.0 in package.json and yarn.lock, but does not regenerate the build output. The bundled build/setup/index.js still contains the old v1 cache library code — confirmed by the absence of any v4-specific symbols (getCacheServiceVersion, cacheTwirpClient, ACTIONS_RESULTS_URL) in the build output, while v1-only patterns remain. This means the dependency upgrade has zero effect at runtime and the commit message's stated goal ("reduce vulnerabilities") is not achieved. The CONTRIBUTING.md explicitly requires: "Run yarn build to ensure the build is up-to-date and runs correctly and without errors or warnings."
Prompt for agents
The build/ directory is bundled via ncc (see expo-server/ncc.js) and is what GitHub Actions actually runs at runtime (action.yml main: build/setup/index.js). After changing the @actions/cache dependency version in package.json, you must regenerate the build output by running `yarn build` (or `node ncc.js`) from the expo-server directory. Without this step, the bundled code in build/setup/index.js, build/command/index.js, and build/preview-comment/index.js still contains the old @actions/cache v1 code, making the entire dependency upgrade ineffective at runtime. Run the build and commit the updated build/ output.
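A build-staleness check of the kind the comment above asks for, as an added example that is not part of this PR or the expo-server project. It assumes the layout the comment describes (package.json declares @actions/cache, action.yml runs an ncc bundle under build/) and uses the v4-only symbols the comment names (getCacheServiceVersion, cacheTwirpClient, ACTIONS_RESULTS_URL) to detect a bundle that was not regenerated. The function names (bundle_has_v4_cache, expected_cache_major, check_build) and the sample package.json and bundle files are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's own tooling: detect an ncc bundle that was
# built against an older @actions/cache than the one package.json declares.
set -u

# Symbols present in @actions/cache v4 but absent from v1 (per the review
# comment above). A bundle containing none of them was not rebuilt after the
# dependency bump.
V4_SYMBOLS="getCacheServiceVersion cacheTwirpClient ACTIONS_RESULTS_URL"

# bundle_has_v4_cache FILE -> 0 if FILE contains at least one v4-only symbol,
# 1 if it contains none, 2 if FILE does not exist.
bundle_has_v4_cache() {
    file="$1"
    [ -f "$file" ] || return 2
    for sym in $V4_SYMBOLS; do
        if grep -q "$sym" "$file"; then
            return 0
        fi
    done
    return 1
}

# expected_cache_major PACKAGE_JSON -> major version from the declared range,
# e.g. "^4.0.0" -> 4. Prints nothing if @actions/cache is not declared.
expected_cache_major() {
    sed -n 's/.*"@actions\/cache": *"[^0-9]*\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_build PACKAGE_JSON BUNDLE -> 0 when the bundle is consistent with the
# declared major; 1 when a v4+ declaration meets a bundle without v4 symbols;
# 2 when the declaration cannot be read.
check_build() {
    major=$(expected_cache_major "$1")
    [ -n "$major" ] || return 2
    if [ "$major" -ge 4 ]; then
        bundle_has_v4_cache "$2"
    else
        # For older majors there is no symbol set on the page to assert on.
        return 0
    fi
}

# Constructed sample inputs (hypothetical, for the demo only): a package.json
# declaring ^4.0.0 and two stand-ins for build/setup/index.js, one bundled
# before the upgrade and one after rerunning `yarn build`.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
PKG="$TMP/package.json"
STALE="$TMP/stale-index.js"
FRESH="$TMP/fresh-index.js"
printf '%s\n' '{' '  "dependencies": {' '    "@actions/cache": "^4.0.0"' '  }' '}' > "$PKG"
printf '%s\n' '// ncc bundle built against @actions/cache v1 (constructed sample)' \
    'function saveCache(paths, key) { /* v1 code path */ }' > "$STALE"
printf '%s\n' '// ncc bundle built against @actions/cache v4 (constructed sample)' \
    'function getCacheServiceVersion() { return process.env.ACTIONS_RESULTS_URL ? "v2" : "v1"; }' > "$FRESH"

for bundle in "$STALE" "$FRESH"; do
    if check_build "$PKG" "$bundle"; then
        echo "ok    $bundle matches @actions/cache major $(expected_cache_major "$PKG")"
    else
        echo "STALE $bundle: rerun 'yarn build' and commit build/"
    fi
done
```

In the repository itself the same point is cheaper to enforce in CI by rebuilding and diffing: `yarn build && git diff --exit-code -- build/` fails the job whenever the committed bundle no longer matches the sources and lockfile, which catches this class of no-op dependency upgrade before review.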
Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
expo-server/package.json
expo-server/yarn.lock

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-15789759
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Medium Risk
Upgrades a core GitHub Actions dependency (@actions/cache) across major versions, which could introduce behavior/API differences in caching and its transitive Azure/HTTP stack.

Overview
Updates expo-server to use @actions/cache ^4.0.0 (from ^1.0.8) to address a reported vulnerability. Regenerates yarn.lock accordingly, pulling in newer transitive dependencies (notably updated @actions/* HTTP/core packages and newer Azure storage/cache-related libraries).

Written by Cursor Bugbot for commit d963624. This will update automatically on new commits.