Update dependency @actions/core to v1.9.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@actions/core (source)	1.2.6 → 1.9.1

GitHub Vulnerability Alerts

CVE-2022-35954

Impact

The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author.

Patches

Users should upgrade to @actions/core v1.9.1.

Workarounds

If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

References

More information about setting-an-environment-variable in workflows

If you have any questions or comments about this advisory:

• Open an issue in actions/toolkit

---

Release Notes

actions/toolkit (@​actions/core)

v1.9.1

• Randomize delimiter when calling core.exportVariable

v1.9.0

• Added toPosixPath, toWin32Path and toPlatformPath utilities #​1102

v1.8.2

• Update to v2.0.1 of @actions/http-client #​1087

v1.8.1

• Update to v2.0.0 of @actions/http-client

v1.8.0

• Deprecate markdownSummary extension export in favor of summary
  • #​1072
  • #​1073

v1.7.0

• Added markdownSummary extension

v1.6.0

• Added OIDC Client function getIDToken
• Added file parameter to AnnotationProperties

v1.5.0

• Added support for notice annotations and more annotation fields

v1.4.0

• Added the getMultilineInput function

v1.3.0

• Added the trimWhitespace option to getInput
• Added the getBooleanInput function

v1.2.7

• Prepend newline for set-output

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.