Skip to content

Update @actions/cache to 5.1.0 and add security overrides for undici and fast-xml-parser#1579

Merged
HarithaVattikuti merged 4 commits into
releases/v6from
cacheupdate
Jul 14, 2026
Merged

Update @actions/cache to 5.1.0 and add security overrides for undici and fast-xml-parser#1579
HarithaVattikuti merged 4 commits into
releases/v6from
cacheupdate

Conversation

@HarithaVattikuti

Copy link
Copy Markdown
Contributor

Changes

  • Update @actions/cache from ^5.0.5 to 5.1.0
  • Add npm overrides to pin transitive dependencies to secure versions:
    • undici: ^6.24.1 (resolves to 6.27.0) — addresses CVEs in undici <6.x
    • fast-xml-parser: ^5.9.2 (resolves to 5.9.3)
  • Update .licenses/npm/ dep.yml files via licensed cache to reflect new resolved versions
  • npm audit reports 0 vulnerabilities

@HarithaVattikuti
HarithaVattikuti requested a review from a team as a code owner July 8, 2026 22:57
bytalrbllqarat-maker referenced this pull request Jul 11, 2026
#1348)

* setup node in local

* Enhance caching in setup-node with package manager filed detection

* updated with array

* update the field

@pelonducks25-crypto pelonducks25-crypto left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@HarithaVattikuti
HarithaVattikuti merged commit 2499707 into releases/v6 Jul 14, 2026
228 checks passed
@HarithaVattikuti
HarithaVattikuti deleted the cacheupdate branch July 14, 2026 02:48
ajgon pushed a commit to deedee-ops/schemas that referenced this pull request Jul 14, 2026
#11)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v6.4.0` → `v7.0.0` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v7.0.0`](https://github.com/actions/setup-node/releases/tag/v7.0.0)

[Compare Source](actions/setup-node@v6.5.0...v7.0.0)

#### What's Changed

##### Enhancements:

- Add cache-primary-key and cache-matched-key as outputs by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1577](actions/setup-node#1577)
- Migrate to ESM and upgrade dependencies by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1574](actions/setup-node#1574)

##### Bug fixes:

- Remove dummy NODE\_AUTH\_TOKEN export by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1558](actions/setup-node#1558)
- Only use `mirrorToken` in `getManifest` if it's provided by [@&#8203;deiga](https://github.com/deiga) in [#&#8203;1548](actions/setup-node#1548)

##### Documentation updates:

- Add documentation for publishing to npm with Trusted Publisher (OIDC) by [@&#8203;chiranjib-swain](https://github.com/chiranjib-swain) in [#&#8203;1536](actions/setup-node#1536)
- docs: Update restore-only cache documentation by [@&#8203;priya-kinthali](https://github.com/priya-kinthali) in [#&#8203;1550](actions/setup-node#1550)
- docs: Update caching recommendations to mitigate cache poisoning risks by [@&#8203;chiranjib-swain](https://github.com/chiranjib-swain) in [#&#8203;1567](actions/setup-node#1567)

##### Dependency update:

- Upgrade [@&#8203;actions/cache](https://github.com/actions/cache) to 5.1.0, log cache write denied by [@&#8203;jasongin](https://github.com/jasongin) in [#&#8203;1569](actions/setup-node#1569)

#### New Contributors

- [@&#8203;chiranjib-swain](https://github.com/chiranjib-swain) made their first contribution in [#&#8203;1536](actions/setup-node#1536)
- [@&#8203;deiga](https://github.com/deiga) made their first contribution in [#&#8203;1548](actions/setup-node#1548)
- [@&#8203;jasongin](https://github.com/jasongin) made their first contribution in [#&#8203;1569](actions/setup-node#1569)

**Full Changelog**: <actions/setup-node@v6...v7.0.0>

### [`v6.5.0`](https://github.com/actions/setup-node/releases/tag/v6.5.0)

[Compare Source](actions/setup-node@v6.4.0...v6.5.0)

#### What's Changed

- Update [@&#8203;actions/cache](https://github.com/actions/cache) to 5.1.0 and add security overrides for undici and fast-xml-parser by [@&#8203;HarithaVattikuti](https://github.com/HarithaVattikuti) in [#&#8203;1579](actions/setup-node#1579)

**Full Changelog**: <actions/setup-node@v6.4.0...v6.5.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Warsaw)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNjEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI2MS4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: https://git.ajgon.casa/deedee/schemas/pulls/11
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jul 19, 2026
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.4.0 to 7.0.0.
Release notes

*Sourced from [actions/setup-node's releases](https://github.com/actions/setup-node/releases).*

> v7.0.0
> ------
>
> What's Changed
> --------------
>
> ### Enhancements:
>
> * Add cache-primary-key and cache-matched-key as outputs by [`@​gowridurgad`](https://github.com/gowridurgad) in [actions/setup-node#1577](https://redirect.github.com/actions/setup-node/pull/1577)
> * Migrate to ESM and upgrade dependencies by [`@​gowridurgad`](https://github.com/gowridurgad) in [actions/setup-node#1574](https://redirect.github.com/actions/setup-node/pull/1574)
>
> ### Bug fixes:
>
> * Remove dummy NODE\_AUTH\_TOKEN export by [`@​gowridurgad`](https://github.com/gowridurgad) in [actions/setup-node#1558](https://redirect.github.com/actions/setup-node/pull/1558)
> * Only use `mirrorToken` in `getManifest` if it's provided by [`@​deiga`](https://github.com/deiga) in [actions/setup-node#1548](https://redirect.github.com/actions/setup-node/pull/1548)
>
> ### Documentation updates:
>
> * Add documentation for publishing to npm with Trusted Publisher (OIDC) by [`@​chiranjib-swain`](https://github.com/chiranjib-swain) in [actions/setup-node#1536](https://redirect.github.com/actions/setup-node/pull/1536)
> * docs: Update restore-only cache documentation by [`@​priya-kinthali`](https://github.com/priya-kinthali) in [actions/setup-node#1550](https://redirect.github.com/actions/setup-node/pull/1550)
> * docs: Update caching recommendations to mitigate cache poisoning risks by [`@​chiranjib-swain`](https://github.com/chiranjib-swain) in [actions/setup-node#1567](https://redirect.github.com/actions/setup-node/pull/1567)
>
> ### Dependency update:
>
> * Upgrade `@​actions/cache` to 5.1.0, log cache write denied by [`@​jasongin`](https://github.com/jasongin) in [actions/setup-node#1569](https://redirect.github.com/actions/setup-node/pull/1569)
>
> New Contributors
> ----------------
>
> * [`@​chiranjib-swain`](https://github.com/chiranjib-swain) made their first contribution in [actions/setup-node#1536](https://redirect.github.com/actions/setup-node/pull/1536)
> * [`@​deiga`](https://github.com/deiga) made their first contribution in [actions/setup-node#1548](https://redirect.github.com/actions/setup-node/pull/1548)
> * [`@​jasongin`](https://github.com/jasongin) made their first contribution in [actions/setup-node#1569](https://redirect.github.com/actions/setup-node/pull/1569)
>
> **Full Changelog**: <actions/setup-node@v6...v7.0.0>
>
> v6.5.0
> ------
>
> What's Changed
> --------------
>
> * Update `@​actions/cache` to 5.1.0 and add security overrides for undici and fast-xml-parser by [`@​HarithaVattikuti`](https://github.com/HarithaVattikuti) in [actions/setup-node#1579](https://redirect.github.com/actions/setup-node/pull/1579)
>
> **Full Changelog**: <actions/setup-node@v6.4.0...v6.5.0>


Commits

* [`8207627`](actions/setup-node@8207627) Migrate to ESM and upgrade dependencies ([#1574](https://redirect.github.com/actions/setup-node/issues/1574))
* [`04be95c`](actions/setup-node@04be95c) Add cache-primary-key and cache-matched-key as outputs ([#1577](https://redirect.github.com/actions/setup-node/issues/1577))
* [`7c2c68d`](actions/setup-node@7c2c68d) docs: Update caching recommendations to mitigate cache poisoning risks ([#1567](https://redirect.github.com/actions/setup-node/issues/1567))
* [`6a61c03`](actions/setup-node@6a61c03) Merge pull request [#1569](https://redirect.github.com/actions/setup-node/issues/1569) from jasongin/update-actions-cache-5.1.0
* [`30eb73b`](actions/setup-node@30eb73b) Resolve high-severity audit issues
* [`4e1a87a`](actions/setup-node@4e1a87a) Update dist
* [`360237f`](actions/setup-node@360237f) Strict equality
* [`4f8aac5`](actions/setup-node@4f8aac5) Bump `@​actions/cache` to 5.1.0, log cache write denied
* [`f4a67bb`](actions/setup-node@f4a67bb) Only use `mirrorToken` in `getManifest` if it's provided ([#1548](https://redirect.github.com/actions/setup-node/issues/1548))
* [`0355742`](actions/setup-node@0355742) Remove dummy NODE\_AUTH\_TOKEN export ([#1558](https://redirect.github.com/actions/setup-node/issues/1558))
* Additional commits viewable in [compare view](actions/setup-node@48b55a0...8207627)
  
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=actions/setup-node&package-manager=github\_actions&previous-version=6.4.0&new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants