fix: update flatted to 3.4.2 to fix prototype pollution (GHSA-rf6f-7fwh-wjgh)

Initial plan
2026-06-16 13:06:47 -07:00 · 2026-06-16 16:23:29 +00:00 · 2026-06-16 16:18:54 +00:00
4 changed files with 12 additions and 10 deletions
@@ -2833,9 +2833,9 @@ function assertSafePrCheckout(input) {
    throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
        `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
        `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-        `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
-        `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
-        `on the actions/checkout step.`);
+        `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+        `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+        `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
    if (typeof value === 'string' && value.length > 0) {
@@ -14,6 +14,7 @@
        "@actions/github": "^6.0.0",
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.1",
+        "flatted": "^3.4.2",
        "uuid": "^9.0.1"
      },
      "devDependencies": {
@@ -3590,10 +3591,10 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
-      "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
-      "dev": true
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "license": "ISC"
    },
    "node_modules/for-each": {
      "version": "0.3.3",
@@ -33,6 +33,7 @@
    "@actions/github": "^6.0.0",
    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.1",
+    "flatted": "^3.4.2",
    "uuid": "^9.0.1"
  },
  "devDependencies": {
@@ -75,9 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
    `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
      `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-      `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
-      `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
-      `on the actions/checkout step.`
+      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+      `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+      `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
  )
 }
Author	SHA1	Message	Date
copilot-swe-agent[bot]	4afa37ac8d	fix: update flatted to 3.4.2 to fix prototype pollution (GHSA-rf6f-7fwh-wjgh)	2026-06-16 16:23:29 +00:00
copilot-swe-agent[bot]	aa3faa9f29	Initial plan	2026-06-16 16:18:54 +00:00