Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-15228 - Contains usage of now deprecated add-path #26

Closed
xTVaser opened this issue Oct 5, 2020 · 1 comment
Closed

CVE-2020-15228 - Contains usage of now deprecated add-path #26

xTVaser opened this issue Oct 5, 2020 · 1 comment
Assignees
@timheuer
Labels
dependencies Pull requests that update a dependency file

Comments

@xTVaser
Copy link

xTVaser commented Oct 5, 2020

Related CVE - GHSA-mfwh-5m23-j46w

Output from Github Actions:

Run microsoft/[email protected]
  with:
    vs-version: 16.7
C:\ProgramData\Chocolatey\bin\vswhere.exe -products * -requires Microsoft.Component.MSBuild -property installationPath -latest -version 16.7
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise
Warning: The `add-path` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands

Usage appears to be here

setup-msbuild/dist/index.js

Line 1200 in f25dd68

command_1.issueCommand('add-path', {}, inputPath);

@xTVaser xTVaser mentioned this issue Oct 5, 2020
Merged
@timheuer timheuer self-assigned this Oct 6, 2020
@timheuer timheuer added the dependencies Pull requests that update a dependency file label Oct 6, 2020
@DoctorMcKay DoctorMcKay mentioned this issue Oct 6, 2020
Closed
@timheuer timheuer mentioned this issue Oct 6, 2020
Merged
@timheuer timheuer closed this as completed Oct 6, 2020
@timheuer timheuer mentioned this issue Oct 6, 2020
Closed
@timheuer
Copy link
Member

timheuer commented Oct 6, 2020

Released as v.1.0.2 and v1 ref tag updated

jgiannuzzi added a commit to jgiannuzzi/ParquetSharp that referenced this issue Oct 8, 2020
@jgiannuzzi
Fix add-path warning in CI
c336a00 
A newer version of the microsoft/setup-msbuild action has been released that is not vulnerable to [CVE-2020-15228](GHSA-mfwh-5m23-j46w): microsoft/setup-msbuild#26

This PR changes the version pinning to v1 instead of v1.0.0, so that the latest v1 will be used.
@jgiannuzzi jgiannuzzi mentioned this issue Oct 8, 2020
Merged
GPSnoopy pushed a commit to G-Research/ParquetSharp that referenced this issue Oct 8, 2020
@jgiannuzzi
Fix add-path warning in CI (#155)
6acc6f4 
A newer version of the microsoft/setup-msbuild action has been released that is not vulnerable to [CVE-2020-15228](GHSA-mfwh-5m23-j46w): microsoft/setup-msbuild#26

This PR changes the version pinning to v1 instead of v1.0.0, so that the latest v1 will be used.
@timheuer timheuer mentioned this issue Nov 17, 2020
Closed
@dbaileychess dbaileychess mentioned this issue Nov 19, 2020
Merged
@ghost ghost mentioned this issue Nov 21, 2020
Merged
@timheuer timheuer mentioned this issue Nov 26, 2020
Closed
@timheuer timheuer mentioned this issue Jan 8, 2021
Closed
afit added a commit to afit/wlan10 that referenced this issue Feb 5, 2021
@afit
See: microsoft/setup-msbuild#26
78d6159
osmanovv added a commit to osmanovv/auxmic that referenced this issue Mar 20, 2021
@osmanovv
fix deprecated add-path comand
a6bebbc 
More info:
* microsoft/setup-msbuild#26
* https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
@timheuer timheuer mentioned this issue May 27, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timheuer timheuer

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@timheuer @xTVaser