From c23cc6e61cdbdca7e37fb97e2b6af7417329f59e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Mar 2026 04:40:06 +0000 Subject: [PATCH 1/8] chore(deps): bump undici from 6.23.0 to 6.24.0 in /packages/glob Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.0. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v6.23.0...v6.24.0) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- packages/glob/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/glob/package-lock.json b/packages/glob/package-lock.json index 35920049b2..8bbdcf2310 100644 --- a/packages/glob/package-lock.json +++ b/packages/glob/package-lock.json @@ -92,9 +92,9 @@ } }, "node_modules/undici": { - "version": "6.23.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz", - "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==", + "version": "6.24.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.0.tgz", + "integrity": "sha512-lVLNosgqo5EkGqh5XUDhGfsMSoO8K0BAN0TyJLvwNRSl4xWGZlCVYsAIpa/OpA3TvmnM01GWcoKmc3ZWo5wKKA==", "license": "MIT", "engines": { "node": ">=18.17" From bbaffb4bb32bf23a147df4e7b31bcbde3cfbc96e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Mar 2026 04:56:28 +0000 Subject: [PATCH 2/8] chore(deps): bump undici from 6.23.0 to 6.24.0 in /packages/github Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.0. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v6.23.0...v6.24.0) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- packages/github/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/github/package-lock.json b/packages/github/package-lock.json index 04cb033871..fc00bd11d1 100644 --- a/packages/github/package-lock.json +++ b/packages/github/package-lock.json @@ -363,9 +363,9 @@ } }, "node_modules/undici": { - "version": "6.23.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz", - "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==", + "version": "6.24.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.0.tgz", + "integrity": "sha512-lVLNosgqo5EkGqh5XUDhGfsMSoO8K0BAN0TyJLvwNRSl4xWGZlCVYsAIpa/OpA3TvmnM01GWcoKmc3ZWo5wKKA==", "license": "MIT", "engines": { "node": ">=18.17" From 7c6cc28ed5354bc173809a030902d928c10d738d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Mar 2026 09:09:41 +0000 Subject: [PATCH 3/8] chore(deps): bump undici from 6.23.0 to 6.24.1 in /packages/core Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v6.23.0...v6.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.1 dependency-type: indirect ... 
Signed-off-by: dependabot[bot] --- packages/core/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/core/package-lock.json b/packages/core/package-lock.json index b9033bbed9..e8cbe9f840 100644 --- a/packages/core/package-lock.json +++ b/packages/core/package-lock.json @@ -61,9 +61,9 @@ } }, "node_modules/undici": { - "version": "6.23.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz", - "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==", + "version": "6.24.1", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz", + "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==", "license": "MIT", "engines": { "node": ">=18.17" From 6bd5e50ee163dee51ec4f90578f410373407bf86 Mon Sep 17 00:00:00 2001 From: ICHINOSE Shogo Date: Fri, 20 Mar 2026 18:00:34 +0900 Subject: [PATCH 4/8] @actions/glob: bump minimatch from v3.0.4 to v10.2.4 --- packages/glob/package-lock.json | 46 ++++++++++++++------------- packages/glob/package.json | 2 +- packages/glob/src/internal-pattern.ts | 10 ++---- 3 files changed, 28 insertions(+), 30 deletions(-) diff --git a/packages/glob/package-lock.json b/packages/glob/package-lock.json index 35920049b2..50cbc17cab 100644 --- a/packages/glob/package-lock.json +++ b/packages/glob/package-lock.json @@ -10,7 +10,7 @@ "license": "MIT", "dependencies": { "@actions/core": "^3.0.0", - "minimatch": "^3.0.4" + "minimatch": "^10.2.4" } }, "node_modules/@actions/core": { 
@@ -49,37 +49,39 @@ "license": "MIT" }, "node_modules/balanced-match": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", - "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", - "license": "MIT" + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz", + "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==", + "license": "MIT", + "engines": { + "node": "18 || 20 || >=22" + } }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "5.0.4", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz", + "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==", "license": "MIT", "dependencies": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" + "balanced-match": "^4.0.2" + }, + "engines": { + "node": "18 || 20 || >=22" } }, - "node_modules/concat-map": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", - "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", - "license": "MIT" - }, "node_modules/minimatch": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", - "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", - "license": "ISC", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": 
"sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", + "license": "BlueOak-1.0.0", "dependencies": { - "brace-expansion": "^1.1.7" + "brace-expansion": "^5.0.2" }, "engines": { - "node": "*" + "node": "18 || 20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" } }, "node_modules/tunnel": { diff --git a/packages/glob/package.json b/packages/glob/package.json index 81b58f8f46..b40834b7a6 100644 --- a/packages/glob/package.json +++ b/packages/glob/package.json @@ -45,6 +45,6 @@ }, "dependencies": { "@actions/core": "^3.0.0", - "minimatch": "^3.0.4" + "minimatch": "^10.2.4" } } diff --git a/packages/glob/src/internal-pattern.ts b/packages/glob/src/internal-pattern.ts index 61ee380473..f6fb740b4d 100644 --- a/packages/glob/src/internal-pattern.ts +++ b/packages/glob/src/internal-pattern.ts @@ -2,14 +2,10 @@ import * as os from 'os' import * as path from 'path' import * as pathHelper from './internal-path-helper.js' import assert from 'assert' -import minimatch from 'minimatch' +import {Minimatch, type MinimatchOptions} from 'minimatch' import {MatchKind} from './internal-match-kind.js' import {Path} from './internal-path.js' -type IMinimatch = minimatch.IMinimatch -type IMinimatchOptions = minimatch.IOptions -const {Minimatch} = minimatch - const IS_WINDOWS = process.platform === 'win32' export class Pattern { @@ -38,7 +34,7 @@ export class Pattern { /** * The Minimatch object used for matching */ - private readonly minimatch: IMinimatch + private readonly minimatch: Minimatch /** * Used to workaround a limitation with Minimatch when determining a partial @@ -126,7 +122,7 @@ export class Pattern { this.isImplicitPattern = isImplicitPattern // Create minimatch - const minimatchOptions: IMinimatchOptions = { + const minimatchOptions: MinimatchOptions = { dot: true, nobrace: true, nocase: IS_WINDOWS, From 20647b6bcf44b035c7433e65e0a497a9d196a7db Mon Sep 17 00:00:00 2001 
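Review bot: The `minimatchOptions` literal in the last hunk of `internal-pattern.ts` is carried over unchanged from minimatch v3 to v10, so every matching default introduced since v3 is now taken implicitly. The visible lines set only `dot`, `nobrace` and `nocase`, and the object continues outside the hunk, so this may already be handled there. If it is not, options such as `windowsPathsNoEscape` and `optimizationLevel` deserve an explicit value or a comment, because this matcher decides which files downstream callers select. I would add above the literal `// minimatch v10: options not listed here use v10 defaults; see the Pattern tests for cases whose result changed`. The test commit later in this series flips at least one match result, which suggests the upgrade is not behaviour-neutral.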
From: ICHINOSE Shogo Date: Fri, 20 Mar 2026 19:24:19 +0900 Subject: [PATCH 5/8] @actions/core: update regression test with minimatch v3 --- packages/glob/__tests__/internal-pattern.test.ts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/glob/__tests__/internal-pattern.test.ts b/packages/glob/__tests__/internal-pattern.test.ts index 3690ecb3b3..1c52543a68 100644 --- a/packages/glob/__tests__/internal-pattern.test.ts +++ b/packages/glob/__tests__/internal-pattern.test.ts @@ -303,7 +303,7 @@ describe('pattern', () => { expect(pattern.match(`${root}foo/bar/baz`)).toBeFalsy() pattern = new Pattern(`${root}foo/b[!]r/b*`) expect(pattern.searchPath).toBe(`${root}foo${path.sep}b!r`) - expect(pattern.match(`${root}foo/b!r/baz`)).toBeTruthy() + expect(pattern.match(`${root}foo/b!r/baz`)).toBeFalsy() pattern = new Pattern(`${root}foo/b[[]ar/b*`) expect(pattern.searchPath).toBe(`${root}foo${path.sep}b[ar`) expect(pattern.match(`${root}foo/b[ar/baz`)).toBeTruthy() @@ -340,9 +340,11 @@ describe('pattern', () => { pattern = new Pattern('C:/foo/b\\[a]r/b*') expect(pattern.searchPath).toBe(`C:\\foo\\b\\ar`) expect(pattern.match('C:/foo/b/ar/baz')).toBeTruthy() + + // Regression testing for minimatch v3 pattern = new Pattern('C:/foo/b[\\!]r/b*') expect(pattern.searchPath).toBe('C:\\foo\\b[\\!]r') - expect(pattern.match('C:/foo/b[undefined/!]r/baz')).toBeTruthy() // Note, "undefined" substr to accommodate a bug in Minimatch when nocase=true + expect(pattern.match('C:/foo/b[undefined/!]r/baz')).toBeFalsy() } }) }) From 74fcfdbd100a97c07b0c2015707b2bb0b56d0fef Mon Sep 17 00:00:00 2001 From: ICHINOSE Shogo Date: Fri, 20 Mar 2026 19:56:02 +0900 Subject: [PATCH 6/8] @actions/glob: add some comments for the regression testing Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- packages/glob/__tests__/internal-pattern.test.ts | 7 +++++++ 1 file changed, 7 insertions(+) 
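Review bot: Both changed expectations flip `toBeTruthy()` to `toBeFalsy()` without adding a positive assertion, so these tests would still pass if the pattern matched nothing at all. In the first hunk `searchPath` is still expected to be `${root}foo${path.sep}b!r` while `match` on `${root}foo/b!r/baz` is now expected to fail, so the pattern would search a directory it can never match. That looks like a divergence between Pattern's literal-segment handling (outside the hunk) and the new minimatch parsing of `[!]`, and it should be either fixed or recorded as intentional. For each case I would add the path expected to match under v10, e.g. `expect(pattern.match(<path that should match>)).toBeTruthy()`, plus a line such as `// minimatch v10: "[!]" is no longer matched as a literal "!"`. The second hunk sits in a block that starts outside the hunk, and its new comment says "minimatch v3" although the assertion describes behaviour after the upgrade.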
diff --git a/packages/glob/__tests__/internal-pattern.test.ts b/packages/glob/__tests__/internal-pattern.test.ts index 1c52543a68..2f101d9fba 100644 --- a/packages/glob/__tests__/internal-pattern.test.ts +++ b/packages/glob/__tests__/internal-pattern.test.ts @@ -342,6 +342,13 @@ describe('pattern', () => { expect(pattern.match('C:/foo/b/ar/baz')).toBeTruthy() // Regression testing for minimatch v3 + // Historically, minimatch/glob had a bug when parsing a character class + // containing an escaped '!' (e.g. `[\\!]`). In some cases, the internal + // pattern construction would incorrectly insert the literal string + // "undefined" into the generated pattern/segment, which could make a + // pattern intended to match `b[\\!]r` also match a path segment like + // `b[undefined/!]r`. This test ensures that a pattern with a literal + // `[\\!]` in the directory name does *not* match such malformed paths. pattern = new Pattern('C:/foo/b[\\!]r/b*') expect(pattern.searchPath).toBe('C:\\foo\\b[\\!]r') expect(pattern.match('C:/foo/b[undefined/!]r/baz')).toBeFalsy() From 23cbecacadbe6ef8d9066f9d241d8736301352fd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 21 Mar 2026 10:32:03 +0000 Subject: [PATCH 7/8] chore(deps-dev): bump flatted from 3.3.3 to 3.4.2 Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2. - [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 76e8212e41..5fc0175287 100644 --- a/package-lock.json +++ b/package-lock.json 
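Review bot: The added comment drops the one condition the removed inline note carried, namely that the "undefined" artefact appeared in Minimatch when `nocase=true`. That condition explains why the case lives in what appears to be the Windows-only part of the test (the enclosing block starts outside the hunk), since Pattern sets `nocase: IS_WINDOWS`. I would append `// The old behaviour was only seen with nocase=true, which Pattern enables on Windows.` and reword "minimatch/glob" to name minimatch v3 specifically. As written, the sentence reads as an established fact about both packages, which nothing on this page supports.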
@@ -7215,9 +7215,9 @@ } }, "node_modules/flatted": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz", - "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==", + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz", + "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==", "dev": true, "license": "ISC" }, From 0607d7a54bc6b6da17f93071c3f3401143d16c05 Mon Sep 17 00:00:00 2001 From: Aiqiao Yan <55104035+aiqiaoy@users.noreply.github.com> Date: Tue, 21 Apr 2026 17:14:57 +0000 Subject: [PATCH 8/8] release new versions for a few packages --- packages/core/RELEASES.md | 4 ++++ packages/core/package-lock.json | 4 ++-- packages/core/package.json | 2 +- packages/github/RELEASES.md | 4 ++++ packages/github/package-lock.json | 4 ++-- packages/github/package.json | 2 +- packages/glob/RELEASES.md | 6 ++++++ packages/glob/package-lock.json | 4 ++-- packages/glob/package.json | 2 +- packages/http-client/RELEASES.md | 4 ++++ packages/http-client/package-lock.json | 4 ++-- packages/http-client/package.json | 2 +- 12 files changed, 30 insertions(+), 12 deletions(-) diff --git a/packages/core/RELEASES.md b/packages/core/RELEASES.md index 34b5a9e985..68564c4b81 100644 --- a/packages/core/RELEASES.md +++ b/packages/core/RELEASES.md @@ -1,5 +1,9 @@ # @actions/core Releases +## 3.0.1 + +- Bump `undici` from `6.23.0` to `6.24.1` [#2348](https://github.com/actions/toolkit/pull/2348) + ## 3.0.0 - **Breaking change**: Package is now ESM-only diff --git a/packages/core/package-lock.json b/packages/core/package-lock.json index e8cbe9f840..1a493b051a 100644 --- a/packages/core/package-lock.json +++ b/packages/core/package-lock.json 
@@ -1,12 +1,12 @@ { "name": "@actions/core", - "version": "3.0.0", + "version": "3.0.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@actions/core", - "version": "3.0.0", + "version": "3.0.1", "license": "MIT", "dependencies": { "@actions/exec": "^3.0.0", diff --git a/packages/core/package.json b/packages/core/package.json index 3088d9d752..01f93cd7fa 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,6 +1,6 @@ { "name": "@actions/core", - "version": "3.0.0", + "version": "3.0.1", "description": "Actions core lib", "keywords": [ "github", diff --git a/packages/github/RELEASES.md b/packages/github/RELEASES.md index e9d69fbb1d..a566f9e932 100644 --- a/packages/github/RELEASES.md +++ b/packages/github/RELEASES.md @@ -1,5 +1,9 @@ # @actions/github Releases +### 9.1.1 + +- Bump `undici` from `6.23.0` to `6.24.0` [#2346](https://github.com/actions/toolkit/pull/2346) + ### 9.1.0 - Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#2364](https://github.com/actions/toolkit/pull/2364) diff --git a/packages/github/package-lock.json b/packages/github/package-lock.json index 11646354c2..bee3536d81 100644 --- a/packages/github/package-lock.json +++ b/packages/github/package-lock.json @@ -1,12 +1,12 @@ { "name": "@actions/github", - "version": "9.1.0", + "version": "9.1.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@actions/github", - "version": "9.1.0", + "version": "9.1.1", "license": "MIT", "dependencies": { "@actions/http-client": "^3.0.2", diff --git a/packages/github/package.json b/packages/github/package.json index c3d6fa18d7..7395c98133 100644 --- a/packages/github/package.json +++ b/packages/github/package.json @@ -1,6 +1,6 @@ { "name": "@actions/github", - "version": "9.1.0", + "version": "9.1.1", "description": "Actions github lib", "keywords": [ "github", 
diff --git a/packages/glob/RELEASES.md b/packages/glob/RELEASES.md index 6810426ba6..fa5880c089 100644 --- a/packages/glob/RELEASES.md +++ b/packages/glob/RELEASES.md @@ -1,5 +1,11 @@ # @actions/glob Releases +## 0.7.0 + +- Bump `minimatch` from `^3.0.4` to `^10.2.5` [#2355](https://github.com/actions/toolkit/pull/2355) +- Bump `undici` from `6.23.0` to `6.24.0` [#2345](https://github.com/actions/toolkit/pull/2345) +- Bump `brace-expansion` in `/packages/glob` [#2369](https://github.com/actions/toolkit/pull/2369) + ## 0.6.1 - Fix a bad import for `minimatch` diff --git a/packages/glob/package-lock.json b/packages/glob/package-lock.json index 51b0f805d1..ed68ffbc19 100644 --- a/packages/glob/package-lock.json +++ b/packages/glob/package-lock.json @@ -1,12 +1,12 @@ { "name": "@actions/glob", - "version": "0.6.1", + "version": "0.7.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@actions/glob", - "version": "0.6.1", + "version": "0.7.0", "license": "MIT", "dependencies": { "@actions/core": "^3.0.0", diff --git a/packages/glob/package.json b/packages/glob/package.json index b0104c4b59..7e2f940189 100644 --- a/packages/glob/package.json +++ b/packages/glob/package.json @@ -1,6 +1,6 @@ { "name": "@actions/glob", - "version": "0.6.1", + "version": "0.7.0", "preview": true, "description": "Actions glob lib", "keywords": [ diff --git a/packages/http-client/RELEASES.md b/packages/http-client/RELEASES.md index f783fc768b..93b4b49a74 100644 --- a/packages/http-client/RELEASES.md +++ b/packages/http-client/RELEASES.md @@ -1,5 +1,9 @@ # Releases +## 4.0.1 + +- Bump `undici` from `6.23.0` to `6.24.0` [#2347](https://github.com/actions/toolkit/pull/2347) + ## 4.0.0 - **Breaking change**: Package is now ESM-only diff --git a/packages/http-client/package-lock.json b/packages/http-client/package-lock.json index 41352196d2..52574b6c24 100644 --- a/packages/http-client/package-lock.json +++ b/packages/http-client/package-lock.json 
@@ -1,12 +1,12 @@ { "name": "@actions/http-client", - "version": "4.0.0", + "version": "4.0.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@actions/http-client", - "version": "4.0.0", + "version": "4.0.1", "license": "MIT", "dependencies": { "tunnel": "^0.0.6", diff --git a/packages/http-client/package.json b/packages/http-client/package.json index 79a3c5975b..e6e89452f7 100644 --- a/packages/http-client/package.json +++ b/packages/http-client/package.json @@ -1,6 +1,6 @@ { "name": "@actions/http-client", - "version": "4.0.0", + "version": "4.0.1", "description": "Actions Http Client", "keywords": [ "github",