Skip to content

Commit 5821db4

Browse files
markusgrotzmarkusgrotz
authored
Update download-artifact plugin in publish-to-test-pypi.yml to fix vulnerability
Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames. Fore more details see: GHSA-6q32-hq47-5qq3
1 parent afb69f3 commit 5821db4

File tree

1 file changed

+4
-4
lines changed

1 file changed

+4
-4
lines changed

source/guides/github-actions-ci-cd-sample/publish-to-test-pypi.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ jobs:
2222
- name: Build a binary wheel and a source tarball
2323
run: python3 -m build
2424
- name: Store the distribution packages
25-
uses: actions/upload-artifact@v3
25+
uses: actions/upload-artifact@v4
2626
with:
2727
name: python-package-distributions
2828
path: dist/
@@ -42,7 +42,7 @@ jobs:
4242

4343
steps:
4444
- name: Download all the dists
45-
uses: actions/download-artifact@v3
45+
uses: actions/download-artifact@v4
4646
with:
4747
name: python-package-distributions
4848
path: dist/
@@ -63,7 +63,7 @@ jobs:
6363

6464
steps:
6565
- name: Download all the dists
66-
uses: actions/download-artifact@v3
66+
uses: actions/download-artifact@v4
6767
with:
6868
name: python-package-distributions
6969
path: dist/
@@ -107,7 +107,7 @@ jobs:
107107

108108
steps:
109109
- name: Download all the dists
110-
uses: actions/download-artifact@v3
110+
uses: actions/download-artifact@v4
111111
with:
112112
name: python-package-distributions
113113
path: dist/

0 commit comments

Comments
 (0)