build(deps): bump actions/setup-node from 4 to 6#331
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM
The change is safe. The workflow doesn't set a cache input on setup-node, and the v5/v6 breaking changes only affect automatic caching behavior (now limited to npm). Since the workflow installs packages globally via npm install -g mint without a lockfile, no caching would apply regardless. No correctness or security concerns.
Tag @mendral-app with feedback or questions. View session
Supply Chain Security Review
✅ Approve — 1 finding in 1 file
Dependabot bump of first-party actions/setup-node from v4 to v6. Workflow permissions are minimal and trigger is safe.
| - name: Setup Node | ||
| uses: actions/setup-node@v4 | ||
| uses: actions/setup-node@v6 |
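Review bot: the replacement line `uses: actions/setup-node@v6` still references a mutable major-version tag, so the job will run whatever commit upstream later points `v6` at; pinning to the full commit SHA of the v6 release (keeping `# v6` as a trailing comment so Dependabot can still propose updates) makes the reference immutable. The hunk adds no `cache:` input, which is consistent with the note above that the v5/v6 automatic-caching changes do not apply to this workflow.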
maintainability (P3), medium confidence: Action is pinned to a mutable major-version tag. Pinning to a full commit SHA prevents tag-rewrite attacks on upstream actions.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/validate-docs.yaml, line 32:
<issue>
Action is pinned to a mutable major-version tag. Pinning to a full commit SHA prevents tag-rewrite attacks on upstream actions.
</issue>
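A small check for the finding above, added here as an example (it is not Mendral's tooling and not code from this repository): it scans a workflow's `uses:` lines and reports every action reference that is not a full 40-hex commit SHA. The workflow text is constructed to mirror the diff; the repository's real validate-docs.yaml is not reproduced.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re

# `uses: owner/repo[/path]@ref`; local (`./...`) and `docker://` references are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow text mirroring the diff in this PR (not the repository's actual file).
CONSTRUCTED_WORKFLOW = """\
name: validate-docs
on: [pull_request]
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Setup Node
        uses: actions/setup-node@v6
      - run: npm install -g mint
"""


def is_sha_pinned(ref: str) -> bool:
    """True only for a full 40-character lowercase hex commit SHA (tags and branches are mutable)."""
    return bool(FULL_SHA_RE.match(ref))


def find_mutable_refs(workflow_text: str):
    """Return (line_no, action, ref) for every `uses:` whose ref is not a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        if not is_sha_pinned(ref):
            findings.append((line_no, action, ref))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in find_mutable_refs(CONSTRUCTED_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is a mutable ref; pin to the release's full commit SHA")
```

A `uses: owner/repo@<sha> # v6` line passes because only the token before the comment is checked.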
Bumps actions/setup-node from 4 to 6.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
- 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
- ab72c7e Upgrade @actions dependencies (#1525)
- 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
- 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
- c882bff Replace uuid with crypto.randomUUID() (#1378)
- 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
- efcb663 fix: remove hardcoded bearer (#1467)
- d02c89d Fix npm audit issues (#1491)
- 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
- 8e49463 Fix README typo (#1226)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Dependabot bumps actions/setup-node from v4 to v6 in the validate-docs.yaml workflow.

Written by Mendral for commit eb61b1c.