Cycode discovered a command injection vulnerability in the way GitHub Actions updated Google’s open source Bazel project.
How Bazel and GitHub Can Fix the Dependency Availability Problem
Recently, GitHub upgraded the internal version of Git they use to produce repository archives. You’ve probably used these archives before if you’ve downloaded a .zip or .tar.gz file from a repository at a particular version. GitHub produces those archives on demand using Git archive and caches them for a short time. Upgrading Git regularly is […]