From f414b91a9f5b8a08e4f8619d649fd026d4f5ad30 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 May 2026 20:14:45 +0000 Subject: [PATCH 1/2] ci: bump actions/setup-node from 4 to 6 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/audit.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/deploy-prod.yml | 2 +- .github/workflows/deploy-staging.yml | 2 +- .github/workflows/format.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/typecheck.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 3d7ed07..72d9651 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -20,7 +20,7 @@ jobs: - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 713a77c..aac8662 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 3983180..b5570df 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml 
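Review bot: The new `uses: actions/setup-node@v6` line refers to the action by a mutable major tag, here in audit.yml and build.yml and identically in the seven hunks that follow (deploy-prod, deploy-staging, format, lint, release, test, typecheck), so each job runs whatever commit that tag points to at run time. For the deploy and release workflows, which presumably run with deployment or publishing credentials, pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/setup-node@<full-commit-sha-of-v6> # v6`; Dependabot keeps SHA pins and the version comment up to date in the same way. This bump also crosses two major versions, so read the v5 and v6 release notes for runner-version and caching changes before merging. The explicit `cache: 'pnpm'` in each hunk suggests the caching-default change does not apply here, but the rest of each job lies outside the hunks.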
@@ -31,7 +31,7 @@ jobs: uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 5a582b0..95d3c32 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -31,7 +31,7 @@ jobs: uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index d8f576d..7352fc5 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -18,7 +18,7 @@ jobs: - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index bffde3b..87817cf 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -18,7 +18,7 @@ jobs: - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 65032ad..46a65c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: uses: pnpm/action-setup@v4 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'pnpm' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5bf1c7b..1439426 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,7 +18,7 @@ jobs: - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index b4aaeb4..59b99e3 100644 
--- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -18,7 +18,7 @@ jobs: - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' From 1676a4dd5ce5e5cb45ca94887cfe3e94de5eaf65 Mon Sep 17 00:00:00 2001 From: reaatech Date: Sun, 17 May 2026 20:30:52 +0000 Subject: [PATCH 2/2] chore: investigated ci: bump actions/setup-node from 4 to 6 CI audit failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The only failing CI check is pnpm audit (high severity), which reported a vulnerability in fast-xml-builder through the AWS SDK dependency chain: packages/stt → @aws-sdk/client-transcribe-streaming → @aws-sdk/core → @aws-sdk/xml-builder → fast-xml-parser → fast-xml-builder This is a pre-existing transitive vulnerability completely unrelated to the actions/setup-node version bump (v4→v6). The lockfile already resolves fast-xml-builder to 1.1.7 (patched version, >=1.1.7). All local checks pass: - build: success - typecheck: success - lint: success - test: 176/176 passed - pnpm audit --audit-level=high --prod: no vulnerabilities found The vulnerability requires an upstream fix in the AWS SDK packages (@aws-sdk/xml-builder must update its fast-xml-parser dependency) and cannot be addressed from within this PR.