The release is aimed at patching a security vulnerability in one of the dependencies listed in
requirements.txt, the manifest of the Python dependencies used by the action.
The vulnerability allowed reading any file on the filesystem accessible to the code using the component, since the component could include/inline other files from the file system without confining the include path.
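To make the class of bug concrete, here is an added illustration (not code from pymdown-extensions, the action, or the NIST entry) of the two ways an include/snippet feature can resolve a requested file against its base directory: a naive join that lets `../` walk anywhere the process can read, and a restricted resolution that refuses anything outside the base. The base path and file names are constructed for the example.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example base directory: the only place an include/snippet
# feature should be allowed to read from. It does not need to exist for
# the path logic below to be demonstrated.
SNIPPET_BASE = "/srv/docs/snippets"


def resolve_include_naive(base_path: str, snippet: str) -> str:
    """Vulnerable pattern: join the requested name onto the base and trust
    the result. A snippet name containing '../' segments walks out of the
    base directory, so any readable file becomes includable."""
    return os.path.normpath(os.path.join(base_path, snippet))


def resolve_include_restricted(base_path: str, snippet: str) -> Optional[str]:
    """Hardened pattern: resolve both the base and the candidate (following
    symlinks) and require the candidate to remain inside the base.
    Returns None when the include would escape, including absolute paths,
    which pathlib treats as replacing the base entirely."""
    base = Path(base_path).resolve()
    candidate = (base / snippet).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return str(candidate)


if __name__ == "__main__":
    for name in ("intro.md", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: naive -> {resolve_include_naive(SNIPPET_BASE, name)}, "
              f"restricted -> {resolve_include_restricted(SNIPPET_BASE, name)}")
```

The check is done on the resolved path rather than on the raw string, so `..` segments, redundant separators and symlinks that point outside the base are all caught by the same comparison.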
Example lifted from NIST
Perhaps exploitation of the vulnerability would be limited in a GitHub Actions context, but there is no reason to leave the vulnerability open, so the action has been updated.
As outlined in the post on release 0.31.0, I am behind on patching or lifting users of end-of-life versions to more contemporary versions.
With this release I have indicated that an update is recommended (as I recommend in my post on writing change logs), but I am not sure I have the bandwidth to create PRs for all using repositories leading up to release 0.32.0, so I will stick to repositories on releases 0.24.0 and below, since these are EOL.
Even though I am not so keen on the idea of using the canonical version tag (v0 etc.), it could also be an approach, and I will mention this in my PRs.
Luckily today is a national holiday in Denmark, so I could sit down and do this in a nice and quiet manner; security issues are always a bit stressful.
@dependabot raised an alert for the dependency pymdown-extensions. The vulnerability is labelled CVE-2023-32309. The issue has been present in pymdown-extensions since version 1.5.0 and is patched in version 10.0.
Snyk has provided a patch via PR #158, which has been tested, and no regressions have been observed, even with the version leap for pymdown-extensions from 8.2 to 10.0. The GitHub Action has been updated to use the patched version; even though the action makes no direct use of the vulnerable code, we do not want to be the source of a vulnerability.
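The alert boils down to a range check against the pinned version in requirements.txt, which is worth being able to repeat locally when deciding whether a downstream repository needs a PR. The following is an added example, not the action's own code or Snyk's patch: it parses a constructed requirements.txt (the real manifest is not reproduced here), tests the exact pin against the affected range given above (>= 1.5.0, < 10.0), and rewrites the pin to the fixed version. Only `==` pins are judged; a package that is missing or pinned with a range is reported as unpinned, because a range cannot be declared safe from the manifest alone.

```python
import re
from typing import Optional, Tuple

# Constructed sample manifest for the example; not the action's requirements.txt.
REQUIREMENTS = """\
# pinned dependencies for the action
markdown==3.4.3
pymdown-extensions==8.2
pyyaml>=6.0
"""

# Affected range for CVE-2023-32309 as stated in the post: >= 1.5.0 and < 10.0.
VULN_PACKAGE = "pymdown-extensions"
VULN_INTRODUCED = (1, 5, 0)
VULN_FIXED = (10, 0, 0)

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.2' or '10.0.1' into a zero-padded tuple so that tuples compare
    numerically (string comparison would put '8.2' after '10.0')."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def pinned_version(requirements: str, package: str) -> Optional[str]:
    """Return the version pinned with '==' for `package`, or None if the
    package is absent or not pinned exactly. Names are normalised the way
    pip does (case-insensitive, '_' and '-' equivalent)."""
    wanted = package.lower().replace("_", "-")
    for name, version in PIN_RE.findall(requirements):
        if name.lower().replace("_", "-") == wanted:
            return version
    return None


def is_vulnerable(version: str) -> bool:
    """True when `version` lies inside the affected half-open range."""
    return VULN_INTRODUCED <= parse_version(version) < VULN_FIXED


def check_manifest(requirements: str) -> str:
    """Classify a manifest as 'vulnerable', 'patched' or 'unpinned'."""
    version = pinned_version(requirements, VULN_PACKAGE)
    if version is None:
        return "unpinned"
    return "vulnerable" if is_vulnerable(version) else "patched"


def bump_pin(requirements: str, package: str, new_version: str) -> str:
    """Rewrite the '==' pin of `package` to `new_version`, leaving every
    other line (comments, other packages) untouched."""
    pat = re.compile(r"^(\s*" + re.escape(package) + r"\s*==\s*)[0-9.]+", re.M)
    return pat.sub(lambda m: m.group(1) + new_version, requirements)


if __name__ == "__main__":
    print("before:", check_manifest(REQUIREMENTS))
    fixed = bump_pin(REQUIREMENTS, VULN_PACKAGE, "10.0")
    print("after: ", check_manifest(fixed))
    print(fixed)
```

The same check, run over each downstream repository's requirements.txt, gives the list of repositories that actually carry the vulnerable pin and therefore need a PR, rather than relying on the action's release number alone.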