chore(devdeps): update dawidd6/action-download-artifact action to v6 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
dawidd6/action-download-artifact	action	major	v3 → v6

---

Artifact poisoning vulnerability in action-download-artifact v5 and earlier

GHSA-5xr6-xhww-33m4

More information

Details

Summary

In versions of dawidd6/action-download-artifact before v6, a repository's forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.

Users should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set allow_forks: false to disable searching forks for artifacts.

Details

GitHub's artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the "latest" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream.

Because any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):

1. Repository alice/foo runs build.yml, producing build.exe
2. Repository alice/foo runs publish.yml, which uses action-download-artifact@v5 to retrieve the latest build.exe from build.yml

To compromise publish.yml in this scenario, Mallory forks alice/foo to mallory/foo, and then modifies build.yml to produce a compromised build.exe. Mallory can then repeatedly trigger their copy of build.yml to ensure that their compromised build.exe is always the latest artifact, meaning that Alice's publish.yml will retrieve it.

Additional details on this vulnerability can be found in this blog post from 2022:

• https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust

Impact

This vulnerability impacts all repositories on GitHub that use action-download-artifacts@v5 or older and do not disable allow_forks: true, which is the default.

If a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as push or pull_request_target).

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/dawidd6/action-download-artifact/security/advisories/GHSA-5xr6-xhww-33m4
• https://github.com/dawidd6/action-download-artifact/commit/bf251b5aa9c2f7eeb574a96ee720e24f801b7c11
• https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
• https://github.com/advisories/GHSA-5xr6-xhww-33m4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

dawidd6/action-download-artifact (dawidd6/action-download-artifact)

v6

Compare Source

Full Changelog: dawidd6/action-download-artifact@v5...v6

v5

Compare Source

Full Changelog: dawidd6/action-download-artifact@v4...v5

v4

Compare Source

What's Changed

• VERSIONING CHANGE: now there will only be major releases of this action, e.g. v5, v6 and so on
• build(deps): bump undici from 5.28.3 to 5.28.4 by @​dependabot in #​284
• build(deps): bump @​actions/artifact from 2.1.4 to 2.1.5 by @​dependabot in #​285
• build(deps): bump @​actions/artifact from 2.1.5 to 2.1.7 by @​dependabot in #​287
• build(deps): bump adm-zip from 0.5.12 to 0.5.13 by @​dependabot in #​289
• Set allow_forks to false by default by @​timweri in #​290

New Contributors

• @​timweri made their first contribution in #​290

Full Changelog: dawidd6/action-download-artifact@v3...v4

v3.1.4

Compare Source

What's Changed

• build(deps): bump adm-zip from 0.5.10 to 0.5.12 by @​dependabot in #​282
• build(deps): bump @​actions/artifact from 2.1.2 to 2.1.4 by @​dependabot in #​280
• fix: accept expired artifacts with documentation url by @​wdconinc in #​283

New Contributors

• @​wdconinc made their first contribution in #​283

Full Changelog: dawidd6/action-download-artifact@v3...v3.1.4

v3.1.3

Compare Source

What's Changed

• node_modules: upgrade by @​dawidd6 in #​276
• build(deps): bump @​actions/artifact from 2.1.1 to 2.1.2 by @​dependabot in #​277

Full Changelog: dawidd6/action-download-artifact@v3.1.2...v3.1.3

v3.1.2

Compare Source

What's Changed

• Read workflow_search input as a boolean by @​klutchell in #​273

New Contributors

• @​klutchell made their first contribution in #​273

Full Changelog: dawidd6/action-download-artifact@v3.1.1...v3.1.2

v3.1.1

Compare Source

What's Changed

• Head sha revert by @​romangg in #​271
• build(deps): bump undici from 5.28.2 to 5.28.3 by @​dependabot in #​272

Full Changelog: dawidd6/action-download-artifact@v3...v3.1.1

v3.1.0

Compare Source

What's Changed

• build(deps): bump @​actions/artifact from 2.0.0 to 2.0.1 by @​dependabot in #​267
• build(deps): bump actions/upload-artifact from 3 to 4 by @​dependabot in #​264
• build(deps): bump @​actions/artifact from 2.0.1 to 2.1.1 by @​dependabot in #​269
• Optionally search for workflows by @​romangg in #​270

New Contributors

• @​romangg made their first contribution in #​270

Full Changelog: dawidd6/action-download-artifact@v3...v3.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a4a31c0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 39f84de

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test typecheck e2e-ci	✅ Succeeded	1m 9s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-27 19:06:47 UTC

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 15.67%. Comparing base (5d6747a) to head (a4a31c0).
⚠️ Report is 37 commits behind head on main.

❌ Your project status has failed because the head coverage (15.67%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #577       +/-   ##
===========================================
- Coverage   70.90%   15.67%   -55.23%     
===========================================
  Files          53      154      +101     
  Lines        2021    26664    +24643     
  Branches      377     1127      +750     
===========================================
+ Hits         1433     4180     +2747     
- Misses        588    22484    +21896     

see 101 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@577

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@577

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@577

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@577

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@577

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@577

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@577

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@577

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@577

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@577

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@577

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@577

commit: a4a31c0

[github-actions]

Deployed 8f2551e to https://ForgeRock.github.io/ping-javascript-sdk/pr-577/8f2551ee326d3a9faa56cb83501b6b17937eb7e7 branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🆕 New Packages

🆕 @forgerock/device-client - 0.0 KB (new)
🆕 @forgerock/device-client - 9.9 KB (new)
🆕 @forgerock/davinci-client - 48.0 KB (new)
🆕 @forgerock/oidc-client - 25.2 KB (new)
🆕 @forgerock/sdk-utilities - 11.2 KB (new)
🆕 @forgerock/sdk-types - 7.9 KB (new)
🆕 @forgerock/protect - 150.1 KB (new)
🆕 @forgerock/journey-client - 0.0 KB (new)
🆕 @forgerock/journey-client - 89.9 KB (new)
🆕 @forgerock/storage - 1.5 KB (new)
🆕 @forgerock/sdk-oidc - 4.8 KB (new)
🆕 @forgerock/sdk-request-middleware - 4.5 KB (new)
🆕 @forgerock/sdk-logger - 1.6 KB (new)
🆕 @forgerock/iframe-manager - 2.4 KB (new)

---

14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}