eslint-formatter-github - allows manipulating the GitHub action check and view metadata

[waigel]

You use the library (eslint-formatter-github) in several repositories, which has a hard-coded private key to the authorized GitHub app in the source code. This is a possible security vulnerability. The certificate gives every user read/write permissions to your GitHub actions check. In addition, metadata from non-public repositories can also be viewed.

Attached is a list of all the repositories that you have granted access:

sumup-oss/.github
sumup-oss/assets
sumup-oss/basic-project
sumup-oss/circuit-ui
sumup-oss/collector
sumup-oss/design-tokens
sumup-oss/foundry
sumup-oss/go-pkgs
sumup-oss/gocat
sumup-oss/icons
sumup-oss/intl-js
sumup-oss/janos
sumup-oss/ot
sumup-oss/performance-observer
sumup-oss/signal
sumup-oss/simeon
sumup-oss/terraform-provider-vaulted
sumup-oss/terraform-provider-vaulted-tfe
sumup-oss/vaulted
sumup-oss/website

sumup/circuit-ui-form
sumup/documentation
sumup/invoices-email-template
sumup/invoices-onboarding-api
sumup/user-tracking
sumup/ze-dashboard

Source: https://github.com/hipstersmoothie/eslint-formatter-github/blob/master/src/create-check.ts#L20

[github-actions]

🎉 This issue has been resolved in version 5.2.0-canary.1 🎉

The release is available on:

• npm package (@canary dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[connor-baer]

The vulnerable dependencies have been removed in https://github.com/sumup-oss/foundry/releases/tag/v6.0.0. Thank you, @waigel!