pytorch_geometric is using a compromised tj-actions/changed-files GitHub action #10119

Closed
eslerm opened this issue Mar 15, 2025 · 2 comments
eslerm commented Mar 15, 2025

pytorch_geometric uses a compromised version of tj-actions/changed-files. The compromised action appears to leak secrets the runner has in memory.

The action is included in:

Output of an affected run:

Please review.

Learn about the compromise on StepSecurity or Semgrep.

eslerm added the bug label Mar 15, 2025
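The issue report lists the workflow files that pull in tj-actions/changed-files (the list itself is not preserved in this copy of the page). The following script is an added example, not code from the issue or from pytorch_geometric: it scans GitHub Actions workflow text for `uses:` lines that reference that action and reports which git ref each one resolves through. A 40-hex commit SHA pins a fixed tree; a tag or branch name is a mutable pointer that a compromise of the action's repository can redirect, which is why the maintainer's reply above distinguishes tag versions that have since been re-pointed to safe commits. The sample workflow embedded below is constructed for the demonstration and does not reflect pytorch_geometric's real CI configuration.

```python
import re
import sys
from pathlib import Path

# Action discussed in the issue. Matches both "- uses: ..." and "  uses: ..."
# forms, with or without quotes; group 1 captures the ref after '@'.
ACTION = "tj-actions/changed-files"
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?" + re.escape(ACTION) + r"@([^'\"\s#]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Classify the git ref used to pull the action.

    'sha'    - full 40-hex commit id (immutable)
    'tag'    - looks like a version tag such as v44 or 44.5.1 (mutable;
               heuristic: starts with 'v' or a digit)
    'branch' - anything else, e.g. main (mutable)
    """
    if SHA_RE.match(ref):
        return "sha"
    if ref.startswith("v") or ref[:1].isdigit():
        return "tag"
    return "branch"


def audit_workflow_text(text, name="<inline>"):
    """Return one finding per reference to ACTION in a workflow's text."""
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(
            {"file": name, "line": line_no, "ref": ref, "kind": classify_ref(ref)}
        )
    return findings


def needs_review(findings):
    """Findings that do not pin an immutable commit SHA."""
    return [f for f in findings if f["kind"] != "sha"]


def audit_workflow_dir(root):
    """Audit every *.yml / *.yaml under root/.github/workflows."""
    findings = []
    wf_dir = Path(root) / ".github" / "workflows"
    for path in sorted(wf_dir.glob("*.y*ml")):
        findings.extend(audit_workflow_text(path.read_text(), str(path)))
    return findings


# Constructed sample workflow (not pytorch_geometric's): one tag ref, one SHA ref.
SAMPLE_WORKFLOW = """\
name: CI
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v44
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""


if __name__ == "__main__":
    # With a repository path as argv[1], audit its workflows; otherwise run on
    # the constructed sample so the script demonstrates itself offline.
    found = audit_workflow_dir(sys.argv[1]) if len(sys.argv) > 1 \
        else audit_workflow_text(SAMPLE_WORKFLOW, "sample.yml")
    for f in found:
        flag = "" if f["kind"] == "sha" else "  <- mutable ref, review"
        print(f"{f['file']}:{f['line']}: {ACTION}@{f['ref']} ({f['kind']}){flag}")
```

Run it as `python audit.py /path/to/repo` against a checkout. The script only reports where the action is referenced and how it is pinned; whether a given tag currently points at a safe commit has to be checked against the upstream advisory, as the maintainer's reply does.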
xnuohz (Contributor) commented Mar 27, 2025

Will be fixed in #10097. Does it meet your requirement?

akihironitta (Member) commented
If you are using tagged versions (e.g., v35, v44.5.1), no action is required as these tags have been updated and are now safe to use.

GHSA-mw4p-6x4p-x5m5

akihironitta closed this as not planned Mar 27, 2025