@actions/cache@4.0.0 triggers SNYK-JS-INFLIGHT-6095116 vulnerability warning

[MikeMcC399]

@actions/cache@4.0.0 is triggering a vulnerability warning https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

The dependencies are

└─┬ @actions/cache@4.0.0
  └─┬ twirp-ts@2.5.0
    └─┬ dot-object@2.1.5
      └─┬ glob@7.2.3
        └── inflight@1.0.6

• This depends on issue Memory leak in inflight dependency rhalff/dot-object#83 which would need to update to minimum https://github.com/isaacs/node-glob/releases/tag/v9.0.0 to remove inflight.

$ npm view glob@7.2.3 deprecated
Glob versions prior to v9 are no longer supported
$ npm view inflight deprecated
This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

[MikeMcC399]

The supportability of twirp-ts and its transient dependencies appears to be questionable:

• https://github.com/hopin-team/twirp-ts shows no option to log an issue. The last release was twirp-ts@2.5.0 in Apr 2022. The Build & Test workflow twirp-ts.yaml is testing against the End-of-Life Node.js versions 14.x and 15.x only.

• dot-object has open issues:

  • Is this lib still maintained ? rhalff/dot-object#86
  • Memory leak in inflight dependency rhalff/dot-object#83
  • Non-working CI workflow (Travis and CircleCI) rhalff/dot-object#88

twirp-ts was introduced by @actions/cache@4.0.0 and was not used by @actions/cache@3.2.0. Deprecations have been introduced through @actions/cache@4.0.0.

Logs

@actions/cache@3.3.0

$ npm install @actions/cache@3

added 61 packages, and audited 62 packages in 3s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

@actions/cache@4.0.0

$ npm install @actions/cache@4
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

added 25 packages, changed 1 package, and audited 87 packages in 2s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

[MikeMcC399]

The maintainers of twirp-ts state in hopin-team/twirp-ts#73 (comment)

This package is in maintenance mode and we don't plan to do any new releases.
Our suggestion is that you fork the repo or find another fork that has been actively maintained.

The addition of twirp-ts to @actions/cache@4.0.0 is therefore problematic.

I ran their CI workflow twirp-ts.yaml (Build & Test) against Node.js 18 - 23. The workflow passes on Node.js 18 and fails on higher versions 20 - 23. This is also not good.

[MikeMcC399]

• This issue has been acknowledged in @actions/cache Package Deprecation Notice. Upgrade to the latest `4.0.0` or higher before February 1st 2025 #1890

[robherley]

@actions/cache@4.0.1 is released and it removes the runtime dependency on twirp-ts. Thanks for reporting!