Merge d722552897 into 668228422a

Merge pull request #1738 from actions/prepare-v5.0.4
Update dependencies & patch security vulnerabilities
2026-05-13 21:38:06 +00:00 · 2026-03-31 14:28:09 +00:00 · 2026-03-18 16:03:49 +01:00 · 2026-03-18 07:03:52 -07:00 · 2026-03-18 06:34:30 -07:00 · 2026-03-18 06:29:24 -07:00
13 changed files with 1110 additions and 484 deletions
--- a/.licenses/npm/fast-xml-builder.dep.yml
+++ b/.licenses/npm/fast-xml-builder.dep.yml
--- a/.licenses/npm/fast-xml-parser.dep.yml
+++ b/.licenses/npm/fast-xml-parser.dep.yml
--- a/.licenses/npm/minimatch.dep.yml
+++ b/.licenses/npm/minimatch.dep.yml
--- a/.licenses/npm/path-expression-matcher.dep.yml
+++ b/.licenses/npm/path-expression-matcher.dep.yml
--- a/.licenses/npm/undici.dep.yml
+++ b/.licenses/npm/undici.dep.yml
--- a/RELEASES.md
+++ b/RELEASES.md
@ -25,6 +25,12 @@

 ## Changelog

+### 5.0.4
+
+- Bump `minimatch` to v3.1.5 (fixes ReDoS via globstar patterns)
+- Bump `undici` to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
+- Bump `fast-xml-parser` to v5.5.6
+
 ### 5.0.3

 - Bump `@actions/cache` to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
--- a/caching-strategies.md
+++ b/caching-strategies.md
@ -165,6 +165,10 @@ steps:
    run: /publish.sh
 ```

+> [!IMPORTANT]
+> 
+> The `path` must match on both the centralized job and the target job, otherwise there will be no cache-hit whatsoever. Also take notes of the [restrictions for accessing caches across workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache).  
+
 ### Failing/Exiting the workflow if cache with exact key is not found

 You can use the output of this action to exit the workflow on cache miss. This way you can restrict your workflow to only initiate the build when `cache-hit` occurs, in other words, cache with exact key is found.
--- a/dist/restore-only/index.js
+++ b/dist/restore-only/index.js
--- a/dist/restore/index.js
+++ b/dist/restore/index.js
--- a/dist/save-only/index.js
+++ b/dist/save-only/index.js
--- a/dist/save/index.js
+++ b/dist/save/index.js
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "cache",
-  "version": "5.0.2",
+  "version": "5.0.4",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "cache",
-      "version": "5.0.2",
+      "version": "5.0.4",
      "license": "MIT",
      "dependencies": {
        "@actions/cache": "^5.0.5",
@ -1875,13 +1875,13 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
      "dev": true,
      "license": "ISC",
      "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
@ -2008,9 +2008,9 @@
      }
    },
    "node_modules/ajv": {
-      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+      "version": "6.14.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -3741,10 +3741,10 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/fast-xml-parser": {
-      "version": "5.3.3",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.3.tgz",
-      "integrity": "sha512-2O3dkPAAC6JavuMm8+4+pgTk+5hoAs+CjZ+sWcQLkX9+/tHRuTkQh/Oaifr8qDmZ8iEHb771Ea6G8CdwkrgvYA==",
+    "node_modules/fast-xml-builder": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
+      "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
      "funding": [
        {
          "type": "github",
@ -3753,7 +3753,24 @@
      ],
      "license": "MIT",
      "dependencies": {
-        "strnum": "^2.1.0"
+        "path-expression-matcher": "^1.1.3"
+      }
+    },
+    "node_modules/fast-xml-parser": {
+      "version": "5.5.6",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.6.tgz",
+      "integrity": "sha512-3+fdZyBRVg29n4rXP0joHthhcHdPUHaIC16cuyyd1iLsuaO6Vea36MPrxgAzbZna8lhvZeRL8Bc9GP56/J9xEw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "fast-xml-builder": "^1.1.4",
+        "path-expression-matcher": "^1.1.3",
+        "strnum": "^2.1.2"
      },
      "bin": {
        "fxparser": "src/cli/cli.js"
@ -3838,9 +3855,9 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
      "dev": true,
      "license": "ISC"
    },
@ -5805,9 +5822,9 @@
      }
    },
    "node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^1.1.7"
@ -6141,6 +6158,21 @@
        "node": ">=8"
      }
    },
+    "node_modules/path-expression-matcher": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.1.3.tgz",
+      "integrity": "sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
    "node_modules/path-is-absolute": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@ -7462,9 +7494,9 @@
      }
    },
    "node_modules/undici": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
-      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "version": "6.24.1",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
+      "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
      "license": "MIT",
      "engines": {
        "node": ">=18.17"
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "cache",
-  "version": "5.0.3",
+  "version": "5.0.4",
  "private": true,
  "description": "Cache dependencies and build outputs",
  "main": "dist/restore/index.js",
Author	SHA1	Message	Date
Matthias Benkort	da84ab8aa4	Merge `d722552897` into `668228422a`	2026-03-31 14:28:09 +00:00
Bassem Dghaidi	668228422a	Merge pull request #1738 from actions/prepare-v5.0.4 Some checks failed Check dist content / Check dist/ (push) Has been cancelled Details Code scanning / CodeQL-Build (push) Has been cancelled Details License check / Check licenses (push) Has been cancelled Details Tests / build (macOS-latest) (push) Has been cancelled Details Tests / build (ubuntu-latest) (push) Has been cancelled Details Tests / build (windows-latest) (push) Has been cancelled Details Tests / test-save (macOS-latest) (push) Has been cancelled Details Tests / test-save (ubuntu-latest) (push) Has been cancelled Details Tests / test-save (windows-latest) (push) Has been cancelled Details Tests / test-proxy-save (push) Has been cancelled Details Tests / test-restore (macOS-latest) (push) Has been cancelled Details Tests / test-restore (ubuntu-latest) (push) Has been cancelled Details Tests / test-restore (windows-latest) (push) Has been cancelled Details Tests / test-proxy-restore (push) Has been cancelled Details Update dependencies & patch security vulnerabilities	2026-03-18 16:03:49 +01:00
Bassem Dghaidi	e34039626f	Update RELEASES	2026-03-18 07:03:52 -07:00
Bassem Dghaidi	8a67110529	Add licenses	2026-03-18 06:34:30 -07:00
Bassem Dghaidi	1865903e1b	Update dependencies & patch security vulnerabilities	2026-03-18 06:29:24 -07:00
Matthias Benkort	d722552897	Document `path` behaviour and access restrictions Thanks to this comment which saved me some headache: https://github.com/actions/cache/issues/1491#issuecomment-2450718907 related to #1561. related to #1491. related to #1426.	2025-03-07 11:04:57 +01:00