updating release info

replacing exec with execFile for security
testing commit
2022-12-07 18:49:57 +00:00 · 2022-12-07 18:19:23 +00:00 · 2022-12-07 18:11:37 +00:00
3 changed files with 5 additions and 4 deletions
--- a/packages/io/RELEASES.md
+++ b/packages/io/RELEASES.md
@ -1,5 +1,7 @@
 # @actions/io Releases

+### 1.1.3
+- [Fixed a security bug where we used child_proccess.exec instead of execFile for windows](https://github.com/actions/toolkit/pull/1255)
 ### 1.1.2
 - Update `lockfileVersion` to `v2` in `package-lock.json [#1020](https://github.com/actions/toolkit/pull/1020) 

--- a/packages/io/package.json
+++ b/packages/io/package.json
@ -1,6 +1,6 @@
 {
  "name": "@actions/io",
-  "version": "1.1.2",
+  "version": "1.1.3",
  "description": "Actions io lib",
  "keywords": [
    "github",
--- a/packages/io/src/io.ts
+++ b/packages/io/src/io.ts
@ -4,7 +4,6 @@ import * as path from 'path'
 import {promisify} from 'util'
 import * as ioUtil from './io-util'

-const exec = promisify(childProcess.exec)
 const execFile = promisify(childProcess.execFile)

 /**
@ -129,11 +128,11 @@ export async function rmRF(inputPath: string): Promise<void> {
    try {
      const cmdPath = ioUtil.getCmdPath()
      if (await ioUtil.isDirectory(inputPath, true)) {
-        await exec(`${cmdPath} /s /c "rd /s /q "%inputPath%""`, {
+        await execFile(`${cmdPath} /s /c "rd /s /q "%inputPath%""`, {
          env: {inputPath}
        })
      } else {
-        await exec(`${cmdPath} /s /c "del /f /a "%inputPath%""`, {
+        await execFile(`${cmdPath} /s /c "del /f /a "%inputPath%""`, {
          env: {inputPath}
        })
      }
Author	SHA1	Message	Date
Vallie Joseph	19d5d6138b	updating release info	2022-12-07 18:49:57 +00:00
Vallie Joseph	aee8700cae	replacing exec with execFile for security	2022-12-07 18:19:23 +00:00
Vallie Joseph	b56e7fcd67	testing commit	2022-12-07 18:11:37 +00:00