Bump @actions/http-client from 3.0.2 to 4.0.1

Bumps [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client) from 3.0.2 to 4.0.1. - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client) --- updated-dependencies: - dependency-name: "@actions/http-client" dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
fix: reject non-semver candidate versions in isVersionSatisfies (#1009 )
2026-06-22 07:49:42 +00:00 · 2026-06-22 03:42:29 +00:00 · 2026-06-17 22:47:02 -05:00 · 2026-06-17 07:58:23 -07:00 · 2026-06-17 07:52:02 -07:00
7 changed files with 66 additions and 6 deletions
@@ -10,5 +10,9 @@ on:

 jobs:
  call-codeQL-analysis:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
    name: CodeQL analysis
    uses: actions/reusable-workflows/.github/workflows/codeql-analysis.yml@main
@@ -29,7 +29,11 @@ describe('isVersionSatisfies', () => {
    ['2.5.1+3', '2.5.1+3', true],
    ['2.5.1+3', '2.5.1+2', false],
    ['15.0.0+14', '15.0.0+14.1.202003190635', false],
-    ['15.0.0+14.1.202003190635', '15.0.0+14.1.202003190635', true]
+    ['15.0.0+14.1.202003190635', '15.0.0+14.1.202003190635', true],
+    // 4-segment versions (e.g. JetBrains Runtime '17.0.8.1+1080.1') are not
+    // valid semver — they should be rejected, not throw.
+    ['25.0.3+480.61', '17.0.8.1+1080.1', false],
+    ['17', '17.0.8.1+1080.1', false]
  ])(
    '%s, %s -> %s',
    (inputRange: string, inputVersion: string, expected: boolean) => {
@@ -52208,6 +52208,13 @@ function getDownloadArchiveExtension() {
 exports.getDownloadArchiveExtension = getDownloadArchiveExtension;
 function isVersionSatisfies(range, version) {
    var _a;
+    // Some distributions (e.g. JetBrains Runtime) publish 4-segment versions
+    // like '17.0.8.1+1080.1' that semver rejects. If the candidate version
+    // isn't valid semver, it can't match — bail out rather than letting
+    // compareBuild / satisfies throw.
+    if (!semver.valid(version)) {
+        return false;
+    }
    if (semver.valid(range)) {
        // if full version with build digit is provided as a range (such as '1.2.3+4')
        // we should check for exact equal via compareBuild
@@ -81039,6 +81039,13 @@ function getDownloadArchiveExtension() {
 exports.getDownloadArchiveExtension = getDownloadArchiveExtension;
 function isVersionSatisfies(range, version) {
    var _a;
+    // Some distributions (e.g. JetBrains Runtime) publish 4-segment versions
+    // like '17.0.8.1+1080.1' that semver rejects. If the candidate version
+    // isn't valid semver, it can't match — bail out rather than letting
+    // compareBuild / satisfies throw.
+    if (!semver.valid(version)) {
+        return false;
+    }
    if (semver.valid(range)) {
        // if full version with build digit is provided as a range (such as '1.2.3+4')
        // we should check for exact equal via compareBuild
@@ -13,7 +13,7 @@
        "@actions/core": "^2.0.3",
        "@actions/exec": "^2.0.0",
        "@actions/glob": "^0.5.1",
-        "@actions/http-client": "^3.0.2",
+        "@actions/http-client": "^4.0.1",
        "@actions/io": "^2.0.0",
        "@actions/tool-cache": "^3.0.1",
        "semver": "^7.6.0",
@@ -67,6 +67,16 @@
        "semver": "^6.3.1"
      }
    },
+    "node_modules/@actions/cache/node_modules/@actions/http-client": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
+      "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^6.23.0"
+      }
+    },
    "node_modules/@actions/cache/node_modules/semver": {
      "version": "6.3.1",
      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
@@ -85,6 +95,16 @@
        "@actions/http-client": "^3.0.2"
      }
    },
+    "node_modules/@actions/core/node_modules/@actions/http-client": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
+      "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^6.23.0"
+      }
+    },
    "node_modules/@actions/exec": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz",
@@ -105,9 +125,9 @@
      }
    },
    "node_modules/@actions/http-client": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
-      "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.1.tgz",
+      "integrity": "sha512-+Nvd1ImaOZBSoPbsUtEhv+1z99H12xzncCkz0a3RuehINE81FZSe2QTj3uvAPTcJX/SCzUQHQ0D1GrPMbrPitg==",
      "license": "MIT",
      "dependencies": {
        "tunnel": "^0.0.6",
@@ -133,6 +153,16 @@
        "semver": "^6.1.0"
      }
    },
+    "node_modules/@actions/tool-cache/node_modules/@actions/http-client": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
+      "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^6.23.0"
+      }
+    },
    "node_modules/@actions/tool-cache/node_modules/semver": {
      "version": "6.3.1",
      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
@@ -33,7 +33,7 @@
    "@actions/core": "^2.0.3",
    "@actions/exec": "^2.0.0",
    "@actions/glob": "^0.5.1",
-    "@actions/http-client": "^3.0.2",
+    "@actions/http-client": "^4.0.1",
    "@actions/io": "^2.0.0",
    "@actions/tool-cache": "^3.0.1",
    "semver": "^7.6.0",
@@ -55,6 +55,14 @@ export function getDownloadArchiveExtension() {
 }

 export function isVersionSatisfies(range: string, version: string): boolean {
+  // Some distributions (e.g. JetBrains Runtime) publish 4-segment versions
+  // like '17.0.8.1+1080.1' that semver rejects. If the candidate version
+  // isn't valid semver, it can't match — bail out rather than letting
+  // compareBuild / satisfies throw.
+  if (!semver.valid(version)) {
+    return false;
+  }
+
  if (semver.valid(range)) {
    // if full version with build digit is provided as a range (such as '1.2.3+4')
    // we should check for exact equal via compareBuild
Author	SHA1	Message	Date
dependabot[bot]	08426192c9	Bump @actions/http-client from 3.0.2 to 4.0.1 Bumps [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client) from 3.0.2 to 4.0.1. - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client) --- updated-dependencies: - dependency-name: "@actions/http-client" dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-22 03:42:29 +00:00
Sean Proctor	baa1691374	fix: reject non-semver candidate versions in isVersionSatisfies (#1009 ) Distributions like JetBrains Runtime publish 4-segment versions such as '17.0.8.1+1080.1' that the semver package rejects. Both compareBuild and satisfies throw on these, which surfaced to users as "Error: Invalid Version: 17.0.8.1+1080.1" and aborted the whole install when any available version was non-semver. Guard with an early semver.valid check so unparseable versions are treated as a non-match. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-17 22:47:02 -05:00
George Adams	bc52a13212	fix CodeQL permissions (#1025 )	2026-06-17 07:58:23 -07:00
Josh Soref	c9b6aee07e	Fix codeql workflow permissions (#993 ) Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2026-06-17 07:52:02 -07:00