fix: update flatted to 3.4.2 to fix prototype pollution (GHSA-rf6f-7fwh-wjgh)

* block checking out fork pr for some events

* address copilot and reviewer feedback

* run prettier formatting

* build

* update urls

* update readme

* update description and url again

* edit url one more time

README.md

@@ -162,8 +162,11 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     github-server-url: ''
 
     # Required to check out fork pull request code from a workflow triggered by
-    # `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
-    # the risks. Set to `true` only after reviewing the risks.
+    # `pull_request_target` or `workflow_run`. These workflows run with the base
+    # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
+    # access; fetching and executing a fork's code in that trusted context commonly
+    # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
+    # risks at https://gh.io/securely-using-pull_request_target.
     # Default: false
     allow-unsafe-pr-checkout: ''
 ```

action.yml

@@ -101,8 +101,11 @@ inputs:
   allow-unsafe-pr-checkout:
     description: >
       Required to check out fork pull request code from a workflow triggered by
-      `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
-      for the risks. Set to `true` only after reviewing the risks.
+      `pull_request_target` or `workflow_run`. These workflows run with the
+      base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
+      runner access; fetching and executing a fork's code in that trusted
+      context commonly leads to "pwn request" vulnerabilities. Set to `true`
+      only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
     default: false
 outputs:
   ref:

dist/index.js

@@ -2822,8 +2822,7 @@ function assertSafePrCheckout(input) {
     // (B) We cannot check for all fork PR refs so check to see
     // if the resolved input points to the fork PR sha we have in the payload
     const repositoryMatchesPrHead = typeof prHeadRepoFullName === 'string' &&
-        input.qualifiedRepository.toLowerCase() ===
-            prHeadRepoFullName.toLowerCase();
+        input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase();
     const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref);
     const commitMatchesPrHeadSha = !!input.commit && prShas.includes(input.commit.toLowerCase());
     if (!repositoryMatchesPrHead &&
@@ -2833,8 +2832,9 @@ function assertSafePrCheckout(input) {
     }
     throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
         `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-        `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
-        `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
+        `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
+        `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+        `the risks at https://gh.io/securely-using-pull_request_target, set ` +
         `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {

package-lock.json

@@ -14,6 +14,7 @@
         "@actions/github": "^6.0.0",
         "@actions/io": "^1.1.3",
         "@actions/tool-cache": "^2.0.1",
+        "flatted": "^3.4.2",
         "uuid": "^9.0.1"
       },
       "devDependencies": {
@@ -3590,10 +3591,10 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
-      "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
-      "dev": true
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "license": "ISC"
     },
     "node_modules/for-each": {
       "version": "0.3.3",

package.json

@@ -33,6 +33,7 @@
     "@actions/github": "^6.0.0",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.1",
+    "flatted": "^3.4.2",
     "uuid": "^9.0.1"
   },
   "devDependencies": {

src/unsafe-pr-checkout-helper.ts

@@ -74,8 +74,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
   throw new Error(
     `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
       `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-      `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
-      `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
+      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
+      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+      `the risks at https://gh.io/securely-using-pull_request_target, set ` +
       `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
   )
 }