fix(deps): update dependency @actions/artifact to v2.1.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@actions/artifact (source)	2.1.1 -> 2.1.7

GitHub Vulnerability Alerts

CVE-2024-42471

Impact

Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted artifact that contains path traversal filenames.

Patches

Upgrade to version 2.1.7 or higher.

References

• https://snyk.io/research/zip-slip-vulnerability
• https://github.com/actions/toolkit/pull/1724

CVE

CVE-2024-42471

Credits

Justin Taft from Google

---

Release Notes

actions/toolkit (@​actions/artifact)

v2.1.7

• Update unzip-stream dependency and reverted to using unzip.Extract()

v2.1.6

• Will retry on invalid request responses.

v2.1.5

• Bumped archiver dependency to 7.0.1

v2.1.4

• Adds info-level logging for zip extraction

v2.1.3

• Fixes a bug in the extract logic updated in 2.1.2

v2.1.2

• Updated the stream extract functionality to use unzip.Parse() instead of unzip.Extract() for greater control of unzipping artifacts

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.