From 4eb7dbcb9561cb76a85079ffa9d89b983166e00c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 12:13:45 -0500 Subject: [PATCH 1/3] Bump braces from 3.0.2 to 3.0.3 (#893) * Bump braces from 3.0.2 to 3.0.3 Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] * Bump undici from 5.28.3 to 5.28.4 --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: HarithaVattikuti <73516759+HarithaVattikuti@users.noreply.github.com> --- .licenses/npm/undici.dep.yml | 2 +- dist/cache-save/index.js | 297 ++++++++++++++++++++++++++++++----- dist/setup/index.js | 297 ++++++++++++++++++++++++++++++----- package-lock.json | 20 +-- 4 files changed, 523 insertions(+), 93 deletions(-) diff --git a/.licenses/npm/undici.dep.yml b/.licenses/npm/undici.dep.yml index 58844ed3d..cc74a6d2d 100644 --- a/.licenses/npm/undici.dep.yml +++ b/.licenses/npm/undici.dep.yml @@ -1,6 +1,6 @@ --- name: undici -version: 5.28.3 +version: 5.28.4 type: npm summary: An HTTP/1.1 client, written from scratch for Node.js homepage: https://undici.nodejs.org diff --git a/dist/cache-save/index.js b/dist/cache-save/index.js index 400938d6a..aa4501f96 100644 --- a/dist/cache-save/index.js +++ b/dist/cache-save/index.js @@ -57964,6 +57964,132 @@ function onConnectTimeout (socket) { module.exports = buildConnector +/***/ }), + +/***/ 4462: +/***/ ((module) => { + +"use strict"; + + +/** @type {Record} */ +const headerNameLowerCasedRecord = {} + +// https://developer.mozilla.org/docs/Web/HTTP/Headers +const wellknownHeaderNames = [ + 'Accept', + 'Accept-Encoding', + 'Accept-Language', + 'Accept-Ranges', + 'Access-Control-Allow-Credentials', + 'Access-Control-Allow-Headers', + 'Access-Control-Allow-Methods', + 'Access-Control-Allow-Origin', + 'Access-Control-Expose-Headers', + 'Access-Control-Max-Age', + 'Access-Control-Request-Headers', + 'Access-Control-Request-Method', + 'Age', + 'Allow', + 'Alt-Svc', + 'Alt-Used', + 'Authorization', + 'Cache-Control', + 'Clear-Site-Data', + 'Connection', + 'Content-Disposition', + 'Content-Encoding', + 'Content-Language', + 'Content-Length', + 'Content-Location', + 'Content-Range', + 'Content-Security-Policy', + 'Content-Security-Policy-Report-Only', + 'Content-Type', + 'Cookie', + 'Cross-Origin-Embedder-Policy', + 'Cross-Origin-Opener-Policy', + 'Cross-Origin-Resource-Policy', + 'Date', + 'Device-Memory', + 'Downlink', + 'ECT', + 'ETag', + 'Expect', + 'Expect-CT', + 'Expires', + 'Forwarded', + 'From', + 'Host', + 'If-Match', + 'If-Modified-Since', + 'If-None-Match', + 'If-Range', + 'If-Unmodified-Since', + 'Keep-Alive', + 'Last-Modified', + 'Link', + 'Location', + 'Max-Forwards', + 'Origin', + 'Permissions-Policy', + 'Pragma', + 'Proxy-Authenticate', + 'Proxy-Authorization', + 'RTT', + 'Range', + 'Referer', + 'Referrer-Policy', + 'Refresh', + 'Retry-After', + 'Sec-WebSocket-Accept', + 'Sec-WebSocket-Extensions', + 'Sec-WebSocket-Key', + 'Sec-WebSocket-Protocol', + 'Sec-WebSocket-Version', + 'Server', + 'Server-Timing', + 'Service-Worker-Allowed', + 'Service-Worker-Navigation-Preload', + 'Set-Cookie', + 'SourceMap', + 'Strict-Transport-Security', + 'Supports-Loading-Mode', + 'TE', + 'Timing-Allow-Origin', + 'Trailer', + 'Transfer-Encoding', + 'Upgrade', + 'Upgrade-Insecure-Requests', + 'User-Agent', + 'Vary', + 'Via', + 'WWW-Authenticate', + 'X-Content-Type-Options', + 'X-DNS-Prefetch-Control', + 'X-Frame-Options', + 'X-Permitted-Cross-Domain-Policies', + 'X-Powered-By', + 'X-Requested-With', + 'X-XSS-Protection' +] + +for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i] + const lowerCasedKey = key.toLowerCase() + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = + lowerCasedKey +} + +// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. +Object.setPrototypeOf(headerNameLowerCasedRecord, null) + +module.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord +} + + /***/ }), /***/ 8045: @@ -58796,6 +58922,7 @@ const { InvalidArgumentError } = __nccwpck_require__(8045) const { Blob } = __nccwpck_require__(4300) const nodeUtil = __nccwpck_require__(3837) const { stringify } = __nccwpck_require__(3477) +const { headerNameLowerCasedRecord } = __nccwpck_require__(4462) const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) @@ -59005,6 +59132,15 @@ function parseKeepAliveTimeout (val) { return m ? parseInt(m[1], 10) * 1000 : null } +/** + * Retrieves a header name and returns its lowercase value. + * @param {string | Buffer} value Header name + * @returns {string} + */ +function headerNameToString (value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase() +} + function parseHeaders (headers, obj = {}) { // For H2 support if (!Array.isArray(headers)) return headers @@ -59276,6 +59412,7 @@ module.exports = { isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -65923,14 +66060,18 @@ const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983 const assert = __nccwpck_require__(9491) const { isUint8Array } = __nccwpck_require__(9830) +let supportedHashes = [] + // https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable /** @type {import('crypto')|undefined} */ let crypto try { crypto = __nccwpck_require__(6113) + const possibleRelevantHashes = ['sha256', 'sha384', 'sha512'] + supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)) +/* c8 ignore next 3 */ } catch { - } function responseURL (response) { @@ -66458,66 +66599,56 @@ function bytesMatch (bytes, metadataList) { return true } - // 3. If parsedMetadata is the empty set, return true. + // 3. If response is not eligible for integrity validation, return false. + // TODO + + // 4. If parsedMetadata is the empty set, return true. if (parsedMetadata.length === 0) { return true } - // 4. Let metadata be the result of getting the strongest + // 5. Let metadata be the result of getting the strongest // metadata from parsedMetadata. - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) - // get the strongest algorithm - const strongest = list[0].algo - // get all entries that use the strongest algorithm; ignore weaker - const metadata = list.filter((item) => item.algo === strongest) + const strongest = getStrongestMetadata(parsedMetadata) + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest) - // 5. For each item in metadata: + // 6. For each item in metadata: for (const item of metadata) { // 1. Let algorithm be the alg component of item. const algorithm = item.algo // 2. Let expectedValue be the val component of item. - let expectedValue = item.hash + const expectedValue = item.hash // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e // "be liberal with padding". This is annoying, and it's not even in the spec. - if (expectedValue.endsWith('==')) { - expectedValue = expectedValue.slice(0, -2) - } - // 3. Let actualValue be the result of applying algorithm to bytes. let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') - if (actualValue.endsWith('==')) { - actualValue = actualValue.slice(0, -2) + if (actualValue[actualValue.length - 1] === '=') { + if (actualValue[actualValue.length - 2] === '=') { + actualValue = actualValue.slice(0, -2) + } else { + actualValue = actualValue.slice(0, -1) + } } // 4. If actualValue is a case-sensitive match for expectedValue, // return true. - if (actualValue === expectedValue) { - return true - } - - let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') - - if (actualBase64URL.endsWith('==')) { - actualBase64URL = actualBase64URL.slice(0, -2) - } - - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true } } - // 6. Return false. + // 7. Return false. return false } // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options // https://www.w3.org/TR/CSP2/#source-list-syntax // https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 -const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i +const parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i /** * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata @@ -66531,8 +66662,6 @@ function parseMetadata (metadata) { // 2. Let empty be equal to true. let empty = true - const supportedHashes = crypto.getHashes() - // 3. For each token returned by splitting metadata on spaces: for (const token of metadata.split(' ')) { // 1. Set empty to false. @@ -66542,7 +66671,11 @@ function parseMetadata (metadata) { const parsedToken = parseHashWithOptions.exec(token) // 3. If token does not parse, continue to the next token. - if (parsedToken === null || parsedToken.groups === undefined) { + if ( + parsedToken === null || + parsedToken.groups === undefined || + parsedToken.groups.algo === undefined + ) { // Note: Chromium blocks the request at this point, but Firefox // gives a warning that an invalid integrity was given. The // correct behavior is to ignore these, and subsequently not @@ -66551,11 +66684,11 @@ function parseMetadata (metadata) { } // 4. Let algorithm be the hash-algo component of token. - const algorithm = parsedToken.groups.algo + const algorithm = parsedToken.groups.algo.toLowerCase() // 5. If algorithm is a hash function recognized by the user // agent, add the parsed token to result. - if (supportedHashes.includes(algorithm.toLowerCase())) { + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups) } } @@ -66568,6 +66701,82 @@ function parseMetadata (metadata) { return result } +/** + * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList + */ +function getStrongestMetadata (metadataList) { + // Let algorithm be the algo component of the first item in metadataList. + // Can be sha256 + let algorithm = metadataList[0].algo + // If the algorithm is sha512, then it is the strongest + // and we can return immediately + if (algorithm[3] === '5') { + return algorithm + } + + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i] + // If the algorithm is sha512, then it is the strongest + // and we can break the loop immediately + if (metadata.algo[3] === '5') { + algorithm = 'sha512' + break + // If the algorithm is sha384, then a potential sha256 or sha384 is ignored + } else if (algorithm[3] === '3') { + continue + // algorithm is sha256, check if algorithm is sha384 and if so, set it as + // the strongest + } else if (metadata.algo[3] === '3') { + algorithm = 'sha384' + } + } + return algorithm +} + +function filterMetadataListByAlgorithm (metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList + } + + let pos = 0 + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i] + } + } + + metadataList.length = pos + + return metadataList +} + +/** + * Compares two base64 strings, allowing for base64url + * in the second string. + * +* @param {string} actualValue always base64 + * @param {string} expectedValue base64 or base64url + * @returns {boolean} + */ +function compareBase64Mixed (actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if ( + (actualValue[i] === '+' && expectedValue[i] === '-') || + (actualValue[i] === '/' && expectedValue[i] === '_') + ) { + continue + } + return false + } + } + + return true +} + // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { // TODO @@ -66983,7 +67192,8 @@ module.exports = { urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata } @@ -69070,12 +69280,17 @@ function parseLocation (statusCode, headers) { // https://tools.ietf.org/html/rfc7231#section-6.4.4 function shouldRemoveHeader (header, removeContent, unknownOrigin) { - return ( - (header.length === 4 && header.toString().toLowerCase() === 'host') || - (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || - (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || - (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') - ) + if (header.length === 4) { + return util.headerNameToString(header) === 'host' + } + if (removeContent && util.headerNameToString(header).startsWith('content-')) { + return true + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header) + return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization' + } + return false } // https://tools.ietf.org/html/rfc7231#section-6.4 diff --git a/dist/setup/index.js b/dist/setup/index.js index d558c611f..e28c3be0e 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -67150,6 +67150,132 @@ function onConnectTimeout (socket) { module.exports = buildConnector +/***/ }), + +/***/ 4462: +/***/ ((module) => { + +"use strict"; + + +/** @type {Record} */ +const headerNameLowerCasedRecord = {} + +// https://developer.mozilla.org/docs/Web/HTTP/Headers +const wellknownHeaderNames = [ + 'Accept', + 'Accept-Encoding', + 'Accept-Language', + 'Accept-Ranges', + 'Access-Control-Allow-Credentials', + 'Access-Control-Allow-Headers', + 'Access-Control-Allow-Methods', + 'Access-Control-Allow-Origin', + 'Access-Control-Expose-Headers', + 'Access-Control-Max-Age', + 'Access-Control-Request-Headers', + 'Access-Control-Request-Method', + 'Age', + 'Allow', + 'Alt-Svc', + 'Alt-Used', + 'Authorization', + 'Cache-Control', + 'Clear-Site-Data', + 'Connection', + 'Content-Disposition', + 'Content-Encoding', + 'Content-Language', + 'Content-Length', + 'Content-Location', + 'Content-Range', + 'Content-Security-Policy', + 'Content-Security-Policy-Report-Only', + 'Content-Type', + 'Cookie', + 'Cross-Origin-Embedder-Policy', + 'Cross-Origin-Opener-Policy', + 'Cross-Origin-Resource-Policy', + 'Date', + 'Device-Memory', + 'Downlink', + 'ECT', + 'ETag', + 'Expect', + 'Expect-CT', + 'Expires', + 'Forwarded', + 'From', + 'Host', + 'If-Match', + 'If-Modified-Since', + 'If-None-Match', + 'If-Range', + 'If-Unmodified-Since', + 'Keep-Alive', + 'Last-Modified', + 'Link', + 'Location', + 'Max-Forwards', + 'Origin', + 'Permissions-Policy', + 'Pragma', + 'Proxy-Authenticate', + 'Proxy-Authorization', + 'RTT', + 'Range', + 'Referer', + 'Referrer-Policy', + 'Refresh', + 'Retry-After', + 'Sec-WebSocket-Accept', + 'Sec-WebSocket-Extensions', + 'Sec-WebSocket-Key', + 'Sec-WebSocket-Protocol', + 'Sec-WebSocket-Version', + 'Server', + 'Server-Timing', + 'Service-Worker-Allowed', + 'Service-Worker-Navigation-Preload', + 'Set-Cookie', + 'SourceMap', + 'Strict-Transport-Security', + 'Supports-Loading-Mode', + 'TE', + 'Timing-Allow-Origin', + 'Trailer', + 'Transfer-Encoding', + 'Upgrade', + 'Upgrade-Insecure-Requests', + 'User-Agent', + 'Vary', + 'Via', + 'WWW-Authenticate', + 'X-Content-Type-Options', + 'X-DNS-Prefetch-Control', + 'X-Frame-Options', + 'X-Permitted-Cross-Domain-Policies', + 'X-Powered-By', + 'X-Requested-With', + 'X-XSS-Protection' +] + +for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i] + const lowerCasedKey = key.toLowerCase() + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = + lowerCasedKey +} + +// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. +Object.setPrototypeOf(headerNameLowerCasedRecord, null) + +module.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord +} + + /***/ }), /***/ 8045: @@ -67982,6 +68108,7 @@ const { InvalidArgumentError } = __nccwpck_require__(8045) const { Blob } = __nccwpck_require__(4300) const nodeUtil = __nccwpck_require__(3837) const { stringify } = __nccwpck_require__(3477) +const { headerNameLowerCasedRecord } = __nccwpck_require__(4462) const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) @@ -68191,6 +68318,15 @@ function parseKeepAliveTimeout (val) { return m ? parseInt(m[1], 10) * 1000 : null } +/** + * Retrieves a header name and returns its lowercase value. + * @param {string | Buffer} value Header name + * @returns {string} + */ +function headerNameToString (value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase() +} + function parseHeaders (headers, obj = {}) { // For H2 support if (!Array.isArray(headers)) return headers @@ -68462,6 +68598,7 @@ module.exports = { isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -75109,14 +75246,18 @@ const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983 const assert = __nccwpck_require__(9491) const { isUint8Array } = __nccwpck_require__(9830) +let supportedHashes = [] + // https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable /** @type {import('crypto')|undefined} */ let crypto try { crypto = __nccwpck_require__(6113) + const possibleRelevantHashes = ['sha256', 'sha384', 'sha512'] + supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)) +/* c8 ignore next 3 */ } catch { - } function responseURL (response) { @@ -75644,66 +75785,56 @@ function bytesMatch (bytes, metadataList) { return true } - // 3. If parsedMetadata is the empty set, return true. + // 3. If response is not eligible for integrity validation, return false. + // TODO + + // 4. If parsedMetadata is the empty set, return true. if (parsedMetadata.length === 0) { return true } - // 4. Let metadata be the result of getting the strongest + // 5. Let metadata be the result of getting the strongest // metadata from parsedMetadata. - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) - // get the strongest algorithm - const strongest = list[0].algo - // get all entries that use the strongest algorithm; ignore weaker - const metadata = list.filter((item) => item.algo === strongest) + const strongest = getStrongestMetadata(parsedMetadata) + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest) - // 5. For each item in metadata: + // 6. For each item in metadata: for (const item of metadata) { // 1. Let algorithm be the alg component of item. const algorithm = item.algo // 2. Let expectedValue be the val component of item. - let expectedValue = item.hash + const expectedValue = item.hash // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e // "be liberal with padding". This is annoying, and it's not even in the spec. - if (expectedValue.endsWith('==')) { - expectedValue = expectedValue.slice(0, -2) - } - // 3. Let actualValue be the result of applying algorithm to bytes. let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') - if (actualValue.endsWith('==')) { - actualValue = actualValue.slice(0, -2) + if (actualValue[actualValue.length - 1] === '=') { + if (actualValue[actualValue.length - 2] === '=') { + actualValue = actualValue.slice(0, -2) + } else { + actualValue = actualValue.slice(0, -1) + } } // 4. If actualValue is a case-sensitive match for expectedValue, // return true. - if (actualValue === expectedValue) { - return true - } - - let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') - - if (actualBase64URL.endsWith('==')) { - actualBase64URL = actualBase64URL.slice(0, -2) - } - - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true } } - // 6. Return false. + // 7. Return false. return false } // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options // https://www.w3.org/TR/CSP2/#source-list-syntax // https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 -const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i +const parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i /** * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata @@ -75717,8 +75848,6 @@ function parseMetadata (metadata) { // 2. Let empty be equal to true. let empty = true - const supportedHashes = crypto.getHashes() - // 3. For each token returned by splitting metadata on spaces: for (const token of metadata.split(' ')) { // 1. Set empty to false. @@ -75728,7 +75857,11 @@ function parseMetadata (metadata) { const parsedToken = parseHashWithOptions.exec(token) // 3. If token does not parse, continue to the next token. - if (parsedToken === null || parsedToken.groups === undefined) { + if ( + parsedToken === null || + parsedToken.groups === undefined || + parsedToken.groups.algo === undefined + ) { // Note: Chromium blocks the request at this point, but Firefox // gives a warning that an invalid integrity was given. The // correct behavior is to ignore these, and subsequently not @@ -75737,11 +75870,11 @@ function parseMetadata (metadata) { } // 4. Let algorithm be the hash-algo component of token. - const algorithm = parsedToken.groups.algo + const algorithm = parsedToken.groups.algo.toLowerCase() // 5. If algorithm is a hash function recognized by the user // agent, add the parsed token to result. - if (supportedHashes.includes(algorithm.toLowerCase())) { + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups) } } @@ -75754,6 +75887,82 @@ function parseMetadata (metadata) { return result } +/** + * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList + */ +function getStrongestMetadata (metadataList) { + // Let algorithm be the algo component of the first item in metadataList. + // Can be sha256 + let algorithm = metadataList[0].algo + // If the algorithm is sha512, then it is the strongest + // and we can return immediately + if (algorithm[3] === '5') { + return algorithm + } + + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i] + // If the algorithm is sha512, then it is the strongest + // and we can break the loop immediately + if (metadata.algo[3] === '5') { + algorithm = 'sha512' + break + // If the algorithm is sha384, then a potential sha256 or sha384 is ignored + } else if (algorithm[3] === '3') { + continue + // algorithm is sha256, check if algorithm is sha384 and if so, set it as + // the strongest + } else if (metadata.algo[3] === '3') { + algorithm = 'sha384' + } + } + return algorithm +} + +function filterMetadataListByAlgorithm (metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList + } + + let pos = 0 + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i] + } + } + + metadataList.length = pos + + return metadataList +} + +/** + * Compares two base64 strings, allowing for base64url + * in the second string. + * +* @param {string} actualValue always base64 + * @param {string} expectedValue base64 or base64url + * @returns {boolean} + */ +function compareBase64Mixed (actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if ( + (actualValue[i] === '+' && expectedValue[i] === '-') || + (actualValue[i] === '/' && expectedValue[i] === '_') + ) { + continue + } + return false + } + } + + return true +} + // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { // TODO @@ -76169,7 +76378,8 @@ module.exports = { urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata } @@ -78256,12 +78466,17 @@ function parseLocation (statusCode, headers) { // https://tools.ietf.org/html/rfc7231#section-6.4.4 function shouldRemoveHeader (header, removeContent, unknownOrigin) { - return ( - (header.length === 4 && header.toString().toLowerCase() === 'host') || - (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || - (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || - (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') - ) + if (header.length === 4) { + return util.headerNameToString(header) === 'host' + } + if (removeContent && util.headerNameToString(header).startsWith('content-')) { + return true + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header) + return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization' + } + return false } // https://tools.ietf.org/html/rfc7231#section-6.4 diff --git a/package-lock.json b/package-lock.json index 958c21819..b2695779d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2210,12 +2210,12 @@ } }, "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dev": true, "dependencies": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" }, "engines": { "node": ">=8" @@ -3064,9 +3064,9 @@ } }, "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dev": true, "dependencies": { "to-regex-range": "^5.0.1" @@ -5287,9 +5287,9 @@ } }, "node_modules/undici": { - "version": "5.28.3", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", - "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", + "version": "5.28.4", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz", + "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==", "dependencies": { "@fastify/busboy": "^2.0.0" }, From a0d74c0c423f896bc4e7be91d5cb1e2d54438db3 Mon Sep 17 00:00:00 2001 From: Matthieu Darbois Date: Thu, 27 Jun 2024 20:18:32 +0200 Subject: [PATCH 2/3] fix(ci): update all failing workflows (#863) * fix(ci): update all failing workflows With `macos-latest` moving to `macos-14`, most workflows are currently failing. Update them to be able to run on `macos-latest` Don't test python 3.5 on ubuntu. It's been EOL for almost 4 years and there are now some certificate issues with pip. * review: remove test with python 3.5, 3.6 & 3.7 * add latest versions to e2e-tests.yml --- .github/workflows/e2e-cache.yml | 11 ++-- .github/workflows/e2e-tests.yml | 56 +++++++++---------- .github/workflows/test-graalpy.yml | 1 + .github/workflows/test-pypy.yml | 33 +++++------ .github/workflows/test-python.yml | 89 ++++++++++-------------------- 5 files changed, 79 insertions(+), 111 deletions(-) diff --git a/.github/workflows/e2e-cache.yml b/.github/workflows/e2e-cache.yml index 6db7088e5..0c73a0b0c 100644 --- a/.github/workflows/e2e-cache.yml +++ b/.github/workflows/e2e-cache.yml @@ -10,6 +10,7 @@ on: - releases/* paths-ignore: - '**.md' + workflow_dispatch: permissions: contents: read @@ -21,7 +22,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] - python-version: ['3.9', 'pypy-3.7-v7.x'] + python-version: ['3.9', 'pypy-3.9-v7.x'] steps: - uses: actions/checkout@v4 - name: Setup Python @@ -75,7 +76,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] - python-version: ['3.9', 'pypy-3.8'] + python-version: ['3.9', 'pypy-3.9'] steps: - uses: actions/checkout@v4 - name: Install poetry @@ -91,13 +92,13 @@ jobs: run: poetry install python-pip-dependencies-caching-path: - name: Test pip (Python ${{ matrix.python-version}}, ${{ matrix.os }}) + name: Test pip (Python ${{ matrix.python-version}}, ${{ matrix.os }}, caching path) runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] - python-version: ['3.9', 'pypy-3.7-v7.x'] + python-version: ['3.9', 'pypy-3.9-v7.x'] steps: - uses: actions/checkout@v4 - name: Setup Python @@ -110,7 +111,7 @@ jobs: run: pip install numpy pandas requests python-pipenv-dependencies-caching-path: - name: Test pipenv (Python ${{ matrix.python-version}}, ${{ matrix.os }}) + name: Test pipenv (Python ${{ matrix.python-version}}, ${{ matrix.os }}, caching path) runs-on: ${{ matrix.os }} strategy: fail-fast: false diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index d1f4b446e..a14739de1 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -9,6 +9,7 @@ on: pull_request: paths-ignore: - '**.md' + workflow_dispatch: jobs: test-setup-python: @@ -21,54 +22,47 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Run with setup-python 3.5 - uses: ./ - with: - python-version: 3.5 - - name: Verify 3.5 - run: python __tests__/verify-python.py 3.5 - - - name: Run with setup-python 3.6 + - name: Run with setup-python 3.8 uses: ./ with: - python-version: 3.6 - - name: Verify 3.6 - run: python __tests__/verify-python.py 3.6 + python-version: 3.8 + - name: Verify 3.8 + run: python __tests__/verify-python.py 3.8 - - name: Run with setup-python 3.7 + - name: Run with setup-python 3.8.10 uses: ./ with: - python-version: 3.7 - - name: Verify 3.7 - run: python __tests__/verify-python.py 3.7 + python-version: 3.8.10 + - name: Verify 3.8.10 + run: python __tests__/verify-python.py 3.8.10 - - name: Run with setup-python 3.8 + - name: Run with setup-python 3.9.13 uses: ./ with: - python-version: 3.8 - - name: Verify 3.8 - run: python __tests__/verify-python.py 3.8 + python-version: 3.9.13 + - name: Verify 3.9.13 + run: python __tests__/verify-python.py 3.9.13 - - name: Run with setup-python 3.7.5 + - name: Run with setup-python 3.9.13 uses: ./ with: - python-version: 3.7.5 - - name: Verify 3.7.5 - run: python __tests__/verify-python.py 3.7.5 + python-version: 3.10.11 + - name: Verify 3.10.11 + run: python __tests__/verify-python.py 3.10.11 - - name: Run with setup-python 3.6.7 + - name: Run with setup-python 3.11.9 uses: ./ with: - python-version: 3.6.7 - - name: Verify 3.6.7 - run: python __tests__/verify-python.py 3.6.7 + python-version: 3.11.9 + - name: Verify 3.11.9 + run: python __tests__/verify-python.py 3.11.9 - - name: Run with setup-python 3.8.1 + - name: Run with setup-python 3.12.4 uses: ./ with: - python-version: 3.8.1 - - name: Verify 3.8.1 - run: python __tests__/verify-python.py 3.8.1 + python-version: 3.12.4 + - name: Verify 3.12.4 + run: python __tests__/verify-python.py 3.12.4 - name: Run with setup-python 3.10 id: cp310 diff --git a/.github/workflows/test-graalpy.yml b/.github/workflows/test-graalpy.yml index febf0b860..fe8f497e1 100644 --- a/.github/workflows/test-graalpy.yml +++ b/.github/workflows/test-graalpy.yml @@ -9,6 +9,7 @@ on: pull_request: paths-ignore: - '**.md' + workflow_dispatch: jobs: setup-graalpy: diff --git a/.github/workflows/test-pypy.yml b/.github/workflows/test-pypy.yml index abf77bd6c..355bc2324 100644 --- a/.github/workflows/test-pypy.yml +++ b/.github/workflows/test-pypy.yml @@ -11,6 +11,7 @@ on: - '**.md' schedule: - cron: 30 3 * * * + workflow_dispatch: jobs: setup-pypy: @@ -22,16 +23,16 @@ jobs: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-latest] pypy: - 'pypy-2.7' - - 'pypy-3.7' + - 'pypy-3.10' - 'pypy3.9' - - 'pypy-2.7-v7.3.4' - - 'pypy-3.7-v7.3.5' - - 'pypy-3.7-v7.3.4' - - 'pypy-3.7-v7.3.x' - - 'pypy-3.7-v7.x' - - 'pypy-2.7-v7.3.4rc1' - - 'pypy-3.8-nightly' - - 'pypy3.8-v7.3.7' + - 'pypy-2.7-v7.3.14' + - 'pypy-3.10-v7.3.15' + - 'pypy-3.10-v7.3.14' + - 'pypy-3.10-v7.3.x' + - 'pypy-3.10-v7.x' + - 'pypy-2.7-v7.3.12rc1' + - 'pypy-3.10-nightly' + - 'pypy3.10-v7.3.15' steps: - name: Checkout @@ -74,7 +75,7 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-latest] - pypy: ['pypy2.7', 'pypy3.7', 'pypy3.8', 'pypy3.9-nightly'] + pypy: ['pypy2.7', 'pypy3.9', 'pypy3.10-nightly'] steps: - name: Checkout @@ -104,7 +105,7 @@ jobs: - name: Setup PyPy and check latest uses: ./ with: - python-version: 'pypy-3.7-v7.3.x' + python-version: 'pypy-3.10-v7.3.x' check-latest: true - name: PyPy and Python version run: python --version @@ -120,7 +121,7 @@ jobs: - name: Assert expected binaries (or symlinks) are present run: | - EXECUTABLE="pypy-3.7-v7.3.x" + EXECUTABLE="pypy-3.10-v7.3.x" EXECUTABLE=${EXECUTABLE/-/} # remove the first '-' in "pypy-X.Y" -> "pypyX.Y" to match executable name EXECUTABLE=${EXECUTABLE%%-*} # remove any -* suffixe ${EXECUTABLE} --version @@ -138,8 +139,8 @@ jobs: uses: ./ with: python-version: | - pypy-3.7-v7.3.x - pypy3.8 + pypy-3.10-v7.3.x + pypy3.9 check-latest: true - name: PyPy and Python version run: python --version @@ -155,14 +156,14 @@ jobs: - name: Assert expected binaries (or symlinks) are present run: | - EXECUTABLE="pypy-3.7-v7.3.x" + EXECUTABLE="pypy-3.10-v7.3.x" EXECUTABLE=${EXECUTABLE/-/} # remove the first '-' in "pypy-X.Y" -> "pypyX.Y" to match executable name EXECUTABLE=${EXECUTABLE%%-*} # remove any -* suffixe ${EXECUTABLE} --version shell: bash - name: Assert expected binaries (or symlinks) are present run: | - EXECUTABLE='pypy3.8' + EXECUTABLE='pypy3.9' EXECUTABLE=${EXECUTABLE/pypy-/pypy} # remove the first '-' in "pypy-X.Y" -> "pypyX.Y" to match executable name EXECUTABLE=${EXECUTABLE%%-*} # remove any -* suffixe ${EXECUTABLE} --version diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml index 5982a8974..c8aef26cc 100644 --- a/.github/workflows/test-python.yml +++ b/.github/workflows/test-python.yml @@ -21,16 +21,10 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] - python: [3.5.4, 3.6.7, 3.7.5, 3.8.15, 3.9.13] + python: [3.8.10, 3.9.13, 3.10.11, 3.11.9, 3.12.3] exclude: - os: ubuntu-22.04 - python: 3.5.4 - - os: ubuntu-22.04 - python: 3.6.7 - - os: ubuntu-22.04 - python: 3.7.5 - - os: windows-latest - python: 3.8.15 + python: 3.8.10 steps: - name: Checkout uses: actions/checkout@v4 @@ -65,16 +59,10 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] - python: [3.5.4, 3.6.7, 3.7.5, 3.8.15, 3.9.13] + python: [3.8.10, 3.9.13, 3.10.11, 3.11.9, 3.12.3] exclude: - os: ubuntu-22.04 - python: 3.5.4 - - os: ubuntu-22.04 - python: 3.6.7 - - os: ubuntu-22.04 - python: 3.7.5 - - os: windows-latest - python: 3.8.15 + python: 3.8.10 steps: - name: Checkout uses: actions/checkout@v4 @@ -112,16 +100,10 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] - python: [3.5.4, 3.6.7, 3.7.5, 3.8.15, 3.9.13] + python: [3.8.10, 3.9.13, 3.10.11, 3.11.9, 3.12.3] exclude: - os: ubuntu-22.04 - python: 3.5.4 - - os: ubuntu-22.04 - python: 3.6.7 - - os: ubuntu-22.04 - python: 3.7.5 - - os: windows-latest - python: 3.8.15 + python: 3.8.10 steps: - name: Checkout uses: actions/checkout@v4 @@ -157,16 +139,10 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] - python: [3.5.4, 3.6.7, 3.7.5, 3.8.15, 3.9.13, '==3.10.10'] + python: [3.8.10, 3.9.13, 3.10.11, 3.11.9, '==3.12.3'] exclude: - os: ubuntu-22.04 - python: 3.5.4 - - os: ubuntu-22.04 - python: 3.6.7 - - os: ubuntu-22.04 - python: 3.7.5 - - os: windows-latest - python: 3.8.15 + python: 3.8.10 steps: - name: Checkout uses: actions/checkout@v4 @@ -207,16 +183,10 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] - python: [3.5.4, 3.6.7, 3.7.5, 3.8.15, 3.9.13] + python: [3.8.10, 3.9.13, 3.10.11, 3.11.9, 3.12.3] exclude: - os: ubuntu-22.04 - python: 3.5.4 - - os: ubuntu-22.04 - python: 3.6.7 - - os: ubuntu-22.04 - python: 3.7.5 - - os: windows-latest - python: 3.8.15 + python: 3.8.10 steps: - name: Checkout uses: actions/checkout@v4 @@ -251,21 +221,21 @@ jobs: run: python -c 'import math; print(math.factorial(5))' setup-pre-release-version-from-manifest: - name: Setup 3.9.0-beta.4 ${{ matrix.os }} + name: Setup 3.13.0-alpha.6 ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: - os: [macos-latest, windows-latest, ubuntu-20.04] + os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] steps: - name: Checkout uses: actions/checkout@v4 - - name: setup-python 3.9.0-beta.4 + - name: setup-python 3.13.0-alpha.6 id: setup-python uses: ./ with: - python-version: '3.9.0-beta.4' + python-version: '3.13.0-alpha.6' - name: Check python-path run: ./__tests__/check-python-path.sh '${{ steps.setup-python.outputs.python-path }}' @@ -274,8 +244,8 @@ jobs: - name: Validate version run: | $pythonVersion = (python --version) - if ("Python 3.9.0b4" -ne "$pythonVersion"){ - Write-Host "The current version is $pythonVersion; expected version is 3.9.0b4" + if ("Python 3.13.0a6" -ne "$pythonVersion"){ + Write-Host "The current version is $pythonVersion; expected version is 3.13.0a6" exit 1 } $pythonVersion @@ -285,7 +255,7 @@ jobs: run: python -c 'import math; print(math.factorial(5))' setup-dev-version: - name: Setup 3.9-dev ${{ matrix.os }} + name: Setup 3.13-dev ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -295,25 +265,25 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: setup-python 3.9-dev + - name: setup-python 3.13-dev id: setup-python uses: ./ with: - python-version: '3.9-dev' + python-version: '3.13-dev' - name: Check python-path run: ./__tests__/check-python-path.sh '${{ steps.setup-python.outputs.python-path }}' shell: bash - name: Validate version - run: ${{ startsWith(steps.setup-python.outputs.python-version, '3.9.') }} + run: ${{ startsWith(steps.setup-python.outputs.python-version, '3.13.') }} shell: bash - name: Run simple code run: python -c 'import math; print(math.factorial(5))' setup-prerelease-version: - name: Setup 3.12 ${{ matrix.os }} + name: Setup 3.13 ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -323,11 +293,11 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: setup-python 3.12 + - name: setup-python 3.13 id: setup-python uses: ./ with: - python-version: '3.12' + python-version: '3.13' allow-prereleases: true - name: Check python-path @@ -335,7 +305,7 @@ jobs: shell: bash - name: Validate version - run: ${{ startsWith(steps.setup-python.outputs.python-version, '3.12.') }} + run: ${{ startsWith(steps.setup-python.outputs.python-version, '3.13.') }} shell: bash - name: Run simple code @@ -348,7 +318,7 @@ jobs: fail-fast: false matrix: os: [macos-latest, windows-latest, ubuntu-20.04, ubuntu-22.04] - python: ['3.7', '3.8', '3.9', '3.10'] + python: ['3.8', '3.9', '3.10', '3.11', '3.12'] steps: - name: Checkout uses: actions/checkout@v4 @@ -372,7 +342,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] - python-version: ['3.8', '3.9', '3.10'] + python-version: ['3.8', '3.9', '3.10', '3.11', '3.12'] steps: - uses: actions/checkout@v4 - name: Setup Python and check latest @@ -402,16 +372,17 @@ jobs: uses: ./ with: python-version: | - 3.7 3.8 3.9 3.10 + 3.11 + 3.12 check-latest: true - name: Validate version run: | $pythonVersion = (python --version) - if ("$pythonVersion" -NotMatch "3.10"){ - Write-Host "The current version is $pythonVersion; expected version is 3.10" + if ("$pythonVersion" -NotMatch "3.12"){ + Write-Host "The current version is $pythonVersion; expected version is 3.12" exit 1 } $pythonVersion From 39cd14951b08e74b54015e9e001cdefcf80e669f Mon Sep 17 00:00:00 2001 From: gowridurgad <159780674+gowridurgad@users.noreply.github.com> Date: Wed, 10 Jul 2024 19:18:13 +0530 Subject: [PATCH 3/3] Documentation update for cache (#873) * updated doc * added note * modify1 * Update advanced-usage.md * Update 0000-caching-dependencies.md --------- Co-authored-by: gowridurgad --- docs/adrs/0000-caching-dependencies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/adrs/0000-caching-dependencies.md b/docs/adrs/0000-caching-dependencies.md index 8a172a077..7f9e4d047 100644 --- a/docs/adrs/0000-caching-dependencies.md +++ b/docs/adrs/0000-caching-dependencies.md @@ -18,7 +18,7 @@ Integration of caching functionality into `actions/setup-python` action will bri We will add support for Pip and Pipenv dependency caching. -We won't pursue the goal to provide wide customization of caching in the scope of `actions/setup-python` action. The purpose of this integration is to cover ~90% of basic use-cases. If users need flexible customization, we will advise them to use `actions/cache` directly. +We won't pursue the goal to provide wide customization of caching in the scope of `actions/setup-python` action. The purpose of this integration is to cover ~90% of basic use-cases. The action does not support dependency-specific caching for each job. If different dependencies are installed across jobs the cache from the first job will be used in the second job. To manage this aspect, users should create separate caches for jobs with different requirements. If users need flexible customization, we will advise them to use `actions/cache` directly. ## Decision