
GitHub Actions: Removing set-env and add-path commands on November 16

On October 1, 2020, we published a CVE outlining a vulnerability in the set-env and add-path workflow commands feature of GitHub Actions, and announced that we would be deprecating those features. In addition, we began warning customers in their Actions logs about the coming deprecation and provided guidance on how to migrate to the replacement functionality.

Specific vulnerabilities introduced by these commands have been patched, but in order to completely close the attack vector we need to disable the set-env and add-path workflow commands.

Security and transparency are essential to maintaining your trust. Therefore, while our investigations show no evidence at this time of this vulnerability being exploited, out of an abundance of caution, we will disable those commands and start failing workflow runs that use them on November 16, 2020.

For details on how to use the new functionality and prevent your workflows from breaking, please see https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/.

Update 11/19/2020: Version [v2.274.2](https://github.com/actions/runner/releases/tag/v2.274.2) of the GitHub Actions runner removes support for these commands and has been rolled out across GitHub.
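
To find workflows that will fail once these commands are disabled, a repository can be scanned for the deprecated syntax. The following is an added example, not code from GitHub: it flags `::set-env` and `::add-path` in workflow text and prints the equivalent line using the `$GITHUB_ENV` and `$GITHUB_PATH` environment files described in the linked migration guide. The sample workflow and the function names are constructed for illustration, and only single-line values are handled.

```python
import re

# Deprecated workflow commands named in the announcement. Matching is
# case-insensitive so differently cased uses are flagged as well.
SET_ENV = re.compile(r"::set-env\s+name=(?P<name>[^:\s]+)::(?P<value>[^\"'\n]*)", re.I)
ADD_PATH = re.compile(r"::add-path::(?P<value>[^\"'\n]*)", re.I)

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=JAVA_HOME::/opt/jdk-11"
      - run: echo "::add-path::/opt/jdk-11/bin"
      - run: |
          echo "VERSION=1.2.3" >> "$GITHUB_ENV"
          echo "::SET-ENV name=STAGE::prod"
"""

def find_deprecated(text):
    """Return one finding per deprecated command: line, command, replacement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SET_ENV.finditer(line):
            fix = 'echo "{}={}" >> "$GITHUB_ENV"'.format(m["name"], m["value"].strip())
            findings.append({"line": lineno, "command": "set-env", "replacement": fix})
        for m in ADD_PATH.finditer(line):
            fix = 'echo "{}" >> "$GITHUB_PATH"'.format(m["value"].strip())
            findings.append({"line": lineno, "command": "add-path", "replacement": fix})
    return findings

def would_fail(text):
    """True if the workflow text still uses set-env or add-path."""
    return bool(find_deprecated(text))

if __name__ == "__main__":
    for f in find_deprecated(SAMPLE_WORKFLOW):
        print("line {line}: {command} -> {replacement}".format(**f))
```
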

New npm documentation site

Along with the release of version 7 of the npm CLI, we have updated the npm documentation site to add the documentation for the new release. In addition, we've made a number of user experience improvements to help you find what you're looking for.

  • Improved navigation: each page has site navigation on the left, and navigation of topics within the page on the right.
  • Search: the documentation contents are indexed and searchable at the top of each page.
  • Responsive design: when visiting the documentation site on a mobile device, these navigation elements move into menus.
  • Multiple versions of CLI documentation: documentation is available for both npm CLI v6 and v7; you can choose the version with the version picker dropdown on a CLI documentation page.


To give us feedback, please visit our feedback repository

To see what's next for npm, visit our public roadmap


The Packages NuGet service now normalizes version numbers on publish. An invalid semantic version (e.g. v1.0.0.0.0.0) is not downloadable by NuGet clients, and therefore a NuGet service is expected to normalize those versions (e.g. v1.0.0.0.0.0 -> v1.0.0). Any original, non-normalized version will be available in the verbatimVersion field. No changes to client configurations are required.
