⬆️ Updates actions/setup-node action to v6 #671

Open
renovate[bot] wants to merge 1 commit into master from renovate/actions-setup-node-6.x

@renovate renovate Bot commented Oct 14, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-node | action | major | v2 → v6 |
| actions/setup-node | action | major | v1 → v6 |
| actions/setup-node | action | major | v2.1.4 → v6.4.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

v6.3.0

Compare Source

What's Changed

Enhancements:

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:
Bug fixes:

New Contributors

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:
Dependency updates:
Documentation update:

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v6

Compare Source

v5

Compare Source

v5.0.0

Compare Source

What's Changed
Breaking Changes

This update introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades
New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

Compare Source

What's Changed
Bug fixes:
Enhancement:
Dependency update:
New Contributors

Full Changelog: actions/setup-node@v4...v4.4.0

v4.3.0

Compare Source

What's Changed
Dependency updates
New Contributors

Full Changelog: actions/setup-node@v4...v4.3.0

v4.2.0

Compare Source

What's Changed
New Contributors

Full Changelog: actions/setup-node@v4...v4.2.0

v4.1.0

Compare Source

What's Changed
  • Resolve High Security Alerts by upgrading Dependencies by @​aparnajyothi-y in #​1132
  • Upgrade IA Publish by @​Jcambass in #​1134
  • Revise isGhes logic by @​jww3 in #​1148
  • Add architecture to cache key by @​pengx17 in #​843
    This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
    Note: This change may break previous cache keys as they will no longer be compatible with the new format.
New Contributors

Full Changelog: actions/setup-node@v4...v4.1.0

v4.0.4

Compare Source

What's Changed
Documentation changes:
New Contributors

Full Changelog: actions/setup-node@v4...v4.0.4

v4.0.3

Compare Source

What's Changed
Bug fixes:
Documentation changes:
Dependency updates:
New Contributors

Full Changelog: actions/setup-node@v4...v4.0.3

v4.0.2

Compare Source

What's Changed
New Contributors

Full Changelog: actions/setup-node@v4.0.1...v4.0.2

v4.0.1

Compare Source

What's Changed
New Contributors

Full Changelog: actions/setup-node@v4...v4.0.1

v4.0.0

Compare Source

What's Changed

In scope of this release we changed version of node runtime for action from node16 to node20 and updated dependencies in #​866

Besides, release contains such changes as:

New Contributors

Full Changelog: actions/setup-node@v3...v4.0.0

v4

Compare Source

v3.9.1

Compare Source

What's Changed

Full Changelog: actions/setup-node@v3...v3.9.1

v3.9.0

Compare Source

What's Changed
  • Upgrade @​actions/cache to 4.0.3 by @​gowridurgad in #​1270
    In scope of this release we updated actions/cache package to ensure continued support and compatibility, as older versions of the package are now deprecated. For more information please refer to the toolkit/cache.

Full Changelog: actions/setup-node@v3...v3.9.0

v3.8.2

Compare Source

What's Changed

Full Changelog: actions/setup-node@v3...v3.8.2

v3.8.1

Compare Source

What's Changed

In scope of this release, the filter was removed within the cache-save step by @​dmitry-shibanov in #​831. It is filtered and checked in the toolkit/cache library.

Full Changelog: actions/setup-node@v3...v3.8.1

v3.8.0

Compare Source

What's Changed

Bug fixes:
Feature implementations:
  • feat: handling the case where "node" is used for tool-versions file. by @​xytis in #​812
Documentation changes:
Update dependencies:

New Contributors

Full Changelog: actions/setup-node@v3...v3.8.0

v3.7.0

Compare Source

What's Changed

In scope of this release we added logic to save an additional cache path for yarn 3 (related pull request and feature request). Moreover, we added functionality to use all the subdirectories derived from the cache-dependency-path input and to detect all dependency directories to cache (related pull request and feature request).

Besides, we made such changes as:

New Contributors

Full Changelog: actions/setup-node@v3...v3.7.0

v3.6.0: Add Support for Nightly, Canary and RC builds for Node.js

Compare Source

In scope of this release we added support to download nightly, rc (#​611) and canary (#​619) Node.js distributions.

For nightly versions:
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-nightly'
      - run: npm ci
      - run: npm test
For canary versions:
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-v8-canary'
      - run: npm ci
      - run: npm test
For rc versions:
jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16.0.0-rc.1'
      - run: npm ci
      - run: npm test

Note: For more examples please refer to documentation.

Besides, we made the following changes:

  • Updated minimatch: #​608
  • Fixed extra newline character in version output when reading from a file: #​625
  • Passed the token input through on GHES: #​595
  • Fixed issue where scoped registries are duplicated in npmrc: #637

v3.5.1: Update @​actions/core and Print Node, Npm, Yarn versions

Compare Source

In scope of this release we updated actions/core to 1.10.0. Moreover, we added logic to print Nodejs, Npm, Yarn versions after installation.

v3.5.0: Add support for engines.node and Volta

Compare Source

In scope of this release we add support for engines.node. The action will be able to grab the version from package.json#engines.node. #485. Moreover, we added support for Volta.

Besides, we updated @​actions/core to 1.9.1 and @​actions/cache to 3.0.4

v3.4.1: Fix pnpm output and node-version output issues

Compare Source

In scope of this release we fixed bugs related to the pnpm 7.5.1 output issue from pnpm store path #​545. Moreover we fixed the issue with falling on node-version output #​540.

v3.4.0: Add support for asdf format and update actions/cache version to 3.0.0

Compare Source

In scope of this release we updated actions/cache package as the new version contains fixes for caching error handling. Moreover, we added support for asdf format as Node.js version file #​373. Besides, we introduced new output node-version and added npm-shrinkwrap.json to dependency file patterns: #​439

v3.3.0: Add support for lts/-n aliases

Compare Source

In scope of this release we added support for lts/-n aliases, improved logic for current, latest and node aliases to handle them from toolcache, and updated the ncc package.

Support of lts/-n aliases
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
  with:
    node-version: lts/-1
- run: npm ci
- run: npm test
Minor improvements
  • Update zeit/ncc to vercel/ncc: #​476
  • Get latest version from cache if exists: #​496

v3.2.0: Add current, node, latest aliases

Compare Source

In scope of this release we added new aliases to install the latest Node.js version. #​483

steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
  with:
    node-version: current
- run: npm ci
- run: npm test

v3.1.1: Update actions/cache version to 2.0.2

Compare Source

In scope of this release we updated actions/cache package as the new version contains fixes related to GHES 3.5 (#​460)

v3.1.0: Add caching support on GHES 3.5

Compare Source

In scope of this release we added support for caching from GHES 3.5 and fixed download issue for files > 2GB during restore. Besides, we updated actions/cache dependency to 2.0.0 version.

v3.0.0

Compare Source

In scope of this release we changed version of the runtime Node.js for the setup-node action and updated package-lock.json file to v2.

Breaking Changes
  • With the update to Node 16 in #​414, all scripts will now be run with Node 16 rather than Node 12.
  • We removed deprecated version input (#​424). Please use node-version input instead.

v3

Compare Source

v2.5.2: Update @​actions/core for v2

Compare Source

In scope of this release we updated actions/core to 1.10.0 and actions/tool-cache to 1.7.2 for v2: #​713

v2.5.1: Fix logic of error handling for npm warning and uncaught exception

Compare Source

In scope of this release we fix logic of error handling related to caching (#​358) and (#​359).

In the previous behaviour we relied on stderr output to throw error. The warning messages from package managers can be written to the stderr's output. For now the action will throw an error only if exit code differs from zero. Besides, we add logic to catch and log unhandled exceptions.

v2.5.0: Adding Node.js version file support

Compare Source

In scope of this release we add the node-version-file input and update actions/cache dependency to the latest version.

Adding Node.js version file support

The new input (node-version-file) provides functionality to specify the path to the file containing Node.js's version with such behaviour:

  • If the file does not exist the action will throw an error.
  • If you specify both node-version and node-version-file inputs, the action will use value from the node-version input and throw the following warning: Both node-version and node-version-file inputs are specified, only node-version will be used.
  • For now the action does not support all of the variety of values for Node.js version files. The action can handle values according to the documentation and values with v prefix (v14)
steps:
  - uses: actions/checkout@v2
  - name: Setup node from node version file
    uses: actions/setup-node@v2
    with:
      node-version-file: '.nvmrc'
  - run: npm install
  - run: npm test

Update actions/cache dependency to 1.0.8 version.

We updated actions/cache dependency to the latest version (1.0.8). For more information please refer to the toolkit/cache.

v2.4.1: Add "cache-hit" output

Compare Source

This release introduces a new output: cache-hit (#​327).

The cache-hit output contains a boolean value indicating that an exact match was found for the key. It shows whether the action uses an already existing cache or not. The output is available only if cache is enabled.

v2.4.0: Support caching for mono repos and repositories with complex structure

Compare Source

This release introduces dependency caching support for mono repos and repositories with complex structure (#​305).

By default, the action searches for the dependency file (package-lock.json or yarn.lock) in the repository root. Use the cache-dependency-path input for cases when multiple dependency files are used, or they are located in different subdirectories. This input supports wildcards or a list of file names for caching multiple dependencies.

Yaml example:

steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
  with:
    node-version: 14
    cache: npm
    cache-dependency-path: 'sub-project/package-lock.json'

For more examples of using cache-dependency-path input, see the Advanced usage guide.

v2.3.2: Revert temporary fix

Compare Source

We had to disable pre-cached Node.js usage in the previous version due to the broken image cache. Now cache is fixed, so we can safely enable its usage again.
Thank you for understanding.

v2.3.1: Temporary maintenance fix.

Compare Source

Temporarily disabled usage of pre-cached Node.js.

v2.3.0: Support caching pnpm dependencies

Compare Source

This release introduces dependency caching support for the pnpm package manager (#​278).

Caching pnpm dependencies:

### This workflow uses actions that are not certified by GitHub.
### They are provided by a third-party and are governed by
### separate terms of service, privacy policy, and support
### documentation.

steps:
- uses: actions/checkout@v2
- uses: pnpm/action-setup@646cdf48217256a3d0b80361c5a50727664284f2
  with:
    version: 6.10.0
- uses: actions/setup-node@v2
  with:
    node-version: '14'
    cache: 'pnpm'
- run: pnpm install
- run: pnpm test

NOTE: pnpm caching support requires pnpm version >= 6.10.0

v2.2.0: Support caching dependencies and LTS aliases

Compare Source

This release brings two major features:

Supported version syntax

The node-version input supports the following syntax:

major versions: 12, 14, 16
more specific versions: 10.15, 14.2.0, 16.3.0
nvm LTS syntax: lts/erbium, lts/fermium, lts/*

Caching dependencies

The action has a built-in functionality for caching and restoring npm/yarn dependencies. Supported package managers are npm, yarn. The cache input is optional, and caching is turned off by default.

Caching npm dependencies:

steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
  with:
    node-version: '14'
    cache: 'npm'
- run: npm install
- run: npm test

Caching yarn dependencies:

steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
  with:
    node-version: '14'
    cache: 'yarn'
- run: yarn install
- run: yarn test

Yarn caching handles both yarn versions: 1 or 2.

At the moment, only lock files in the project root are supported.

v2.1.5: Release

Compare Source

Improve error and warning line number handling (problem matcher regex)

v2.1.4

Compare Source

The first stable release of actions/setup-node V2

v2.1.3: (beta)

Compare Source

  • Add support for specifying architecture of Node.JS

v2.1.2: (beta)

Compare Source

  • Updated communication with runner to use environment files rather than workflow commands

v2.1.1: (beta)

Compare Source

Switch to main branch of node-versions repository to consume latest added versions.

v2.1.0: (beta)

Compare Source

Added check-latest input option to query the versions manifest for latest version before checking for semver match in local VM cache first (the default). That's useful for ensuring you get latest as soon as it's released to the cache but at the cost of perf / reliability (much more likely to incur a download and extract).


Configuration

📅 Schedule: (in timezone Europe/Moscow)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

🏷️ [bumpr]
Next version: v1.14.1
Changes: v1.14.0...AlexRogalskiy:renovate/actions-setup-node-6.x

@github-actions

Thanks for the PR!

This section of the codebase is owned by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

@github-actions github-actions Bot left a comment

Scan Summary

| Tool | Critical | High | Medium | Low | Status |
|---|---|---|---|---|---|
| Secrets Audit | 0 | 426 | 0 | 0 | |

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

@renovate renovate Bot force-pushed the renovate/actions-setup-node-6.x branch from a3f999b to 3bb5b0b Compare December 3, 2025 05:57
@renovate renovate Bot force-pushed the renovate/actions-setup-node-6.x branch from 3bb5b0b to 2e91fe2 Compare January 15, 2026 05:08
@renovate renovate Bot force-pushed the renovate/actions-setup-node-6.x branch from 2e91fe2 to a93913f Compare March 4, 2026 05:08
socket-security Bot commented Mar 4, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 2.5.4

From: package-lock.json → npm/form-data@2.3.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@2.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion

CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: package-lock.json → npm/@semantic-release/release-notes-generator@7.3.5 → npm/handlebars@4.7.7

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm json-schema is vulnerable to Prototype Pollution

CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL)

Affected versions: < 0.4.0

Patched version: 0.4.0

From: package-lock.json → npm/json-schema@0.2.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Prototype Pollution in npm minimist

CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL)

Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4

Patched version: 1.2.6

From: package-lock.json → npm/cz-conventional-changelog@3.3.0 → npm/jest@27.0.0-next.2 → npm/jest-circus@26.6.3 → npm/@semantic-release/release-notes-generator@7.3.5 → npm/minimist@1.2.5

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm npm is 94.0% likely obfuscated

Confidence: 0.94

Location: Package overview

From: package-lock.json → npm/@semantic-release/npm@5.3.5 → npm/npm@6.14.11

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@6.14.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/actions-setup-node-6.x branch from a93913f to 58d23c2 Compare April 19, 2026 10:07
@github-actions github-actions Bot left a comment

Scan Summary

| Tool | Critical | High | Medium | Low | Status |
|---|---|---|---|---|---|
| Secrets Audit | 0 | 427 | 0 | 0 | |

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

@renovate renovate Bot force-pushed the renovate/actions-setup-node-6.x branch from 58d23c2 to c222594 Compare April 20, 2026 04:54