dependabot[bot] opened a new pull request, #38757: URL: https://github.com/apache/beam/pull/38757
Bumps [nanasess/setup-chromedriver](https://github.com/nanasess/setup-chromedriver) from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/nanasess/setup-chromedriver/releases">nanasess/setup-chromedriver's releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h2>Highlights</h2>
<p><code>v3.0.0</code> is a major release that rewrites the action from the ground up. The installation logic is now implemented <strong>natively in TypeScript</strong> — the legacy shell/PowerShell scripts are no longer on the execution path — and the build toolchain has been hardened against supply-chain attacks.</p>
<h3>Native TypeScript rewrite (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/446">#446</a>)</h3>
<p>The Bash (<code>setup-chromedriver.sh</code>) and PowerShell (<code>setup-chromedriver.ps1</code>) installers have been replaced by a native TypeScript implementation, split into focused modules under <code>src/installer/</code>:</p>
<ul>
<li><code>http.ts</code> — <code>fetchText</code> / <code>fetchJson</code> with curl-like retry/redirect handling</li>
<li><code>download.ts</code> — ZIP download &amp; extraction via <code>@actions/tool-cache</code></li>
<li><code>version.ts</code> — Chrome version detection + Chrome-for-Testing JSON resolution with fallback</li>
<li><code>unix.ts</code> / <code>windows.ts</code> — platform-specific install (legacy <code>&lt; 115</code> / modern split)</li>
</ul>
<p><strong>Behavioral parity is preserved</strong>: install locations (<code>/usr/local/bin/chromedriver</code>, <code>C:\SeleniumWebDrivers\ChromeDriver</code>) are unchanged, and PATH resolution via the well-known install directory continues to work without an explicit <code>core.addPath</code>. The legacy shell scripts are retained for one release cycle as an emergency rollback option.</p>
<h3>Supply-chain hardening</h3>
<ul>
<li><strong>Migrated from yarn to pnpm</strong> (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/456">#456</a>) — install-time build scripts are blocked by default (<code>allowBuilds</code>), and freshly published versions are held back by a cooldown (<code>minimumReleaseAge</code>).</li>
<li><strong>All external actions in CI workflows are now pinned to a full commit SHA</strong> (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/450">#450</a>).</li>
</ul>
<h3>ESM migration (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/458">#458</a>, <a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/439">#439</a>)</h3>
<ul>
<li>The codebase moved from CommonJS to <strong>ESM</strong>, and <code>@actions/tool-cache</code> was upgraded from 2.x to <strong>4.x</strong>.</li>
</ul>
<h3>Security fixes</h3>
<ul>
<li>Fixed a command-injection vector in Windows version detection (env-passing).</li>
<li>Fixed cross-drive move failure (<code>EXDEV</code>) on Windows via <code>io.cp</code>.</li>
<li>Added retry-with-backoff to downloads.</li>
<li>Overrode <code>qs</code> to 6.15.2 to resolve a DoS advisory (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/457">#457</a>, <a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/444">#444</a>).</li>
</ul>
<h3>Testing</h3>
<ul>
<li>Container-compatibility tests are now a permanent PR gate (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/453">#453</a>).</li>
<li>Added install/smoke tests for legacy ChromeDriver (<code>&lt; 115</code>) (<a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/454">#454</a>).</li>
</ul>
<hr />
<h2>Breaking Changes</h2>
<ul>
<li>The action is now a <strong>native TypeScript / ESM</strong> implementation.
The shell/PowerShell scripts are no longer executed (kept only for one-cycle rollback).</li>
<li>Build/contribution workflow now requires <strong>pnpm</strong> (<code>corepack enable</code>) instead of yarn.</li>
</ul>
<blockquote>
<p><strong>Note:</strong> The Node 24 runtime migration shipped in <code>v2.4.0</code>; there is no runtime change in <code>v3.0.0</code>.</p>
</blockquote>
<h2>Migration</h2>
<p>Update your workflow reference to <code>@v3</code>. SHA pinning is recommended:</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/e913548694400f275b4070efcd90f47dbbc8914c"><code>e913548</code></a> Merge pull request <a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/460">#460</a> from nanasess/feature/release-v3</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/8d115864e0f9ea5fb65d5899eb63c9c29e11cd09"><code>8d11586</code></a> chore: remove unneeded version field from package.json</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/38db136ea1c8c72ce9be0a822ede1ea3e66670e3"><code>38db136</code></a> Merge pull request <a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/458">#458</a> from nanasess/feature/bump-tools-cache</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/359dcf4bcdad3b43e9359658ed65d870fba72900"><code>359dcf4</code></a> fix: switch to a cross-platform test script that also works on Windows</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/ba85371ac543896c613d909002acf11bac4576e1"><code>ba85371</code></a> Merge remote-tracking branch 'origin/master' into feature/bump-tools-cache</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/00fdb572942964279e2ba0bddd21bead46ef520e"><code>00fdb57</code></a> fix: correct the ESM subpath import in the selenium integration test</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/f6b8cbe13309597107d2b267800bdbfb6ecd9674"><code>f6b8cbe</code></a> Merge pull request <a href="https://redirect.github.com/nanasess/setup-chromedriver/issues/457">#457</a> from nanasess/security/qs-6.15.2</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/249deb4f43d3315275f8dbd3937c04078c0704dd"><code>249deb4</code></a> style: apply prettier to all TypeScript files</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/5daf33a6f89a48623a6bfd783ead3f787b1e0195"><code>5daf33a</code></a> build: migrate to ESM and update <code>@actions/tool-cache</code> to 4.x</li>
<li><a href="https://github.com/nanasess/setup-chromedriver/commit/23ce89d00cf3468bdaea7b9ede9a6de6db711285"><code>23ce89d</code></a> fix(security): override qs to 6.15.2 to fix a DoS vulnerability</li>
<li>Additional commits viewable in <a href="https://github.com/nanasess/setup-chromedriver/compare/v2...v3">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
