docs: add CI tests badge to README

- Upgraded @actions/core 1.x -> 2.x (removes bundled vulnerable undici)
- Upgraded @actions/github 6.x -> 7.x (ESM-compatible with ncc)
- Upgraded @actions/http-client to ^4.0.1
- Upgraded @typescript-eslint/parser to ^7.x (matches plugin version)
- Upgraded uuid dev dep to ^11.1.1
- Added npm overrides and yarn resolutions to pin undici >= 6.26.0, braces >= 3.0.3, micromatch >= 4.0.8
- Rebuilt dist with updated dependencies

Resolves: undici CVE-2026-1526, CVE-2026-2229, braces CVE-2024-4068, micromatch CVE-2024-4067

README.md

@@ -2,6 +2,7 @@
 
 [![GitHub Release][ico-release]][link-github-release]
 [![License][ico-license]](LICENSE)
+[![Tests][ico-tests]][link-tests]
 
 A Github Action for sending a webhook event any endpoint
 
@@ -15,7 +16,7 @@ Example:
 
 ```yml
 - name: Webhook
-  uses: joelwmale/webhook-action@master
+  uses: joelwmale/webhook-action@v2
   with:
     url: ${{ secrets.WEBHOOK_URL }}
     headers: '{"repository": "joelwmale/webhook-action"}'
@@ -23,19 +24,21 @@ Example:
     github_event_payload: true
 ```
 
-It is **highly** recommended to use the action is an explicit commit SHA-1:
+Pin to a specific version for stability:
 
-`uses = "joelwmale/webhook-action@{SHA-1}"` to find a commit click [here.](https://github.com/joelwmale/webhook-action/commits/master)
+```yml
+uses: joelwmale/webhook-action@v2.4.2
+```
 
 ## Action Input
 
 The action has support for the following input variables (arguments):
 
-* **`url`** (**required**): The url to send the webhook to
-* **`headers`** (**optional**): Any headers you want to be sent with the webhook
-* **`body`** (**optional**): The body of data send with the webhook
-* **`insecure`** (**optional**): Enables calling to known self-signed or invalid SSL certificates
-* **`github_event_payload`** (**optional**): Enables forwarding the Github event payload to your webhook.
+- **`url`** (**required**): The url to send the webhook to
+- **`headers`** (**optional**): Any headers you want to be sent with the webhook
+- **`body`** (**optional**): The body of data send with the webhook
+- **`insecure`** (**optional**): Enables calling to known self-signed or invalid SSL certificates
+- **`github_event_payload`** (**optional**): Enables forwarding the Github event payload to your webhook.
 
 You can find more information on how to use these input variables below.
 
@@ -47,14 +50,14 @@ You can find more information on how to use these input variables below.
 
 The URL to send the webhook to
 
-```yml 
-  url: ${{ secrets.WEBHOOK_URL }}
+```yml
+url: ${{ secrets.WEBHOOK_URL }}
 ```
 
 or
 
-```yml 
-  url: https://webhook.site/8b1b1b1b-8b1b-8b1b-8b1b-8b1b1b1b1b1b
+```yml
+url: https://webhook.site/8b1b1b1b-8b1b-8b1b-8b1b-8b1b1b1b1b1b
 ```
 
 #### Headers
@@ -63,8 +66,8 @@ or
 
 Allows you to send custom headers with the request
 
-```yml 
-  headers: '{"repository": "joelwmale/webhook-action"}'
+```yml
+headers: '{"repository": "joelwmale/webhook-action"}'
 ```
 
 #### Body
@@ -74,8 +77,8 @@ Allows you to send custom headers with the request
 
 Allows you to send a custom JSON object to the webhook
 
-```yml 
-  body: '{"event": "deployment", "repository": "joelwmale/webhook-action"}'
+```yml
+body: '{"event": "deployment", "repository": "joelwmale/webhook-action"}'
 ```
 
 #### Insecure
@@ -85,8 +88,8 @@ Allows you to send a custom JSON object to the webhook
 
 Allows you to send a webhook to a known self-signed or invalid SSL certificate
 
-```yml 
-  insecure: true
+```yml
+insecure: true
 ```
 
 #### Github Event Payload
@@ -98,8 +101,8 @@ Allows you to send the Github event payload to your webhook
 
 The payload will be sent as a JSON object under the key `githubEventPayload` on the root of the payload sent to your webhook
 
-```yml 
-  github_event_payload: true
+```yml
+github_event_payload: true
 ```
 
 ## Issues
@@ -112,4 +115,6 @@ The MIT License (MIT). Please see [License File](LICENSE) for more information.
 
 [ico-release]: https://img.shields.io/github/tag/joelwmale/webhook-action.svg
 [ico-license]: https://img.shields.io/badge/license-MIT-brightgreen.svg
-[link-github-release]: https://github.com/joelwmale/webhook-action/releases
+[ico-tests]: https://github.com/joelwmale/webhook-action/actions/workflows/tests.yml/badge.svg
+[link-github-release]: https://github.com/joelwmale/webhook-action/releases
+[link-tests]: https://github.com/joelwmale/webhook-action/actions/workflows/tests.yml

dist/101.index.js

@@ -0,0 +1,451 @@
+"use strict";
+exports.id = 101;
+exports.ids = [101];
+exports.modules = {
+
+/***/ 9101:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   toFormData: () => (/* binding */ toFormData)
+/* harmony export */ });
+/* harmony import */ var fetch_blob_from_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(9802);
+/* harmony import */ var formdata_polyfill_esm_min_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3018);
+
+
+
+let s = 0;
+const S = {
+	START_BOUNDARY: s++,
+	HEADER_FIELD_START: s++,
+	HEADER_FIELD: s++,
+	HEADER_VALUE_START: s++,
+	HEADER_VALUE: s++,
+	HEADER_VALUE_ALMOST_DONE: s++,
+	HEADERS_ALMOST_DONE: s++,
+	PART_DATA_START: s++,
+	PART_DATA: s++,
+	END: s++
+};
+
+let f = 1;
+const F = {
+	PART_BOUNDARY: f,
+	LAST_BOUNDARY: f *= 2
+};
+
+const LF = 10;
+const CR = 13;
+const SPACE = 32;
+const HYPHEN = 45;
+const COLON = 58;
+const A = 97;
+const Z = 122;
+
+const lower = c => c | 0x20;
+
+const noop = () => {};
+
+class MultipartParser {
+	/**
+	 * @param {string} boundary
+	 */
+	constructor(boundary) {
+		this.index = 0;
+		this.flags = 0;
+
+		this.onHeaderEnd = noop;
+		this.onHeaderField = noop;
+		this.onHeadersEnd = noop;
+		this.onHeaderValue = noop;
+		this.onPartBegin = noop;
+		this.onPartData = noop;
+		this.onPartEnd = noop;
+
+		this.boundaryChars = {};
+
+		boundary = '\r\n--' + boundary;
+		const ui8a = new Uint8Array(boundary.length);
+		for (let i = 0; i < boundary.length; i++) {
+			ui8a[i] = boundary.charCodeAt(i);
+			this.boundaryChars[ui8a[i]] = true;
+		}
+
+		this.boundary = ui8a;
+		this.lookbehind = new Uint8Array(this.boundary.length + 8);
+		this.state = S.START_BOUNDARY;
+	}
+
+	/**
+	 * @param {Uint8Array} data
+	 */
+	write(data) {
+		let i = 0;
+		const length_ = data.length;
+		let previousIndex = this.index;
+		let {lookbehind, boundary, boundaryChars, index, state, flags} = this;
+		const boundaryLength = this.boundary.length;
+		const boundaryEnd = boundaryLength - 1;
+		const bufferLength = data.length;
+		let c;
+		let cl;
+
+		const mark = name => {
+			this[name + 'Mark'] = i;
+		};
+
+		const clear = name => {
+			delete this[name + 'Mark'];
+		};
+
+		const callback = (callbackSymbol, start, end, ui8a) => {
+			if (start === undefined || start !== end) {
+				this[callbackSymbol](ui8a && ui8a.subarray(start, end));
+			}
+		};
+
+		const dataCallback = (name, clear) => {
+			const markSymbol = name + 'Mark';
+			if (!(markSymbol in this)) {
+				return;
+			}
+
+			if (clear) {
+				callback(name, this[markSymbol], i, data);
+				delete this[markSymbol];
+			} else {
+				callback(name, this[markSymbol], data.length, data);
+				this[markSymbol] = 0;
+			}
+		};
+
+		for (i = 0; i < length_; i++) {
+			c = data[i];
+
+			switch (state) {
+				case S.START_BOUNDARY:
+					if (index === boundary.length - 2) {
+						if (c === HYPHEN) {
+							flags |= F.LAST_BOUNDARY;
+						} else if (c !== CR) {
+							return;
+						}
+
+						index++;
+						break;
+					} else if (index - 1 === boundary.length - 2) {
+						if (flags & F.LAST_BOUNDARY && c === HYPHEN) {
+							state = S.END;
+							flags = 0;
+						} else if (!(flags & F.LAST_BOUNDARY) && c === LF) {
+							index = 0;
+							callback('onPartBegin');
+							state = S.HEADER_FIELD_START;
+						} else {
+							return;
+						}
+
+						break;
+					}
+
+					if (c !== boundary[index + 2]) {
+						index = -2;
+					}
+
+					if (c === boundary[index + 2]) {
+						index++;
+					}
+
+					break;
+				case S.HEADER_FIELD_START:
+					state = S.HEADER_FIELD;
+					mark('onHeaderField');
+					index = 0;
+					// falls through
+				case S.HEADER_FIELD:
+					if (c === CR) {
+						clear('onHeaderField');
+						state = S.HEADERS_ALMOST_DONE;
+						break;
+					}
+
+					index++;
+					if (c === HYPHEN) {
+						break;
+					}
+
+					if (c === COLON) {
+						if (index === 1) {
+							// empty header field
+							return;
+						}
+
+						dataCallback('onHeaderField', true);
+						state = S.HEADER_VALUE_START;
+						break;
+					}
+
+					cl = lower(c);
+					if (cl < A || cl > Z) {
+						return;
+					}
+
+					break;
+				case S.HEADER_VALUE_START:
+					if (c === SPACE) {
+						break;
+					}
+
+					mark('onHeaderValue');
+					state = S.HEADER_VALUE;
+					// falls through
+				case S.HEADER_VALUE:
+					if (c === CR) {
+						dataCallback('onHeaderValue', true);
+						callback('onHeaderEnd');
+						state = S.HEADER_VALUE_ALMOST_DONE;
+					}
+
+					break;
+				case S.HEADER_VALUE_ALMOST_DONE:
+					if (c !== LF) {
+						return;
+					}
+
+					state = S.HEADER_FIELD_START;
+					break;
+				case S.HEADERS_ALMOST_DONE:
+					if (c !== LF) {
+						return;
+					}
+
+					callback('onHeadersEnd');
+					state = S.PART_DATA_START;
+					break;
+				case S.PART_DATA_START:
+					state = S.PART_DATA;
+					mark('onPartData');
+					// falls through
+				case S.PART_DATA:
+					previousIndex = index;
+
+					if (index === 0) {
+						// boyer-moore derrived algorithm to safely skip non-boundary data
+						i += boundaryEnd;
+						while (i < bufferLength && !(data[i] in boundaryChars)) {
+							i += boundaryLength;
+						}
+
+						i -= boundaryEnd;
+						c = data[i];
+					}
+
+					if (index < boundary.length) {
+						if (boundary[index] === c) {
+							if (index === 0) {
+								dataCallback('onPartData', true);
+							}
+
+							index++;
+						} else {
+							index = 0;
+						}
+					} else if (index === boundary.length) {
+						index++;
+						if (c === CR) {
+							// CR = part boundary
+							flags |= F.PART_BOUNDARY;
+						} else if (c === HYPHEN) {
+							// HYPHEN = end boundary
+							flags |= F.LAST_BOUNDARY;
+						} else {
+							index = 0;
+						}
+					} else if (index - 1 === boundary.length) {
+						if (flags & F.PART_BOUNDARY) {
+							index = 0;
+							if (c === LF) {
+								// unset the PART_BOUNDARY flag
+								flags &= ~F.PART_BOUNDARY;
+								callback('onPartEnd');
+								callback('onPartBegin');
+								state = S.HEADER_FIELD_START;
+								break;
+							}
+						} else if (flags & F.LAST_BOUNDARY) {
+							if (c === HYPHEN) {
+								callback('onPartEnd');
+								state = S.END;
+								flags = 0;
+							} else {
+								index = 0;
+							}
+						} else {
+							index = 0;
+						}
+					}
+
+					if (index > 0) {
+						// when matching a possible boundary, keep a lookbehind reference
+						// in case it turns out to be a false lead
+						lookbehind[index - 1] = c;
+					} else if (previousIndex > 0) {
+						// if our boundary turned out to be rubbish, the captured lookbehind
+						// belongs to partData
+						const _lookbehind = new Uint8Array(lookbehind.buffer, lookbehind.byteOffset, lookbehind.byteLength);
+						callback('onPartData', 0, previousIndex, _lookbehind);
+						previousIndex = 0;
+						mark('onPartData');
+
+						// reconsider the current character even so it interrupted the sequence
+						// it could be the beginning of a new sequence
+						i--;
+					}
+
+					break;
+				case S.END:
+					break;
+				default:
+					throw new Error(`Unexpected state entered: ${state}`);
+			}
+		}
+
+		dataCallback('onHeaderField');
+		dataCallback('onHeaderValue');
+		dataCallback('onPartData');
+
+		// Update properties for the next call
+		this.index = index;
+		this.state = state;
+		this.flags = flags;
+	}
+
+	end() {
+		if ((this.state === S.HEADER_FIELD_START && this.index === 0) ||
+			(this.state === S.PART_DATA && this.index === this.boundary.length)) {
+			this.onPartEnd();
+		} else if (this.state !== S.END) {
+			throw new Error('MultipartParser.end(): stream ended unexpectedly');
+		}
+	}
+}
+
+function _fileName(headerValue) {
+	// matches either a quoted-string or a token (RFC 2616 section 19.5.1)
+	const m = headerValue.match(/\bfilename=("(.*?)"|([^()<>@,;:\\"/[\]?={}\s\t]+))($|;\s)/i);
+	if (!m) {
+		return;
+	}
+
+	const match = m[2] || m[3] || '';
+	let filename = match.slice(match.lastIndexOf('\\') + 1);
+	filename = filename.replace(/%22/g, '"');
+	filename = filename.replace(/&#(\d{4});/g, (m, code) => {
+		return String.fromCharCode(code);
+	});
+	return filename;
+}
+
+async function toFormData(Body, ct) {
+	if (!/multipart/i.test(ct)) {
+		throw new TypeError('Failed to fetch');
+	}
+
+	const m = ct.match(/boundary=(?:"([^"]+)"|([^;]+))/i);
+
+	if (!m) {
+		throw new TypeError('no or bad content-type header, no multipart boundary');
+	}
+
+	const parser = new MultipartParser(m[1] || m[2]);
+
+	let headerField;
+	let headerValue;
+	let entryValue;
+	let entryName;
+	let contentType;
+	let filename;
+	const entryChunks = [];
+	const formData = new formdata_polyfill_esm_min_js__WEBPACK_IMPORTED_MODULE_1__/* .FormData */ .fS();
+
+	const onPartData = ui8a => {
+		entryValue += decoder.decode(ui8a, {stream: true});
+	};
+
+	const appendToFile = ui8a => {
+		entryChunks.push(ui8a);
+	};
+
+	const appendFileToFormData = () => {
+		const file = new fetch_blob_from_js__WEBPACK_IMPORTED_MODULE_0__/* .File */ .ZH(entryChunks, filename, {type: contentType});
+		formData.append(entryName, file);
+	};
+
+	const appendEntryToFormData = () => {
+		formData.append(entryName, entryValue);
+	};
+
+	const decoder = new TextDecoder('utf-8');
+	decoder.decode();
+
+	parser.onPartBegin = function () {
+		parser.onPartData = onPartData;
+		parser.onPartEnd = appendEntryToFormData;
+
+		headerField = '';
+		headerValue = '';
+		entryValue = '';
+		entryName = '';
+		contentType = '';
+		filename = null;
+		entryChunks.length = 0;
+	};
+
+	parser.onHeaderField = function (ui8a) {
+		headerField += decoder.decode(ui8a, {stream: true});
+	};
+
+	parser.onHeaderValue = function (ui8a) {
+		headerValue += decoder.decode(ui8a, {stream: true});
+	};
+
+	parser.onHeaderEnd = function () {
+		headerValue += decoder.decode();
+		headerField = headerField.toLowerCase();
+
+		if (headerField === 'content-disposition') {
+			// matches either a quoted-string or a token (RFC 2616 section 19.5.1)
+			const m = headerValue.match(/\bname=("([^"]*)"|([^()<>@,;:\\"/[\]?={}\s\t]+))/i);
+
+			if (m) {
+				entryName = m[2] || m[3] || '';
+			}
+
+			filename = _fileName(headerValue);
+
+			if (filename) {
+				parser.onPartData = appendToFile;
+				parser.onPartEnd = appendFileToFormData;
+			}
+		} else if (headerField === 'content-type') {
+			contentType = headerValue;
+		}
+
+		headerValue = '';
+		headerField = '';
+	};
+
+	for await (const chunk of Body) {
+		parser.write(chunk);
+	}
+
+	parser.end();
+
+	return formData;
+}
+
+
+/***/ })
+
+};
+;

package.json

@@ -1,51 +1,60 @@
 {
-    "name": "webhook-action",
-    "version": "2.4.1",
-    "description": "Github Webhook Action",
-    "main": "dist/main.js",
-    "scripts": {
-        "build": "tsc && ncc build --license licenses.txt",
-        "format": "prettier --write '**/*.ts'",
-        "format-check": "prettier --check '**/*.ts'",
-        "lint": "eslint src/**/*.ts",
-        "test": "jest",
-        "all": "npm run format && npm run lint && npm run test&& npm run build"
-    },
-    "repository": {
-        "type": "git",
-        "url": "git+https://github.com/joelwmale/webhook-action.git"
-    },
-    "keywords": [
-        "github",
-        "actions",
-        "node",
-        "webhook",
-        "action"
-    ],
-    "author": "Joel Male",
-    "license": "MIT",
-    "dependencies": {
-        "@actions/core": "^1.10.1",
-        "@actions/github": "^6.0.0",
-        "@vercel/ncc": "^0.38.1",
-        "node-fetch": "^3.3.2"
-    },
-    "devDependencies": {
-        "@babel/preset-env": "^7.20.2",
-        "@types/node": "^18.19.26",
-        "@typescript-eslint/eslint-plugin": "^7.4.0",
-        "@typescript-eslint/parser": "^5.62.0",
-        "babel-jest": "^29.3.1",
-        "eslint": "^8.57.0",
-        "eslint-plugin-github": "^4.10.2",
-        "eslint-plugin-jest": "^27.9.0",
-        "https": "^1.0.0",
-        "jest": "^29.7.0",
-        "js-yaml": "^4.1.0",
-        "prettier": "3.2.5",
-        "semver": "^7.6.0",
-        "ts-jest": "^29.0.3",
-        "typescript": "^5.4.3",
-        "uuid": "^9.0.0"
-    }
+  "name": "webhook-action",
+  "version": "2.4.2",
+  "description": "Github Webhook Action",
+  "main": "dist/main.js",
+  "scripts": {
+    "build": "tsc && ncc build --license licenses.txt",
+    "format": "prettier --write '**/*.ts'",
+    "format-check": "prettier --check '**/*.ts'",
+    "lint": "eslint src/**/*.ts",
+    "test": "jest",
+    "all": "npm run format && npm run lint && npm run test&& npm run build"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/joelwmale/webhook-action.git"
+  },
+  "keywords": [
+    "github",
+    "actions",
+    "node",
+    "webhook",
+    "action"
+  ],
+  "author": "Joel Male",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/core": "^2.0.3",
+    "@actions/github": "^7.0.0",
+    "@actions/http-client": "^4.0.1",
+    "@vercel/ncc": "^0.38.4",
+    "node-fetch": "^3.3.2"
+  },
+  "devDependencies": {
+    "@babel/preset-env": "^7.20.2",
+    "@types/node": "^18.19.26",
+    "@typescript-eslint/eslint-plugin": "^7.4.0",
+    "@typescript-eslint/parser": "^7.18.0",
+    "babel-jest": "^29.3.1",
+    "eslint": "^8.57.0",
+    "eslint-plugin-github": "^4.10.2",
+    "eslint-plugin-jest": "^27.9.0",
+    "https": "^1.0.0",
+    "jest": "^29.7.0",
+    "js-yaml": "^4.1.0",
+    "prettier": "3.2.5",
+    "semver": "^7.6.0",
+    "ts-jest": "^29.0.3",
+    "typescript": "^5.4.3",
+    "uuid": "^11.1.1"
+  },
+  "overrides": {
+    "undici": "^6.26.0"
+  },
+  "resolutions": {
+    "undici": "^6.26.0",
+    "braces": "^3.0.3",
+    "micromatch": "^4.0.8"
+  }
 }