build(deps): bump actions/download-artifact from 4 to 8 #2115

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/download-artifact-8

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Bumps actions/download-artifact from 4 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

New Contributors

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6.0.0

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view
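
The v8 download handling described in the release notes above (Content-Type check before unzipping, `skip-decompress`, and a digest mismatch that fails by default), as an added example that is not code from actions/download-artifact. The `sha256:<hex>` digest format, the `application/zip` media type, the policy names other than `error`, and all function names are assumptions.

```javascript
// Added example, not code from actions/download-artifact.
const crypto = require("node:crypto");

// Assumed policy names; the release notes only state that a mismatch used to
// log a warning and that the default is now "error".
const POLICIES = new Set(["ignore", "warn", "error"]);

// Assumed digest format: "sha256:<hex>".
function digestOf(body) {
  return "sha256:" + crypto.createHash("sha256").update(body).digest("hex");
}

// Unzip only when the server says the body is a zip and the caller has not
// asked for the file as-is (skip-decompress).
function shouldDecompress(contentType, skipDecompress) {
  if (skipDecompress) return false;
  const mediaType = String(contentType || "").split(";")[0].trim().toLowerCase();
  return mediaType === "application/zip"; // assumed media type for zipped artifacts
}

function handleDownload(download, options = {}) {
  const { digestMismatch = "error", skipDecompress = false, log = console.warn } = options;
  if (!POLICIES.has(digestMismatch)) {
    throw new TypeError(`unknown digest-mismatch policy: ${digestMismatch}`);
  }
  const actual = digestOf(download.body);
  const digestOk = actual === String(download.expectedDigest).toLowerCase();
  if (!digestOk) {
    const message = `digest mismatch: expected ${download.expectedDigest}, got ${actual}`;
    if (digestMismatch === "error") throw new Error(message); // fail the workflow run
    if (digestMismatch === "warn") log(message);              // behaviour before v8
  }
  return { digestOk, decompress: shouldDecompress(download.contentType, skipDecompress) };
}

// Constructed sample: a directly uploaded (non-zip) file and a modified copy
// that still carries the digest of the original.
const body = Buffer.from("constructed artifact payload\n");
const good = { body, contentType: "text/plain; charset=utf-8", expectedDigest: digestOf(body) };
const tampered = { ...good, body: Buffer.from("constructed artifact payload, modified\n") };

console.log(handleDownload(good));
console.log(handleDownload(tampered, { digestMismatch: "warn" }));
try {
  handleDownload(tampered); // default policy is "error"
} catch (err) {
  console.log("default policy:", err.message.split(":")[0]);
}
```

Workflows that relied on the old warning-only behaviour will start failing on a mismatch after this bump unless they set `digest-mismatch` explicitly.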

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 7, 2026
@dependabot dependabot Bot requested a review from ryanmaclean as a code owner May 7, 2026 01:44
@github-actions
Contributor

github-actions Bot commented May 7, 2026

PR Analysis 📊

Changed Files Summary:

  • JavaScript/TypeScript files: 0
  • Test files: 0
  • Documentation files: 0
  • Configuration files: 2

CI Status: Running automated checks...

@github-actions
Contributor

github-actions Bot commented May 7, 2026

Build Status ✅ Build successful

✅ Build completed successfully!

@github-actions
Contributor

github-actions Bot commented May 7, 2026

Quick Checks Results

Check Status
ESLint
TypeScript

✅ All quick checks passed!

@github-actions
Contributor

github-actions Bot commented May 7, 2026

Dependency Audit Results

# npm audit report

aws-sdk  >=2.0.1
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 - https://github.com/advisories/GHSA-j965-2qgj-vjmq
fix available via `npm audit fix --force`
Will install aws-sdk@1.18.0, which is a breaking change
node_modules/aws-sdk

basic-ftp  <=5.3.0
Severity: high
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering - https://github.com/advisories/GHSA-rpmf-866q-6p89
fix available via `npm audit fix`
node_modules/basic-ftp

hono  <=4.12.15
Severity: moderate
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests - https://github.com/advisories/GHSA-9vqf-7f2p-gf9v
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection - https://github.com/advisories/GHSA-69xw-7hcm-h432
fix available via `npm audit fix`
node_modules/hono

ip-address  <=10.1.0
Severity: moderate
ip-address has XSS in Address6 HTML-emitting methods - https://github.com/advisories/GHSA-v2v4-37r5-5v8g
fix available via `npm audit fix`
node_modules/ip-address
  express-rate-limit  8.0.1 - 8.5.0
  Depends on vulnerable versions of ip-address
  node_modules/express-rate-limit

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix --force`
Will install next@9.3.3, which is a breaking change
node_modules/next/node_modules/postcss
  next  9.3.4-canary.0 - 16.3.0-canary.5
  Depends on vulnerable versions of postcss
  node_modules/next

7 vulnerabilities (1 low, 5 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@github-actions
Contributor

github-actions Bot commented May 7, 2026

Test Results ✅ Passed

Test Suites: 67 failed, 5 skipped, 480 passed, 547 of 552 total
Tests: 359 failed, 104 skipped, 30 todo, 10623 passed, 11116 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

@github-actions
Contributor

github-actions Bot commented May 7, 2026

PR Status Summary

| Check | Status |
| --- | --- |
| Quick Checks | ✅ Passed |
| Tests | ✅ Passed |
| Build | ✅ Passed |

All checks passed! This PR is ready to merge. 🎉

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from d1e84dd to dc8f7c2 Compare May 8, 2026 15:50
@github-actions
Contributor

github-actions Bot commented May 8, 2026

PR Analysis 📊

Changed Files Summary:

  • JavaScript/TypeScript files: 0
  • Test files: 0
  • Documentation files: 0
  • Configuration files: 2

CI Status: Running automated checks...

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Quick Checks Results

Check Status
ESLint
TypeScript

✅ All quick checks passed!

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Dependency Audit Results

# npm audit report

aws-sdk  >=2.0.1
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 - https://github.com/advisories/GHSA-j965-2qgj-vjmq
fix available via `npm audit fix --force`
Will install aws-sdk@1.18.0, which is a breaking change
node_modules/aws-sdk

basic-ftp  <=5.3.0
Severity: high
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering - https://github.com/advisories/GHSA-rpmf-866q-6p89
fix available via `npm audit fix`
node_modules/basic-ftp

hono  <=4.12.15
Severity: moderate
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests - https://github.com/advisories/GHSA-9vqf-7f2p-gf9v
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection - https://github.com/advisories/GHSA-69xw-7hcm-h432
fix available via `npm audit fix`
node_modules/hono

ip-address  <=10.1.0
Severity: moderate
ip-address has XSS in Address6 HTML-emitting methods - https://github.com/advisories/GHSA-v2v4-37r5-5v8g
fix available via `npm audit fix`
node_modules/ip-address
  express-rate-limit  8.0.1 - 8.5.0
  Depends on vulnerable versions of ip-address
  node_modules/express-rate-limit

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix --force`
Will install next@9.3.3, which is a breaking change
node_modules/next/node_modules/postcss
  next  9.3.4-canary.0 - 16.3.0-canary.5
  Depends on vulnerable versions of postcss
  node_modules/next

7 vulnerabilities (1 low, 5 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Build Status ✅ Build successful

✅ Build completed successfully!

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Test Results ✅ Passed

Test Suites: 78 failed, 5 skipped, 468 passed, 546 of 551 total
Tests: 556 failed, 104 skipped, 42 todo, 10478 passed, 11180 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

@github-actions
Contributor

github-actions Bot commented May 8, 2026

PR Status Summary

| Check | Status |
| --- | --- |
| Quick Checks | ✅ Passed |
| Tests | ✅ Passed |
| Build | ✅ Passed |

All checks passed! This PR is ready to merge. 🎉

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/download-artifact-8 branch from dc8f7c2 to 0dbf2df Compare May 29, 2026 01:21
@github-actions
Contributor

Dependency Audit Results

# npm audit report

@babel/plugin-transform-modules-systemjs  7.12.0 - 7.29.0
Severity: high
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input - https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
fix available via `npm audit fix`
node_modules/@babel/plugin-transform-modules-systemjs

@opentelemetry/auto-instrumentations-node  <=0.74.0
Severity: high
Depends on vulnerable versions of @opentelemetry/sdk-node
Prometheus exporter process crash via malformed HTTP request - https://github.com/advisories/GHSA-q7rr-3cgh-j5r3
fix available via `npm audit fix --force`
Will install @opentelemetry/auto-instrumentations-node@0.76.0, which is a breaking change
node_modules/@opentelemetry/auto-instrumentations-node

@opentelemetry/exporter-prometheus  <0.217.0
Severity: high
Prometheus exporter process crash via malformed HTTP request - https://github.com/advisories/GHSA-q7rr-3cgh-j5r3
fix available via `npm audit fix --force`
Will install @opentelemetry/exporter-prometheus@0.218.0, which is a breaking change
node_modules/@opentelemetry/exporter-prometheus
node_modules/@opentelemetry/sdk-node/node_modules/@opentelemetry/exporter-prometheus
  @opentelemetry/sdk-node  <=0.216.0
  Depends on vulnerable versions of @opentelemetry/exporter-prometheus
  node_modules/@opentelemetry/sdk-node


@protobufjs/utf8  <=1.1.0
Severity: moderate
protobufjs has overlong UTF-8 decoding - https://github.com/advisories/GHSA-q6x5-8v7m-xcrf
fix available via `npm audit fix`
node_modules/@protobufjs/utf8

aws-sdk  >=2.0.1
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 - https://github.com/advisories/GHSA-j965-2qgj-vjmq
fix available via `npm audit fix --force`
Will install aws-sdk@1.18.0, which is a breaking change
node_modules/aws-sdk

basic-ftp  <=5.3.0
Severity: high
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering - https://github.com/advisories/GHSA-rpmf-866q-6p89
fix available via `npm audit fix`
node_modules/basic-ftp

brace-expansion  5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion

fast-uri  <=3.1.1
Severity: high
fast-uri vulnerable to path traversal via percent-encoded dot segments - https://github.com/advisories/GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to host confusion via percent-encoded authority delimiters - https://github.com/advisories/GHSA-v39h-62p7-jpjc
fix available via `npm audit fix`
node_modules/fast-uri

fast-xml-builder  <=1.1.6
Severity: high
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes - https://github.com/advisories/GHSA-5wm8-gmm8-39j9
fast-xml-builder Comment Value regex can be bypassed - https://github.com/advisories/GHSA-45c6-75p6-83cc
fix available via `npm audit fix`
node_modules/fast-xml-builder

ip-address  <=10.1.0
Severity: moderate
ip-address has XSS in Address6 HTML-emitting methods - https://github.com/advisories/GHSA-v2v4-37r5-5v8g
fix available via `npm audit fix`
node_modules/ip-address
  express-rate-limit  8.0.1 - 8.5.0
  Depends on vulnerable versions of ip-address
  node_modules/express-rate-limit

langsmith  <0.6.0
Severity: high
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning - https://github.com/advisories/GHSA-3644-q5cj-c5c7
fix available via `npm audit fix`
node_modules/langsmith

next  9.3.4-canary.0 - 16.3.0-canary.5
Severity: high
Next.js Vulnerable to Denial of Service with Server Components - https://github.com/advisories/GHSA-8h8q-6873-q5fj
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up - https://github.com/advisories/GHSA-26hh-7cqf-hhc6
Next.js's Middleware / Proxy redirects can be cache-poisoned - https://github.com/advisories/GHSA-3g8h-86w9-wvmq
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces - https://github.com/advisories/GHSA-ffhc-5mcf-pf4q
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting - https://github.com/advisories/GHSA-vfv6-92ff-j949
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input - https://github.com/advisories/GHSA-gx5p-jg67-6x7h
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components - https://github.com/advisories/GHSA-mg66-mrh9-m8jx
Next.js has a Denial of Service in the Image Optimization API - https://github.com/advisories/GHSA-h64f-5h5j-jqjh
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades - https://github.com/advisories/GHSA-c4j6-fc7j-m34r
Next.js has a Middleware / Proxy bypass through dynamic route parameter injection - https://github.com/advisories/GHSA-492v-c6pp-mqqv
Next.js vulnerable to cache poisoning in React Server Component responses - https://github.com/advisories/GHSA-wfc6-r584-vfw7
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - https://github.com/advisories/GHSA-267c-6grr-h53f
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n - https://github.com/advisories/GHSA-36qx-fr4f-26g5
Depends on vulnerable versions of postcss
fix available via `npm audit fix --force`
Will install next@16.2.6, which is outside the stated dependency range
node_modules/next

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix --force`
Will install next@16.2.6, which is outside the stated dependency range
node_modules/next/node_modules/postcss

protobufjs  <=7.5.7 || 8.0.0 - 8.1.6-experimental
Severity: high
protobuf.js: Code injection through bytes field defaults in generated toObject code - https://github.com/advisories/GHSA-66ff-xgx4-vchm
protobuf.js: Code injection through bytes field defaults in generated toObject code - https://github.com/advisories/GHSA-66ff-xgx4-vchm
protobuf.js: Denial of service from crafted field names in generated code - https://github.com/advisories/GHSA-2pr8-phx7-x9h3
protobuf.js: Denial of service from crafted field names in generated code - https://github.com/advisories/GHSA-2pr8-phx7-x9h3
protobuf.js: Prototype injection in generated message constructors - https://github.com/advisories/GHSA-fx83-v9x8-x52w
protobuf.js: Prototype injection in generated message constructors - https://github.com/advisories/GHSA-fx83-v9x8-x52w
protobuf.js: Code generation gadget after prototype pollution - https://github.com/advisories/GHSA-75px-5xx7-5xc7
protobuf.js: Code generation gadget after prototype pollution - https://github.com/advisories/GHSA-75px-5xx7-5xc7
protobuf.js: Process-wide denial of service through unsafe option paths - https://github.com/advisories/GHSA-jvwf-75h9-cwgg
protobuf.js: Process-wide denial of service through unsafe option paths - https://github.com/advisories/GHSA-jvwf-75h9-cwgg
protobuf.js: Denial of service through unbounded protobuf recursion - https://github.com/advisories/GHSA-685m-2w69-288q
protobuf.js: Denial of service through unbounded protobuf recursion - https://github.com/advisories/GHSA-685m-2w69-288q
protobufjs has overlong UTF-8 decoding - https://github.com/advisories/GHSA-q6x5-8v7m-xcrf
protobufjs has overlong UTF-8 decoding - https://github.com/advisories/GHSA-q6x5-8v7m-xcrf
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion - https://github.com/advisories/GHSA-jggg-4jg4-v7c6
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion - https://github.com/advisories/GHSA-jggg-4jg4-v7c6
fix available via `npm audit fix`
node_modules/@opentelemetry/otlp-transformer/node_modules/protobufjs
node_modules/protobufjs

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs

tmp  <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix`
node_modules/tmp

ws  8.0.0 - 8.20.0
Severity: moderate
ws: Uninitialized memory disclosure - https://github.com/advisories/GHSA-58qx-3vcg-4xpx
fix available via `npm audit fix --force`
Will install ws@8.21.0, which is outside the stated dependency range
node_modules/engine.io-client/node_modules/ws
node_modules/engine.io/node_modules/ws
node_modules/socket.io-adapter/node_modules/ws
node_modules/ws
  engine.io  0.7.8 - 0.7.9 || 6.0.0 - 6.6.7
  Depends on vulnerable versions of ws
  node_modules/engine.io
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.6.4
  Depends on vulnerable versions of ws
  node_modules/engine.io-client
  socket.io-adapter  2.5.2 - 2.5.6
  Depends on vulnerable versions of ws
  node_modules/socket.io-adapter

22 vulnerabilities (1 low, 10 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@github-actions
Contributor

PR Analysis 📊

Changed Files Summary:

  • JavaScript/TypeScript files: 0
  • Test files: 0
  • Documentation files: 0
  • Configuration files: 2

CI Status: Running automated checks...

@github-actions
Contributor

Build Status ✅ Build successful

✅ Build completed successfully!

@github-actions
Contributor

Quick Checks Results

Check Status
ESLint
TypeScript

✅ All quick checks passed!

@github-actions
Contributor

Test Results ✅ Passed

Test Suites: 69 failed, 5 skipped, 435 passed, 504 of 509 total
Tests: 529 failed, 104 skipped, 21 todo, 10342 passed, 10996 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

@github-actions
Contributor

PR Status Summary

| Check | Status |
| --- | --- |
| Quick Checks | ✅ Passed |
| Tests | ✅ Passed |
| Build | ✅ Passed |

All checks passed! This PR is ready to merge. 🎉
