Harden environment lookup

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @shivammathur

.github/SECURITY.md

@@ -10,10 +10,10 @@ This security policy only applies to the latest patch releases of the following
 
 | Version | Supported          |
 |---------|--------------------|
-| 8.1     | :white_check_mark: |
 | 8.2     | :white_check_mark: |
 | 8.3     | :white_check_mark: |
 | 8.4     | :white_check_mark: |
+| 8.5     | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

.github/dependabot.yml

@@ -1,7 +1,11 @@
 version: 2
 updates:
-- package-ecosystem: "github-actions"
-  directory: "/"
-  target-branch: "develop"
-  schedule:
-      interval: "weekly"
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    target-branch: 'develop'
+    schedule:
+      interval: 'weekly'
+    groups:
+      github-actions:
+        patterns:
+          - '*'

.github/workflows/codeql.yml

@@ -16,18 +16,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
         with:
           config-file: ./.github/codeql/codeql-configuration.yml
           languages: javascript
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4

.github/workflows/docs.yml

@@ -20,7 +20,7 @@ jobs:
         php-versions: ['5.3', '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5', '8.6']
     steps:
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
         with:
           php-version: ${{ matrix.php-versions }}
           tools: none
@@ -39,7 +39,7 @@ jobs:
         run: |
           php -m | Out-File -FilePath "$env:file.all" -Append
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
         with:
           php-version: ${{ matrix.php-versions }}
           extensions: none
@@ -88,7 +88,7 @@ jobs:
           Remove-Item "$env:file.all" -Force
           Remove-Item "$env:file.builtin" -Force
       - name: Upload artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: lists-php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md
           path: php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md
@@ -101,11 +101,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: ${{ github.repository }}.wiki
       - name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: ${{ github.workspace }}/lists
           pattern: lists-*

.github/workflows/node.yml

@@ -29,12 +29,12 @@ jobs:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 2
 
       - name: Setup Node.js 24.x
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 24.x
 
@@ -54,7 +54,7 @@ jobs:
         run: npm audit
 
       - name: Send Coverage
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage/lcov.info

.github/workflows/php.yml

@@ -39,18 +39,18 @@ jobs:
       key: cache-v5
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup cache environment
         id: cache-env
-        uses: shivammathur/cache-extensions@develop
+        uses: shivammathur/cache-extensions@256729b5fef535345e27904657f78048c0990f81 # v1
         with:
           php-version: ${{ matrix.php-versions || env.default-php-version }}
           extensions: ${{ env.extensions }}
           key: ${{ env.key }}
 
       - name: Cache extensions
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ${{ steps.cache-env.outputs.dir }}
           key: ${{ steps.cache-env.outputs.key }}

.github/workflows/publish.yml

@@ -20,16 +20,16 @@ jobs:
     steps:
       - name: Checkout release
         if: github.event_name != 'workflow_dispatch'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Checkout tag
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         if: github.event_name == 'workflow_dispatch'
         with:
           ref: ${{ github.event.inputs.tag }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '24.x'
           registry-url: https://registry.npmjs.org
@@ -45,7 +45,7 @@ jobs:
         run: npm publish --access public
 
       - name: Change to GitHub Packages registry
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           registry-url: https://npm.pkg.github.com
           scope: '@shivammathur'

__tests__/utils.test.ts

@@ -11,6 +11,12 @@ describe('Utils tests', () => {
     expect(await utils.readEnv('TEST')).toBe('setup-php');
     expect(await utils.readEnv('test_hyphen')).toBe('setup-php');
     expect(await utils.readEnv('TEST_HYPHEN')).toBe('setup-php');
+    expect(await utils.readEnv('test invalid')).toBe('');
+    process.env['conflict_hyphen'] = 'setup-php';
+    process.env['conflict-hyphen'] = 'wrong';
+    expect(await utils.readEnv('conflict_hyphen')).toBe('setup-php');
+    delete process.env['conflict_hyphen'];
+    delete process.env['conflict-hyphen'];
     expect(await utils.readEnv('undefined')).toBe('');
   });
 

src/utils.ts

@@ -9,16 +9,19 @@ import * as fetch from './fetch';
  * @param property
  */
 export async function readEnv(property: string): Promise<string> {
+  if (!/^[A-Za-z0-9_-]+$/.test(property)) {
+    return '';
+  }
   const property_lc: string = property.toLowerCase();
   const property_uc: string = property.toUpperCase();
-  return (
-    process.env[property] ||
-    process.env[property_lc] ||
-    process.env[property_uc] ||
-    process.env[property_lc.replace('_', '-')] ||
-    process.env[property_uc.replace('_', '-')] ||
-    ''
-  );
+  const candidates = [
+    property,
+    property_lc,
+    property_uc,
+    property_lc.replace('_', '-'),
+    property_uc.replace('_', '-')
+  ].filter((value, index, array) => array.indexOf(value) === index);
+  return candidates.map(name => process.env[name] || '').find(Boolean) || '';
 }
 
 /**