meta: bump actions/download-artifact from 7.0.0 to 8.0.0 by dependabot[bot] · Pull Request #62063 · nodejs/node

dependabot · 2026-03-01T18:33:24Z

Bumps actions/download-artifact from 7.0.0 to 8.0.0.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Don't attempt to un-zip non-zipped downloads by @danwkennedy in actions/download-artifact#460

Add a setting to specify what to do on hash mismatch and default it to error by @danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
f258da9 Add change docs
ccc058e Fix linting issues
bd7976b Add a setting to specify what to do on hash mismatch and default it to error
ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
15999bf Add note about package bumps
974686e Bump the version to v8 and add release notes
fbe48b1 Update test names to make it clearer what they do
96bf374 One more test fix
b8c4819 Fix skip decompress test
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@37930b1...70fc10c) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

nodejs-github-bot · 2026-03-01T18:33:29Z

Review requested:

@nodejs/actions

nodejs-github-bot · 2026-03-03T19:15:56Z

Commit Queue failed

- Loading data for nodejs/node/pull/62063
✔  Done loading data for nodejs/node/pull/62063
----------------------------------- PR info ------------------------------------
Title      meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (#62063)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     undefined:dependabot/github_actions/actions/download-artifact-8.0.0 -> nodejs:main
Labels     meta, author ready, dependencies, github_actions
Commits    1
 - meta: bump actions/download-artifact from 7.0.0 to 8.0.0
Committers 1
 - GitHub <noreply@github.com>
PR-URL: https://github.com/nodejs/node/pull/62063
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/62063
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Sun, 01 Mar 2026 18:33:24 GMT
   ✔  Approvals: 2
   ✔  - Luigi Pinca (@lpinca): https://github.com/nodejs/node/pull/62063#pullrequestreview-3873353873
   ✔  - Colin Ihrig (@cjihrig): https://github.com/nodejs/node/pull/62063#pullrequestreview-3876133383
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
--------------------------------------------------------------------------------
   ✔  No git cherry-pick in progress
   ✔  No git am in progress
   ✔  No git rebase in progress
--------------------------------------------------------------------------------
- Bringing origin/main up to date...
remote: Internal Server Error
fatal: unable to access 'https://github.com/nodejs/node/': The requested URL returned error: 500

https://github.com/nodejs/node/actions/runs/22638652214

nodejs-github-bot · 2026-03-08T16:25:30Z

Landed in 2a01d92

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@37930b1...70fc10c) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62063 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>

This MR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | patch | `25.8.0` → `25.8.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v25.8.1`](https://github.com/nodejs/node/releases/tag/v25.8.1): 2026-03-11, Version 25.8.1 (Current), @aduh95 [Compare Source](nodejs/node@v25.8.0...v25.8.1) ##### Notable Changes - \[[`ea87eea71a`](nodejs/node@ea87eea71a)] - **module**: fix extensionless CJS files in `"type": "module"` packages (Matteo Collina) [#62083](nodejs/node#62083) ##### Commits - \[[`bab750d1b3`](nodejs/node@bab750d1b3)] - **build**: do not depend on V8 deps on `--without-bundled-v8` builds (Antoine du Hamel) [#62033](nodejs/node#62033) - \[[`b26d1c7fcb`](nodejs/node@b26d1c7fcb)] - **crypto**: make --use-system-ca per-env rather than per-process (Aditi) [#60678](nodejs/node#60678) - \[[`e362635abf`](nodejs/node@e362635abf)] - **crypto**: add missing AES dictionaries (Filip Skokan) [#62099](nodejs/node#62099) - \[[`6f975db8af`](nodejs/node@6f975db8af)] - **crypto**: fix importKey required argument count check (Filip Skokan) [#62099](nodejs/node#62099) - \[[`3beaf9c5fc`](nodejs/node@3beaf9c5fc)] - **deps**: update amaro to 1.1.8 (Node.js GitHub Bot) [#62151](nodejs/node#62151) - \[[`53afb0edd8`](nodejs/node@53afb0edd8)] - **deps**: update sqlite to 3.52.0 (Node.js GitHub Bot) [#62150](nodejs/node#62150) - \[[`a13ed052a1`](nodejs/node@a13ed052a1)] - **deps**: update merve to 1.2.0 (Node.js GitHub Bot) [#62149](nodejs/node#62149) - \[[`2c850577b7`](nodejs/node@2c850577b7)] - **deps**: patch resb crate (Richard Lau) [#62138](nodejs/node#62138) - \[[`37862a6728`](nodejs/node@37862a6728)] - **deps**: V8: cherry-pick [`aa0b288`](nodejs/node@aa0b288f87cc) (Richard Lau) [#62136](nodejs/node#62136) - \[[`09191ad8b4`](nodejs/node@09191ad8b4)] - **deps**: update ada to 3.4.3 (Node.js GitHub Bot) [#62049](nodejs/node#62049) - \[[`8d63a178fd`](nodejs/node@8d63a178fd)] - **doc**: copyedit `addons.md` (Antoine du Hamel) [#62071](nodejs/node#62071) - \[[`83719ffb64`](nodejs/node@83719ffb64)] - **doc**: correct `util.convertProcessSignalToExitCode` validation behavior (René) [#62134](nodejs/node#62134) - \[[`eeee7c7fb1`](nodejs/node@eeee7c7fb1)] - **doc**: add efekrskl as triager (Efe) [#61876](nodejs/node#61876) - \[[`db150b2e69`](nodejs/node@db150b2e69)] - **doc**: fix markdown for `expectFailure` values (Jacob Smith) [#62100](nodejs/node#62100) - \[[`d55a441e60`](nodejs/node@d55a441e60)] - **doc**: add title to index (Aviv Keller) [#62046](nodejs/node#62046) - \[[`cc46204b48`](nodejs/node@cc46204b48)] - **doc**: include url.resolve() in DEP0169 application deprecation (Mike McCready) [#62002](nodejs/node#62002) - \[[`1d91a7261e`](nodejs/node@1d91a7261e)] - **doc,module**: add missing doc for syncHooks.deregister() (Joyee Cheung) [#61959](nodejs/node#61959) - \[[`5198573bee`](nodejs/node@5198573bee)] - **http**: fix use-after-free when freeParser is called during llhttp\_execute (Gerhard Stöbich) [#62095](nodejs/node#62095) - \[[`f8793f80df`](nodejs/node@f8793f80df)] - **lib**: fix source map url parse in dynamic imports (Chengzhong Wu) [#61990](nodejs/node#61990) - \[[`5439d0e0cf`](nodejs/node@5439d0e0cf)] - **meta**: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot\[bot]) [#62063](nodejs/node#62063) - \[[`27fd21943a`](nodejs/node@27fd21943a)] - **meta**: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot\[bot]) [#62062](nodejs/node#62062) - \[[`5b266f3295`](nodejs/node@5b266f3295)] - **meta**: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot\[bot]) [#62064](nodejs/node#62064) - \[[`ea87eea71a`](nodejs/node@ea87eea71a)] - **module**: fix extensionless CJS files in `"type": "module"` packages (Matteo Collina) [#62083](nodejs/node#62083) - \[[`851228cd60`](nodejs/node@851228cd60)] - **sqlite**: handle stmt invalidation (Guilherme Araújo) [#61877](nodejs/node#61877) - \[[`19efe60548`](nodejs/node@19efe60548)] - **src**: expose async context frame debugging helper to JS (Anna Henningsen) [#62103](nodejs/node#62103) - \[[`0257e8072f`](nodejs/node@0257e8072f)] - **src**: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) [#62103](nodejs/node#62103) - \[[`975dafbe3b`](nodejs/node@975dafbe3b)] - **src**: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) [#61995](nodejs/node#61995) - \[[`f2c08c7888`](nodejs/node@f2c08c7888)] - **src**: use validate\_ascii\_with\_errors instead of validate\_ascii (Сковорода Никита Андреевич) [#61122](nodejs/node#61122) - \[[`0278461d83`](nodejs/node@0278461d83)] - **stream**: optimize webstreams pipeTo (Mattias Buelens) [#62079](nodejs/node#62079) - \[[`4d62e95bfa`](nodejs/node@4d62e95bfa)] - **stream**: fix brotli error handling in web compression streams (Filip Skokan) [#62107](nodejs/node#62107) - \[[`4bdcaf2865`](nodejs/node@4bdcaf2865)] - **stream**: improve Web Compression spec compliance (Filip Skokan) [#62107](nodejs/node#62107) - \[[`a5b1be2045`](nodejs/node@a5b1be2045)] - **stream**: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) [#61745](nodejs/node#61745) - \[[`5632446c4e`](nodejs/node@5632446c4e)] - **stream**: fix TransformStream race on cancel with pending write (Marco) [#62040](nodejs/node#62040) - \[[`f90fa9cd1a`](nodejs/node@f90fa9cd1a)] - **stream**: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) [#61913](nodejs/node#61913) - \[[`00319eaa3a`](nodejs/node@00319eaa3a)] - **test**: update WPT for url to [`c928b19`](nodejs/node@c928b19ab0) (Node.js GitHub Bot) [#62148](nodejs/node#62148) - \[[`456abc7d20`](nodejs/node@456abc7d20)] - **test**: update WPT for WebCryptoAPI to [`c9e9558`](nodejs/node@c9e955840a) (Node.js GitHub Bot) [#62147](nodejs/node#62147) - \[[`82770cb7d3`](nodejs/node@82770cb7d3)] - **test**: improve WPT report runner (Filip Skokan) [#62107](nodejs/node#62107) - \[[`cfc847d233`](nodejs/node@cfc847d233)] - **test**: update WPT compression to [`ae05f5c`](nodejs/node@ae05f5cb53) (Filip Skokan) [#62107](nodejs/node#62107) - \[[`80f78f2737`](nodejs/node@80f78f2737)] - **test**: update WPT for WebCryptoAPI to [`42e4732`](nodejs/node@42e47329fd) (Node.js GitHub Bot) [#62048](nodejs/node#62048) - \[[`8048e0508c`](nodejs/node@8048e0508c)] - **test**: fix skipping behavior for `test-runner-run-files-undefined` (Antoine du Hamel) [#62026](nodejs/node#62026) - \[[`699a6214c6`](nodejs/node@699a6214c6)] - **tools**: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) [#62140](nodejs/node#62140) - \[[`1a453b550c`](nodejs/node@1a453b550c)] - **tools**: improve error handling in test426 update script (Rich Trott) [#62121](nodejs/node#62121) - \[[`710dde5ee2`](nodejs/node@710dde5ee2)] - **tools**: fix `--node-builtin-modules-path` value in `shell.nix` (Antoine du Hamel) [#62102](nodejs/node#62102) - \[[`dcb1cbb21f`](nodejs/node@dcb1cbb21f)] - **tools**: bump the eslint group across 1 directory with 2 updates (dependabot\[bot]) [#62092](nodejs/node#62092) - \[[`7d0b758583`](nodejs/node@7d0b758583)] - **tools**: fix daily wpt workflow nighly release version lookup (Filip Skokan) [#62076](nodejs/node#62076) - \[[`3e8c816f2e`](nodejs/node@3e8c816f2e)] - **tools**: fix example in release proposal linter (Richard Lau) [#62074](nodejs/node#62074) - \[[`772d3d270d`](nodejs/node@772d3d270d)] - **tools**: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot\[bot]) [#62013](nodejs/node#62013) - \[[`92f3b42672`](nodejs/node@92f3b42672)] - **tools**: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) [#61905](nodejs/node#61905) - \[[`deead95ec5`](nodejs/node@deead95ec5)] - **url**: suppress warnings from url.format/url.resolve inside node\_modules (René) [#62005](nodejs/node#62005) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

dependabot bot added dependencies Pull requests that update a dependency file. github_actions Pull requests that update GitHub Actions code labels Mar 1, 2026

nodejs-github-bot added the meta Issues and PRs related to the general management of the project. label Mar 1, 2026

lpinca approved these changes Mar 1, 2026

View reviewed changes

cjihrig approved these changes Mar 2, 2026

View reviewed changes

aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 2, 2026

nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 3, 2026

UlisesGascon approved these changes Mar 3, 2026

View reviewed changes

aduh95 added commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Mar 8, 2026

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 8, 2026

nodejs-github-bot merged commit 2a01d92 into main Mar 8, 2026
57 checks passed

nodejs-github-bot deleted the dependabot/github_actions/actions/download-artifact-8.0.0 branch March 8, 2026 16:25

github-actions bot mentioned this pull request Mar 10, 2026

2026-03-11, Version 25.8.1 (Current) #62184

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

meta: bump actions/download-artifact from 7.0.0 to 8.0.0#62063

meta: bump actions/download-artifact from 7.0.0 to 8.0.0#62063
nodejs-github-bot merged 1 commit intomainfrom
dependabot/github_actions/actions/download-artifact-8.0.0

dependabot bot commented on behalf of github Mar 1, 2026

Uh oh!

nodejs-github-bot commented Mar 1, 2026

Uh oh!

nodejs-github-bot commented Mar 3, 2026

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

Conversation

dependabot bot commented on behalf of github Mar 1, 2026

v8.0.0

v8 - What's new

Direct downloads

Enforced checks (breaking)

ESM

What's Changed

Uh oh!

nodejs-github-bot commented Mar 1, 2026

Uh oh!

nodejs-github-bot commented Mar 3, 2026

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants