[@actions/artifact] Transitive dependency buffers has no declared license #2392

Description

@horie1024

Summary

@actions/artifact (used by actions/upload-artifact and actions/download-artifact) transitively depends on the npm package buffers, which does not declare a license and whose source repository has been deleted.

This makes it difficult for organizations with strict OSS license policies to adopt or continue using the official artifact actions.

Dependency chain

@actions/artifact
└── unzip-stream ^0.3.1                       (MIT)
    └── binary ^0.3.0                          (MIT, by substack)
        └── buffers ~0.1.1                     (NO LICENSE — by substack)

The buffers package is bundled into the published dist/index.js of both actions/upload-artifact and
actions/download-artifact (verified via signature strings such as "Tried to push a non-buffer").

Evidence

buffers has no license

  • npm registry entry: https://www.npmjs.com/package/buffers
    • license field: not present
    • Last published in 2013
  • GitHub repository referenced in package.json (github.com/substack/node-buffers) returns 404 — the repository has been deleted.
  • The published tarball contains no LICENSE file:
$ tar tzf buffers-0.1.1.tgz
package/examples/slice.js
package/examples/splice.js
package/index.js
package/package.json
package/README.markdown
package/test/buffers.js

Lockfile references

Why this matters

Many organizations classify "no declared license" as not redistributable / not usable by default, since using such code is technically copyright infringement (the absence of a
license grants no permissions). Even though GitHub Actions are run server-side, the bundled JavaScript is executed by the runner and constitutes use of the unlicensed code.

Several of our internal teams currently treat the official artifact actions as a policy exception, but it would be much cleaner if @actions/artifact did not pull in unlicensed code at all.

Suggested fixes (in order of preference)

  1. Replace unzip-stream with a maintained alternative that does not depend on binary/buffers. Candidates:
  • unzipper (MIT) — actively maintained, similar streaming API
  • yauzl (MIT) — well-maintained, used by VS Code
  • Node.js built-in zlib + custom ZIP parsing
  2. If keeping unzip-stream, file an upstream issue with mhr3/unzip-stream requesting they replace binary with an equivalent that does not
    depend on the unlicensed buffers.
  3. As a temporary workaround, override the resolution to point buffers → node-buffers (a re-publication of the same code by
    dashevo with an explicit MIT/X11 license). This requires a package.json overrides block, but bundles correctly.

Reproduction

# Inspect the bundled action
curl -fsSL https://raw.githubusercontent.com/actions/upload-artifact/main/dist/upload/index.js \
  | grep -c "Tried to push a non-buffer"
# 1   ← buffers code is present in the bundle

Related
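As an added check (example code written for this page, not the issue author's and not part of actions/toolkit): the grep above only proves buffers is already in a bundle. To catch an unlicensed package before it is bundled, the same question can be asked of the project's own package-lock.json, since npm's lockfileVersion 2/3 `packages` map records each entry's `license` field and its dependency edges. The script below walks runtime dependencies from the root, resolves each edge the way Node's module lookup does (nearest `node_modules/<name>` walking up the tree), and prints the chain to every reachable package with no declared license. The sample lockfile, its @actions/artifact version and its license values are constructed for illustration; only the unzip-stream/binary/buffers versions follow the chain in the issue.

```javascript
// Added example, not code from the issue or from actions/toolkit: scan an npm
// lockfile (lockfileVersion 2 or 3, the "packages" map) for dependencies that
// declare no license, and print the chain that pulls each one in.
// SAMPLE_LOCK is a constructed lockfile loosely modelled on the chain in the
// issue; the @actions/artifact version, the dev-tool entry and every "license"
// value are assumptions for illustration, not taken from a real lockfile.
const SAMPLE_LOCK = {
  name: "artifact-consumer",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "artifact-consumer",
      dependencies: { "@actions/artifact": "^2.0.0" },
      devDependencies: { "some-dev-tool": "^1.0.0" },
    },
    "node_modules/@actions/artifact": {
      version: "2.0.0", license: "MIT", dependencies: { "unzip-stream": "^0.3.1" },
    },
    "node_modules/unzip-stream": { version: "0.3.1", license: "MIT", dependencies: { binary: "^0.3.0" } },
    "node_modules/binary": { version: "0.3.0", license: "MIT", dependencies: { buffers: "~0.1.1" } },
    "node_modules/buffers": { version: "0.1.1" }, // no "license" field, as on the registry
    "node_modules/some-dev-tool": { version: "1.0.0", dev: true }, // unlicensed but dev-only
  },
};

// Resolve the package that `name`, required from the package installed at
// `fromPath`, would actually load: the nearest node_modules/<name> walking up
// the tree, which is the lookup Node's module resolver performs.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Display name for a lockfile path: "node_modules/@scope/pkg" -> "@scope/pkg@<version>".
function label(packages, path, rootName) {
  if (path === "") return rootName;
  const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
  return `${name}@${packages[path].version}`;
}

// Walk runtime dependencies (dependencies + optionalDependencies) from the root,
// then report every reachable package whose lockfile entry has no "license".
// devDependencies are deliberately ignored: they are not shipped in a bundle
// such as dist/index.js, so they are a separate policy question.
function findUnlicensed(lock) {
  const packages = lock.packages || {};
  const rootName = lock.name || (packages[""] && packages[""].name) || "(root)";
  const parent = new Map([["", null]]); // lockfile path -> path of the package that pulled it in
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    const entry = packages[from] || {};
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, from, name);
      if (target === null || parent.has(target)) continue; // absent optional dep, or already visited
      parent.set(target, from);
      queue.push(target);
    }
  }
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || !parent.has(path)) continue; // the root itself, or not reachable at runtime
    if (typeof entry.license === "string" && entry.license.trim() !== "") continue;
    const chain = [];
    for (let p = path; p !== null; p = parent.get(p)) chain.unshift(label(packages, p, rootName));
    findings.push({ path, version: entry.version, chain });
  }
  return findings;
}

// CLI use: node lockfile-license-audit.js package-lock.json (falls back to the sample).
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const findings = findUnlicensed(lock);
  for (const f of findings) {
    console.log(`${f.path} (${f.version}): no declared license`);
    console.log(`  via ${f.chain.join(" > ")}`);
  }
  if (lockPath && findings.length) process.exitCode = 1; // fail a CI gate on a real lockfile
}
```

Against the sample this reports one finding, `node_modules/buffers (0.1.1)` reached via `artifact-consumer > @actions/artifact@2.0.0 > unzip-stream@0.3.1 > binary@0.3.0 > buffers@0.1.1`, and skips the unlicensed dev-only entry. Pointed at a real lockfile it exits non-zero on any finding, so it can sit in CI ahead of the ncc bundling step; it does not inspect already-bundled `dist/index.js`, which is what the grep in Reproduction covers.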
