Security Update: Additional gitStream Hardening

As a follow-up to the mitigation steps already communicated, we have deployed an additional hardening update for the gitStream GitHub Action. This update adds cache-cleaning enforcement as part of our ongoing efforts.

Customer Action

If you already updated to the previously recommended version and followed the best practices, no mandatory further action is required. However, it is always recommended to use the latest version. Please ensure your workflow is using:

• uses: linear-b/gitstream-github-action@v2

or

• uses: linear-b/gitstream-github-action@2.0.230

Action release notes are available at https://github.com/linear-b/gitstream-github-action/releases/tag/2.0.230

We are continuing our investigations as part of our remediation work.

For questions, contact security@linearb.io.

Security Update: gitStream GitHub Action

A third-party npm supply chain event involving the axios package occurred on March 31, 2026. This is not an active LinearB vulnerability. This update is relevant only if you received a specific alert email from GitHub regarding affected workflow runs.

Scope

• Applies only to gitStream via GitHub Actions
• gitStream managed mode was not impacted
• Does not apply to:
  • gitStream managed on GitHub.
  • gitStream on Gitlab.
  • gitStream on Bitbucket.

LinearB Response

• LinearB investigated and confirmed no impact to our production environment
• We deployed a hardening update with pinned dependencies

Recommended Customer Actions

• If you received a GitHub alert, we recommend reviewing any secrets available to the affected workflow runs, rotating them if needed, and checking audit logs for unexpected activity.
• If you use gitStream via GitHub Actions, please ensure you are using one of the following:
  • uses: linear-b/gitstream-github-action@v2
  • or the pinned version: uses: linear-b/gitstream-github-action@2.0.229

For questions, contact security@linearb.io.