GitHub Actions · @actions/http-client · CVE-2020-11021
**Name of the Vulnerable Software and Affected Versions**
@actions/http-client versions prior to 1.0.8
**Description**
Affected versions can disclose Authorization headers to the wrong domain in certain redirect scenarios. This occurs when a consumer of the http-client makes an HTTP request carrying an Authorization header, the server answers with a redirect (302), and the redirect target is on a different domain or hostname. In that case the Authorization header is forwarded to the other domain along with the redirected request. The problem is fixed in version 1.0.8.
**Recommendations**
For versions prior to 1.0.8, update to version 1.0.8, where the authorization header is stripped before making the redirected request if the hostname is different.
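The following is an added example, not code from the @actions/http-client project. It models the redirect handling the advisory describes with no network involved: a fake responder stands in for the server, `headersForRedirect` implements the 1.0.8 rule (drop Authorization when the hostname changes), and a `stripCrossHost = false` switch reproduces the pre-1.0.8 behaviour so the difference is visible hop by hop. Function names, the `SENSITIVE_HEADERS` set and the `example.test` / `other.test` hostnames are assumptions constructed for the demo.

```javascript
// Added example (not @actions/http-client code): redirect handling with and
// without the cross-host Authorization strip described in the advisory.

// Header names (lower-case) treated as credentials. Authorization is the one the
// advisory names; using a set is an assumption so the rule can be extended.
const SENSITIVE_HEADERS = new Set(['authorization']);

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Decide which request headers accompany the redirected request.
// stripCrossHost = true  -> 1.0.8 behaviour: Authorization dropped on hostname change
// stripCrossHost = false -> pre-1.0.8 behaviour: every header is forwarded as-is
function headersForRedirect(fromUrl, toUrl, headers, stripCrossHost = true) {
  const hostChanged =
    new URL(fromUrl).hostname.toLowerCase() !== new URL(toUrl).hostname.toLowerCase();
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (stripCrossHost && hostChanged && SENSITIVE_HEADERS.has(name.toLowerCase())) {
      continue; // credential must not travel to a different host
    }
    out[name] = value;
  }
  return out;
}

// Follow redirects offline. responder(url) plays the server and returns
// { status, location? }. The returned hops list records the URL and the
// headers that would have been sent at each step, so a leak is observable.
function followRedirects(startUrl, headers, responder, { stripCrossHost = true, maxHops = 5 } = {}) {
  const hops = [];
  let url = startUrl;
  let sent = { ...headers };
  for (let i = 0; i <= maxHops; i++) {
    hops.push({ url, headers: { ...sent } });
    const res = responder(url);
    if (!REDIRECT_STATUSES.has(res.status) || !res.location) {
      return { finalUrl: url, status: res.status, hops };
    }
    const next = new URL(res.location, url).toString(); // Location may be relative
    sent = headersForRedirect(url, next, sent, stripCrossHost);
    url = next;
  }
  throw new Error(`too many redirects (>${maxHops})`);
}

// Constructed scenario: api.example.test answers /download with a 302 to another
// host, and /same-host with a relative 302 that stays on the same hostname.
function demoResponder(url) {
  const { hostname, pathname } = new URL(url);
  if (hostname === 'api.example.test' && pathname === '/download') {
    return { status: 302, location: 'https://cdn.other.test/file.bin' };
  }
  if (hostname === 'api.example.test' && pathname === '/same-host') {
    return { status: 302, location: '/download' };
  }
  return { status: 200 };
}

// Run the cross-host scenario with a constructed bearer token.
function demo(stripCrossHost) {
  return followRedirects(
    'https://api.example.test/download',
    { Authorization: 'Bearer constructed-token', Accept: 'application/octet-stream' },
    demoResponder,
    { stripCrossHost }
  );
}

for (const strip of [false, true]) {
  const result = demo(strip);
  console.log(strip ? 'with strip (1.0.8 behaviour):' : 'without strip (pre-1.0.8 behaviour):');
  for (const hop of result.hops) {
    console.log('  ', hop.url, '->', Object.keys(hop.headers).join(', ') || '(no headers)');
  }
}
```

Two points to take from the output: the hostname comparison is what decides stripping, so a relative `Location` that stays on the same host keeps the header while an absolute one to another host does not; and non-credential headers such as `Accept` are forwarded in both modes, which is why a client that simply forwards everything looks correct until a redirect crosses a host boundary.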