Eladb

**Name of the Vulnerable Software and Affected Versions** projen versions prior to 0.16.41 projen versions prior to 0.17.0 **Description** The `projen` tool synthesizes project configuration files from a well-typed definition written in JavaScript. Users of `projen`'s `NodeProject` project type include a `.github/workflows/rebuild-bot.yml` workflow that may allow any GitHub user to trigger execution of un-trusted code in the context of the "main" repository. This workflow is triggered by comments including `@projen rebuild` on pull-request and executes with a `GITHUB TOKEN` belonging to the repository into which the pull-request is made. Repositories without branch protection configured on their default branch could allow an untrusted user to gain access to secrets configured on the repository. **Recommendations** For versions prior to 0.16.41, upgrade `projen` to version 0.16.41 or later to mitigate the issue. For versions prior to 0.17.0, upgrade `projen` to version 0.17.0 or later to completely remove the `rebuild-bot.yml` workflow. As a temporary workaround, consider removing the `.github/workflows/rebuild-bot.yml` file and adding it to the `.gitignore` file (via `projenrc.js`) to mitigate the issue.