Overview
The security audit reports the following as a LOW-risk finding:
GitHub Actions sourced from third-party repositories are not pinned to specific commit hashes, increasing the risk of
threats in case a bad actor manages to add a backdoor to the action's repository.
At the same time, the library uses many prod/dev dependencies whose versions are not strictly pinned (it is a library and needs to stay flexible), which poses the same level of risk.
Generally speaking, the project as a whole (the other libraries) doesn't pin GitHub Actions, so if this is adopted it needs to be applied comprehensively, across all of them.
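To make the audit finding concrete, the following is an added example (not the project's code) that scans workflow text for `uses:` references and reports those not pinned to a full 40-hex commit SHA. The sample workflow and the SHA in it are constructed placeholders; it uses a plain line scan rather than a YAML parser so it runs without extra dependencies, so unusual YAML layouts may need a real parser.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not the project's own code. A tag such as @v4 or a branch such as
@main can be moved by the action's maintainer (or by whoever compromises the
repo); a 40-hex commit SHA cannot, which is the point of the audit finding.
"""
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Matches "uses: <ref>" step lines, with or without a leading "- " and quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow for the demo. The SHA below is a placeholder,
# not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3 placeholder
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - run: npm ci
"""


def classify(ref: str) -> Optional[str]:
    """Return a reason string if `ref` is not pinned to an immutable identifier, else None."""
    if ref.startswith("./"):
        # Local action inside the same repo: already fixed by the commit being built.
        return None
    if ref.startswith("docker://"):
        # Container actions are immutable only when pinned by image digest.
        return None if "@sha256:" in ref else "container image not pinned by digest"
    if "@" not in ref:
        return "no ref given (resolves to the action's default branch)"
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return None
    return f"mutable ref '{version}' (tag or branch) instead of a 40-hex commit SHA"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, reason) for every unpinned `uses:` entry."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        reason = classify(ref)
        if reason:
            findings.append((lineno, ref, reason))
    return findings


if __name__ == "__main__":
    # With file arguments, scan those workflow files; otherwise scan the sample.
    sources = [(p, Path(p).read_text()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for lineno, ref, reason in find_unpinned(text):
            print(f"{name}:{lineno}: {ref}: {reason}")
```

Run it with no arguments to see the sample's three findings (the `@v4` tag, the digest-less container image and the `@main` branch), or pass `.github/workflows/*.yml` to scan a checkout; a pinned line keeps a `# vX.Y.Z` comment after the SHA so the intended version stays readable.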