dagger / dagger-for-github

GitHub Action for Dagger
https://github.com/marketplace/actions/dagger-for-github
Apache License 2.0
120 stars 25 forks

Issue with Action dependencies (Vulnerabilities) #70

Closed rajbos closed 1 year ago

rajbos commented 1 year ago

Hi folks,

An internal user requested us to onboard this action, so we ran it through some security checks, like forking it and enabling Dependabot. Dependabot found 52 issues in vulnerable dependencies, of which 6 are critical!

These might not be misusable by a caller of the action, but maybe you want to enable Dependabot and have it update those dependencies as well (I see it is in use for updating the Actions that are in use), as a best practice.


crazy-max commented 1 year ago

@rajbos This is just for dev dependencies, which are not critical for this action as the build is sandboxed and these deps are not shipped anyway. Also, yes, Dependabot is already enabled on this repo for production dependencies, which is enough to keep the distributed artifacts for this action up to date.