microsoft / tslib

Runtime library for TypeScript helpers.
BSD Zero Clause License

Suggest a dependabot to keep GitHub Actions updated #225

Closed diogoteles08 closed 8 months ago

diogoteles08 commented 9 months ago

Hi! I'm Diogo and I'm back (see #218) hoping to offer a bit more help with security enhancements.

I'm coming to confirm that tslib has Dependabot enabled for Security Updates (which I suppose is true based on this dependabot PR), and also to ask if you have interest in a PR configuring dependabot to also make regular version updates on your actions and/or on your dev dependencies.

This would be especially handy in case you hash-pin your sensitive dependencies (as is being done in this PR), because they become harder to update manually. Using a Dependency-Update-Tool would ease the maintenance of those dependencies and also keep you safer, as hash-pinned dependencies ensure that the code you're running is always the same (e.g., the tag can't be changed to point to malicious code).

In case you have interest, I'd be happy to raise a PR shortly =)

Thanks

jakebailey commented 9 months ago

Feel free to send a PR that pins actions and configures dependabot; we are already doing so for TS itself in https://github.com/microsoft/TypeScript/pull/56211.
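An added example of the setup both comments describe (not tslib's own configuration, and not code from either commenter): a `.github/dependabot.yml` that schedules version updates for GitHub Actions and npm devDependencies, followed by a workflow step pinned to a full commit SHA. The file paths, schedule, and the SHA/version placeholder are assumptions.

```yaml
# .github/dependabot.yml (added example; path and schedule are assumptions)
version: 2
updates:
  # Keep hash-pinned actions current. When an action is pinned to a commit
  # SHA with a trailing "# vX.Y.Z" comment, Dependabot updates both the SHA
  # and the comment in its PR, so the pin never goes stale.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Regular version updates restricted to devDependencies, so the published
  # runtime library is not touched by automated bumps.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    allow:
      - dependency-type: "development"

---
# .github/workflows/ci.yml (excerpt; added example)
# A hash-pinned step: the SHA is a placeholder, replace it with the real
# 40-hex commit of the release you vetted. A tag can be moved to point at
# different code; a commit SHA cannot.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.1 (PLACEHOLDER SHA)
      - run: npm ci
      - run: npm test
```

Reviewing a Dependabot PR for a pinned action then means checking that the new SHA matches the commit the updated `# vX.Y.Z` comment claims, which the PR diff makes a one-line comparison.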