Open aaguiarz opened 5 months ago
This issue is related to https://github.com/openfga/helm-charts/issues/132 -- I haven't had time to look at picking it up.
I'm concerned about the use of groundnuty/k8s-wait-for here, as it has not received updates in years and any issues relating to security fixes on the upstream repository are not receiving attention.
We have had to patch our own version of the image to continue using the chart.
Source tags can be overwritten in case of a supply chain attack and a compromised image may be pulled down.
The risk is greater in the case of external, third-party dependencies not under the project's control.
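The mitigation for the tag-overwrite scenario described in this issue is to reference images by immutable digest rather than by mutable tag. The following is an added example, not code from the issue author or from the openfga/helm-charts project: a small audit that scans rendered Kubernetes YAML (for instance the output of `helm template`) and reports every image that is pulled by tag instead of by digest. The sample manifest, the `v1.6` tag and the `sha256:e3b0...` digest in it are constructed placeholders, not values published by either project.

```python
"""Audit container image references in rendered manifests for digest pinning.

Added example (not part of openfga/helm-charts): flags every `image:` reference
that relies on a mutable tag, which a registry-side attacker could re-point.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# An OCI digest is `sha256:` followed by exactly 64 hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches `image: <ref>` or `- image: <ref>` lines, quoted or unquoted.
IMAGE_LINE_RE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s#]+)')


@dataclass
class ImageRef:
    name: str              # registry/namespace/repository
    tag: Optional[str]     # mutable: the publisher (or an attacker) can re-point it
    digest: Optional[str]  # immutable: a content address of the manifest

    @property
    def pinned(self) -> bool:
        """Only a digest guarantees the bytes pulled are the bytes reviewed."""
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Split `[registry/]repo[:tag][@sha256:<hex>]` into its parts."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # The tag separator is a ':' after the last '/'; an earlier ':' belongs
    # to a registry port such as registry.local:5000/repo, not to a tag.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    tag = None
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    return ImageRef(name, tag, digest or None)


def audit_manifest(yaml_text: str) -> List[str]:
    """Return one finding per image reference that is not pinned by digest."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = IMAGE_LINE_RE.match(line)
        if not m:
            continue
        ref = parse_image_ref(m.group(1))
        if ref.pinned:
            continue
        # No tag at all means the registry default, `latest`, which is the
        # most frequently re-pointed tag of all.
        tag = ref.tag or "latest"
        findings.append(
            f"line {lineno}: {ref.name}:{tag} is referenced by a mutable tag, "
            f"pin it by digest"
        )
    return findings


# Constructed sample manifest. The tag and the digest are placeholders,
# not real published values for either image.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: wait-for-db
          image: groundnuty/k8s-wait-for:v1.6
      containers:
        - name: server
          image: "openfga/openfga:v1.5.0@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        - name: sidecar
          image: registry.local:5000/tools/sidecar
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run against `helm template <release> <chart> | python3 audit_images.py` style input this reports the init container and the untagged sidecar and accepts the digest-pinned server image. Keeping both the tag and the digest in the reference (`repo:tag@sha256:...`) preserves readability while the registry resolves only the digest, so a re-pointed tag cannot change what gets pulled.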