pkgjs / wiby

"Will I break you" - a tool for testing dependents
Apache License 2.0

security: rely on `sha` rather than `ref` #140

Closed RedYetiDev closed 2 months ago

RedYetiDev commented 3 months ago

Relying on a PR's sha is more robust than relying on its ref. The sha is unique to a commit, while the ref is unique to a branch.

ljharb commented 2 months ago

The ref resolves to a sha, so it's identically robust.

RedYetiDev commented 2 months ago

First off, I didn't mean to close this, whoops!

Secondly, the ref resolves the branch name (i.e. main), which is not as robust as an sha which is constant.

ljharb commented 2 months ago

I'm not sure that's valuable here - the sha can be checked after the run.
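Added example (not part of this PR and not wiby's own code) showing the distinction the thread is arguing about: after a branch receives another push, the branch ref resolves to a different commit, while a sha recorded before the push still names exactly the commit it was recorded from. It assumes `git` is installed; the throwaway repository and the branch name `feature` are constructed for the demo.

```shell
#!/bin/sh
# Demonstrates: a branch ref is a moving pointer, a commit sha is not.
set -eu

# Commit helper with a fixed identity so the demo runs on a clean machine.
commit_empty() {
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "$2"
}

# Build a throwaway repository (constructed input) with one commit on "feature".
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/feature
  commit_empty "$dir" "initial"
  echo "$dir"
}

# Record the sha the ref points at, push another commit to the same branch,
# then compare. Returns 0 when the ref moved but the pinned sha still resolves
# to the original commit; returns 1 otherwise.
demo_ref_vs_sha() {
  dir=$(make_repo)
  ref="feature"
  pinned_sha=$(git -C "$dir" rev-parse "$ref")   # what a sha-based run pins
  commit_empty "$dir" "later push to the same branch"
  now_sha=$(git -C "$dir" rev-parse "$ref")      # what a ref-based run sees now

  # The branch name now resolves to a different commit than it did before.
  [ "$now_sha" != "$pinned_sha" ] || return 1
  # The pinned sha still identifies the exact commit recorded earlier.
  git -C "$dir" cat-file -e "$pinned_sha^{commit}" || return 1
  [ "$(git -C "$dir" rev-parse "$pinned_sha^{commit}")" = "$pinned_sha" ] || return 1

  rm -rf "$dir"
  return 0
}
```

Checking the sha after the run (as suggested above) tells you which commit was tested; pinning it beforehand guarantees the run and the check refer to the same one.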