diogoteles08
commented
1 year ago Hey! This issue/PR has been idle for quite some time. Do you plan on considering this suggestion?
For your specific case, hash-pinning your dependencies on build.yml should be valuable because it's responsible for uploading your wheels to the releases, right? So any malicious or broken changes on the unpinned dependencies on that workflows could endanger possible users that consumes those wheels.
In case you don't show interest on these changes, we'll probably wait up to 2 more months and close the issue.
Thanks!
github-actions[bot]
Description
Hi again, I would like to suggest another security practice recommended by the OpenSSF Scorecard, and the GitHub itself, which is to hash pin the CI dependencies to prevent dependency-confusion, typosquatting and tag renaming attacks.
This means:
Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.
Let me know if you are open to evaluate those changes and I'll submit the PR ASAP.
Any questions or concerns just let me know. Thanks!
Additional Context
Regarding Github Actions: A tag renaming attack is a type of attack whereby an attacker:
Regarding package managers (such as pip): A dependency-confusion attack occurs when an attacker:
A typosquatting attack is a type of attack whereby an attacker:
For more informations about the dependency-update tools: