At the moment we have several dependencies that would be automatically upgraded at least for minor versions. These are:
SwiftCryptoTokenFormatter
Kingfisher
TrustKit
Firebase
WalletConnectSwift
SnapshotTesting
Version
If an attacker can upgrade one of these libraries and add malicious code, we might include it in our next app release without noticing. I want to propose to pin to exact versions and only upgrade to a new version after having at least a cursory look at the changes in code that were made.
We're still subject to an attack where an attacker is able to change an already released artifact. When exactly does Xcode (or our build server) download these artifacts? Only once, or on every build?
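An added example, not part of the original issue or the project's code: a CI-style check that parses a Package.resolved lockfile (SwiftPM v2 format, assumed here) and compares every pin against a reviewed allowlist of exact version plus commit hash, so that a pin tracking a branch, an unreviewed package, or a release whose commit no longer matches the approved one is flagged. The lockfile contents, allowlist and revision hashes are constructed sample values.

```python
import json

# Constructed sample Package.resolved (SwiftPM v2 lock format, assumed).
# Revisions are placeholders, not real commits of these projects.
RESOLVED_JSON = """{"version": 2, "pins": [
 {"identity": "kingfisher", "kind": "remoteSourceControl",
  "location": "https://github.com/onevcat/Kingfisher.git",
  "state": {"version": "7.6.2", "revision": "1111111111111111111111111111111111111111"}},
 {"identity": "trustkit", "kind": "remoteSourceControl",
  "location": "https://github.com/datatheorem/TrustKit.git",
  "state": {"version": "3.0.3", "revision": "2222222222222222222222222222222222222222"}},
 {"identity": "snapshottesting", "kind": "remoteSourceControl",
  "location": "https://github.com/pointfreeco/swift-snapshot-testing.git",
  "state": {"branch": "main", "revision": "3333333333333333333333333333333333333333"}}
]}"""

# Reviewed allowlist: identity -> (exact version, commit revision) a human signed off on.
# Constructed values; in practice this lives in the repo and changes only via review.
APPROVED = {
    "kingfisher": ("7.6.2", "1111111111111111111111111111111111111111"),
    "trustkit": ("3.0.3", "2222222222222222222222222222222222222222"),
}

def check_pins(resolved_text, approved):
    """Return human-readable findings; an empty list means the lockfile matches the allowlist."""
    findings = []
    seen = set()
    for pin in json.loads(resolved_text).get("pins", []):
        ident = pin["identity"]
        state = pin.get("state", {})
        seen.add(ident)
        # A branch pin floats with every push, so it can never be a reviewed release.
        if "branch" in state or "version" not in state:
            findings.append(f"{ident}: tracks a branch, not a reviewed release")
            continue
        if ident not in approved:
            findings.append(f"{ident}: not in the approved list")
            continue
        want_version, want_rev = approved[ident]
        if state["version"] != want_version:
            findings.append(f"{ident}: version {state['version']} != approved {want_version}")
        # Same version but a different commit means the tag was moved or re-published.
        if state.get("revision") != want_rev:
            findings.append(f"{ident}: commit changed for version {state['version']} (tag may have been moved)")
    for ident in sorted(approved.keys() - seen):
        findings.append(f"{ident}: approved dependency missing from lockfile")
    return findings
```

Run it against the committed Package.resolved in CI and fail the build on any finding, so a moved tag or a floating branch pin is caught before the artifact is built.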