Hi! I'd like to suggest to enable a dependency update tool in order to keep CI dependencies up to date. It is considered a security best practice to keep dependencies up to date to avoid known vulnerabilities and bugs, but also not being instantly exposed to new versions to avoid being affected by malicious or vulnerable releases. That's why dependabot can help providing a delay and also notifying you about new security or release patches.
I'll be submiting a PR with a configuration for dependabot, but let me know if you rather renovatebot or other tool. Let me know what do you think about it.
Besides, I strongly recommend that you also enable the Dependabot security updates option on Code security and analysis to receive out of schedule upgrades in case of a new security patch is released (avoiding being exposed for much time).
Context
I'm Joyce and I work with Diogo (#72 and #74) on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). Our core job is to suggest and implement security changes on widely used open source projects 😊
Hi! I'd like to suggest to enable a dependency update tool in order to keep CI dependencies up to date. It is considered a security best practice to keep dependencies up to date to avoid known vulnerabilities and bugs, but also not being instantly exposed to new versions to avoid being affected by malicious or vulnerable releases. That's why dependabot can help providing a delay and also notifying you about new security or release patches.
I'll be submiting a PR with a configuration for dependabot, but let me know if you rather renovatebot or other tool. Let me know what do you think about it.
Besides, I strongly recommend that you also enable the Dependabot security updates option on Code security and analysis to receive out of schedule upgrades in case of a new security patch is released (avoiding being exposed for much time).
Context
I'm Joyce and I work with Diogo (#72 and #74) on Google's Open Source Security Team(GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). Our core job is to suggest and implement security changes on widely used open source projects 😊