Most of the supply chain vulnerabilities I’ve seen published and talked about lately have been trying to do things like exfiltrate keys/secrets from developers, including ci.
So of you’ve got a pr open with the vulnerable package update on it then you’ve goofed. Even potentially without merging if you’ve not got ci set up very securely, which is probably more common than we’d like to admit
deleted by creator
Most of the supply chain vulnerabilities I’ve seen published and talked about lately have been trying to do things like exfiltrate keys/secrets from developers, including ci.
So of you’ve got a pr open with the vulnerable package update on it then you’ve goofed. Even potentially without merging if you’ve not got ci set up very securely, which is probably more common than we’d like to admit
That’s not a good idea