Hi! I'm Diogo and I'm back (see #218) hoping to offer a bit more help with security enhancements.
I'm coming to confirm that tslib has Dependabot enabled for Security Updates (which I suppose is true based on this dependabot PR), and also to ask if you have interest in a PR configuring dependabot to also make regular version updates on your actions and/or on your dev dependencies.
This would be especially handy in case you hash-pin your sensitive dependencies (as is being done in this PR), because they become harder to update manually. Using a Dependency-Update-Tool would ease the maintenance of those dependencies and also keep you safer, as hash-pinned dependencies ensure that the code you're running is always the same (e.g., the tag can't be changed to point to malicious code).
In case you have interest, I'd be happy to raise a PR shortly =)
Thanks