Let Dependabot respect commit hashes #29139
Unanswered
guerda
asked this question in
Code Security
Replies: 1 comment
@guerda I support this idea, but I would also mention that there is something of a conflict with the fact that Dependabot Alerts cannot (yet / currently) determine whether an action is vulnerable unless the version is specified in semver format. I learned that a few moments ago from: https://github.com/orgs/community/discussions/154189
Dependabot updates dependencies with their version tag, which is mutable.
In order to be more secure, it is recommended to use the commit's hash. Unfortunately, once Dependabot detects an update, it uses the version tag for the updated version instead of the commit's hash.
It would be great if commit hashes were updated with newer commit hashes by Dependabot.
Based on a discussion here with tips from @jkcso: https://twitter.com/derguerda/status/1557454206658912256
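The distinction the question rests on, a mutable tag such as `@v4` versus an immutable 40-character commit SHA, is easy to audit mechanically. The following checker is an added example written for this page; it is not code from the discussion, from Dependabot or from GitHub. It scans the `uses:` lines of a workflow file, reports every action still referenced by a tag or branch, and notes SHA pins that lack the trailing `# vX.Y.Z` comment that records which release the SHA is meant to be. The sample workflow and its hex SHAs are constructed placeholders, not real commits.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for this example (not taken from the discussion).
# It mixes the reference styles the checker has to tell apart; both 40-hex
# SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@0123456789abcdef0123456789abcdef01234567" # v4.0.0
      - uses: some-org/some-action@main
      - uses: some-org/other-action@89abcdef89abcdef89abcdef89abcdef89abcdef
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# A `uses:` line, optionally quoted, optionally followed by a `# version` comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<value>[^\s'\"#]+)['\"]?(?:\s*#\s*(?P<comment>\S+))?",
    re.MULTILINE,
)
# A full-length git object id; abbreviated SHAs are deliberately not accepted.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Each finding is (reference, kind, note) with kind in {"sha", "mutable", "skip"}.
Finding = Tuple[str, str, str]


def classify(value: str, comment: str) -> Finding:
    """Classify one `uses:` value by how its revision is pinned."""
    if value.startswith(("./", "docker://")):
        return (value, "skip", "local path or container image; not a tag-vs-SHA question")
    action, _, ref = value.rpartition("@")
    if not action:
        return (value, "skip", "no @ref present")
    if FULL_SHA_RE.match(ref):
        note = "pinned to full commit SHA"
        if not comment:
            note += "; no trailing version comment, so the intended release is not recorded"
        return (value, "sha", note)
    return (value, "mutable", f"tag or branch '{ref}' can be moved to point at different code")


def audit_workflow(text: str) -> List[Finding]:
    """Return one finding per `uses:` line, in file order."""
    return [
        classify(m.group("value"), m.group("comment") or "")
        for m in USES_RE.finditer(text)
    ]


def find_unpinned(text: str) -> List[str]:
    """Return only the references that a Dependabot tag bump would leave mutable."""
    return [ref for ref, kind, _ in audit_workflow(text) if kind == "mutable"]


if __name__ == "__main__":
    for ref, kind, note in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:8} {ref}  ({note})")
```

Run against a real repository, the mutable findings are the lines where a tag bump from Dependabot (as the question describes) would undo a SHA pin; the missing-comment findings are the SHA pins that keep the version information the reply says Dependabot Alerts need.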