Follow-on from #1708
The above PR pins dependencies for GitHub Actions, Python dependencies, and potentially Dockerfiles.
Whilst this ensures builds are reproducible and reduces the likelihood of malicious code injection, it also means automatic in-version updates of dependencies (like 3.1.1 -> 3.1.2, for example) would not be picked up.
Tools such as Dependabot can scan dependencies and make recommendations through PRs. These can be per-dependency or aggregated.
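As an added illustration of the aggregated-PR approach described in the issue (this is example configuration, not part of the issue or of the project's repository), the following `.github/dependabot.yml` covers the three ecosystems mentioned: GitHub Actions, Python (pip) and Docker. Dependabot keeps the existing exact pins (for GitHub Actions, the commit SHA with its version comment) and raises PRs that bump them. The `groups` blocks collect minor and patch bumps into one PR per ecosystem so that in-version updates like 3.1.1 -> 3.1.2 are picked up without a flood of PRs, while major updates still arrive individually for review. The `directory` values and the `security-team` reviewer are assumptions and would need to match the real repository layout.

```yaml
# .github/dependabot.yml (example only; paths and reviewers are assumed)
version: 2
updates:
  # Pinned action SHAs in .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Python requirements (requirements*.txt, pyproject.toml, etc.) at the repo root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      python-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Major bumps stay as separate PRs so breaking changes get individual review.

  # Base-image digests in the Dockerfile at the repo root
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    reviewers:
      - "security-team"   # placeholder team name
```

With this in place, each grouped PR lists every bumped dependency with its old and new version, and the pins in the repository remain exact after merge; the trade-off the issue describes (reproducibility versus timely patch-level updates) is handled by letting the bot propose the bumps while a human still approves them.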