Currently, `.pre-commit-config.yaml` uses git tags rather than hashes for a number of hooks. These are vulnerable to the same type of "mutable git ref" attacks that unpinned GitHub Actions are. We've already seen attempts to exploit this in the wild on the Jupyter project.

Let's update these with a `pre-commit autoupdate --freeze` to pin these.
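As an added illustration (not part of the original issue), here is a small Python check that reports every `rev:` in a `.pre-commit-config.yaml` that is not a full 40-hex commit hash, i.e. still a mutable tag or branch; the sample config and repository URLs in it are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample .pre-commit-config.yaml: the first hook is pinned to a
# tag (mutable), the second already frozen to a commit hash in the form that
# `pre-commit autoupdate --freeze` writes (hash plus a `# frozen:` comment).
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/psf/black
    rev: 23.1.0
    hooks:
      - id: black
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 0123456789abcdef0123456789abcdef01234567  # frozen: v4.4.0
    hooks:
      - id: trailing-whitespace
  - repo: local
    hooks:
      - id: my-script
        name: my-script
        entry: ./check.sh
        language: script
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
REPO_LINE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
# rev value, optionally quoted, optionally followed by a trailing comment
REV_LINE = re.compile(r"^\s*rev:\s*(['\"]?)(\S+?)\1\s*(#.*)?$")


def find_unpinned(config_text: str) -> List[Tuple[str, str]]:
    """Return (repo, rev) pairs whose rev is not a full commit hash.

    Tags and branch names can be moved to point at different commits;
    only a full SHA identifies an immutable revision.
    """
    unpinned = []
    repo = None
    for line in config_text.splitlines():
        m = REPO_LINE.match(line)
        if m:
            repo = m.group(1)  # remember which repo the next rev belongs to
            continue
        m = REV_LINE.match(line)
        if m and repo is not None and not FULL_SHA.match(m.group(2)):
            unpinned.append((repo, m.group(2)))
    return unpinned


if __name__ == "__main__":
    for repo, rev in find_unpinned(SAMPLE_CONFIG):
        print(f"{repo}: rev {rev!r} is a mutable ref; run `pre-commit autoupdate --freeze`")
```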