Pinning-by-hash upgrade #3699
Comments
I'd dig it! There's a potentially inspirational implementation in https://github.com/thepwagner/action-update-docker , specifically thepwagner/action-update-docker#59. There, configuration looks like:

One idea for scope creep: in addition to maintaining the image as a pinned hash, I liked keeping the readable tag in a nearby comment, e.g.

One question: what should this feature do if it encounters a mutable tag (e.g.
Thanks for the link!

Good idea. For docker specifically, we could use

Good question. Using a mutable tag means the image may change very often, so sending a PR on each change may be cumbersome for maintainers. On the other hand, this is high-risk. To keep things simple, I suppose we could ignore this case for now, as it seems to be the intention of the developer to not pin the image. That's insecure, but maybe this is something another tool could warn about, e.g. scorecard. wdyt?
I, too, would like to see this feature. Has there been any further thought / progress here? I'd try to contribute something, but I do not know Ruby, and have spent a few hours already struggling to get this project opened in VSCode inside a dev container. :(
I think https://docs.renovatebot.com/configuration-options/#pindigests works exactly like this.
Dependabot supports a versioning strategy.

Some developers may want to pin by hash. It's useful to further mitigate against compromised packages. Although this is already supported by dependabot, dependabot does not allow upgrading from version pinning to hash pinning. This makes it very time-consuming for developers to upgrade. For example, if a current dockerfile contains `FROM pkgname@v1.2.3` and maintainers want to upgrade all such occurrences to `FROM pkgname@v1.2.3:hash`, there's no easy way to tell dependabot to do that, AFAIK. Having an option to do that would be amazing. It could possibly live under the `versioning-strategy`.

Is this something you'd be interested in adding, or accept PRs?

Thanks!
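As an added example (not dependabot's or action-update-docker's code) of the upgrade this issue asks for: a small Ruby rewriter that turns `FROM image:tag` into Docker's `FROM image@sha256:<digest>` reference form, keeps the readable tag in a trailing comment as suggested in the thread, and reports mutable tags (`latest`, untagged) instead of pinning them. The registry lookup is a constructed table standing in for a real manifest query; `MUTABLE_TAGS` is an assumed list.

```ruby
# Added example, not dependabot's code: rewrite Dockerfile FROM lines from a tag
# pin to a digest pin, keep the tag in a comment, and report mutable tags.
MUTABLE_TAGS = %w[latest stable edge].freeze

# Constructed stand-in for a registry manifest lookup (image:tag => digest).
FAKE_REGISTRY = {
  'ruby:3.2.2'  => 'sha256:' + 'a' * 64,
  'alpine:3.18' => 'sha256:' + 'b' * 64
}.freeze

# "registry:port/name:tag" -> [name, tag]; the tag separator is the last
# colon after the last slash, so a registry port is not mistaken for a tag.
def split_ref(ref)
  slash = ref.rindex('/') || -1
  colon = ref.rindex(':')
  return [ref, nil] if colon.nil? || colon < slash
  [ref[0...colon], ref[(colon + 1)..]]
end

# One Dockerfile line -> [rewritten_line, warning_or_nil].
def pin_from_line(line, registry)
  m = line.match(/\A(\s*FROM\s+)(.*?)(\s*(?:#.*)?)\z/i)
  return [line, nil] unless m
  lead, args, trailing = m.captures
  tokens = args.split(/\s+/)
  idx = tokens.index { |t| !t.start_with?('--') } # skip flags like --platform=
  return [line, nil] unless idx
  ref = tokens[idx]
  # Already digest-pinned, scratch, or ARG-driven references are left alone.
  return [line, nil] if ref.include?('@sha256:') || ref == 'scratch' || ref.include?('$')
  image, tag = split_ref(ref)
  return [line, "#{image}:#{tag || 'latest'} is a mutable tag; not pinned"] if tag.nil? || MUTABLE_TAGS.include?(tag)
  digest = registry["#{image}:#{tag}"]
  return [line, "no digest found for #{image}:#{tag}"] unless digest
  tokens[idx] = "#{image}@#{digest}"
  comment = trailing.strip.empty? ? " # #{image}:#{tag}" : "#{trailing} (#{image}:#{tag})"
  [lead + tokens.join(' ') + comment, nil]
end

# Whole Dockerfile text -> [new_text, warnings].
def pin_dockerfile(text, registry = FAKE_REGISTRY)
  warnings = []
  lines = text.lines(chomp: true).map do |line|
    new_line, warn = pin_from_line(line, registry)
    warnings << warn if warn
    new_line
  end
  [lines.join("\n") + "\n", warnings]
end
```

Run it as `pin_dockerfile(File.read('Dockerfile'))`; the second element of the result lists the mutable or unresolvable tags that were left unpinned.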