https://safedep.io/tanstack-github-actions-cache-poisoning/
To avoid being vulnerable to fork attacks like the one above, consider pinning GH actions to full commit SHAs instead of version tags. For example, this release workflow uses version tags and can also publish to npm. One option is to change something like uses: pnpm/action-setup@v6.0.5 to uses: pnpm/action-setup@<full_commit_sha> # v6.0.5
Additionally, you can add a config file in the repository root including the settings mentioned here: https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-from-supply-chain-attacks
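As an added example (not part of the original comment or of the linked projects), here is a small Python check that scans a workflow file for uses: references that are not pinned to a full 40-character commit SHA, which is the state the comment recommends. The workflow text is constructed for illustration and reuses the pnpm/action-setup@v6.0.5 reference from the comment; the 40-hex value on the setup-node line is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not the project's own file). The SHA on the
# setup-node line is a placeholder that merely has the right shape.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v6.0.5
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: pnpm publish --provenance
"""

# Matches step-level and job-level "uses:" keys; the reference is the first
# non-space token after the colon, so a trailing "# v6.0.5" comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify how a uses: reference is pinned.

    Returns one of: "local", "docker-digest", "docker-tag", "sha", "tag", "unpinned".
    """
    if ref.startswith("./"):
        # Actions checked into the same repository move with the commit itself.
        return "local"
    if ref.startswith("docker://"):
        # Container images are pinned by digest, not by image tag.
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    if "@" not in ref:
        # No ref at all means the default branch, which changes under you.
        return "unpinned"
    _, rev = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(rev) else "tag"


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, classification) for every uses:
    reference that is not pinned to an immutable identifier."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ("tag", "unpinned", "docker-tag"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned by {kind}; pin to a full commit SHA")
```

Running this over the sample flags the two tag-pinned actions and the tag-only container image, and leaves the SHA-pinned and repository-local steps alone. Keeping the version as a trailing comment (as in the comment's own suggestion) preserves readability while the SHA does the pinning; tools such as Dependabot can update both together.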