fix(security): Add semantic-release to dev dependencies #207
Conversation
Installing it during the actions run makes supply chain attacks by a possibly compromised semantic-release package easier. Pinning the version through the lockfile prevents this.
|
👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labled with |
Co-authored-by: Gareth Jones <Jones258@Gmail.com>
There was a problem hiding this comment.
you can pin the version with when calling with npx instead, I think @travi added a renovate strategy to update
We are also very careful and put a lot of safety mechanisms into @semantic-release to prevent supply chain attacks.
And lastly, we don't have any CI checks for semantic release. In the end we will get updates for semantic release and merge them in anyway without much review. I don't think it's worth it.
|
Currently, semantic-release is using older versions of Octokit, which conflicts with the newer versions of Octokit which require the newer versions that are ESM. Installing it on the fly with npx and removing it from the dev dependencies unblocked release workflows |
Installing it during the actions run makes supply chain attacks by a possibly compromised semantic-release package easier. Pinning the version through the lockfile prevents this.
In addition, this prevents breaking changes in semantic-release breaking the build.