https://bz.apache.org/bugzilla/show_bug.cgi?id=66658
--- Comment #2 from Diogo Sant Anna <diogote...@google.com> ---

Hi Mark, thanks for the thoughtful reply! I understand your concerns and they are all valid. It really doesn't make much sense to hash-pin dependencies if you don't use any dependency automation tool, and Dependabot can indeed become noisy. That said, feel free to close this until you have another reason to reconsider using a dependency tool.

Additionally, I'll drop some comments that might be valuable if/when you end up reconsidering this bug:

- If you have experienced Dependabot and considered it noisy, I'd recommend that you try Renovate bot (https://github.com/apps/renovate), which is known to be a less noisy solution but has basically the same features.

- In case you start using actions with write permissions, with access to secrets, or to build critical artifacts, don't forget to also hash-pin the GitHub-owned actions. I know it might sound weird given you use the whole infrastructure from GitHub, but note that their actions are stored and managed very differently than their infrastructure. In their docs, they explicitly state that there are risks in using tags even if you trust the author (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).
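The comment above recommends pinning every `uses:` reference, including GitHub-owned actions, to a full commit SHA rather than a tag. Below is an added example of a small checker that implements that rule over a workflow file; it is not code from the bug report, from Tomcat, or from GitHub. The workflow text is constructed for the example, and the 40-hex SHA in it is a placeholder, not a real `actions/setup-java` commit. A reference is treated as pinned only if it is a full 40-hex commit SHA, a `docker://` image with a `@sha256:` digest, or a local `./` action (which lives in the same repository and is reviewed with it); tags, branches, short SHAs and docker image tags are reported as mutable.

```python
import re

# Constructed sample workflow for this example (not from the Tomcat repository).
# The 40-hex SHA on the setup-java line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v3.11.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - run: ./build.sh
"""

# Captures the reference after "uses:", stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Full-length commit SHA as GitHub recommends; short SHAs are deliberately not accepted.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify a uses: reference as 'local', 'sha', 'digest' or 'mutable'.

    'mutable' means the reference can be moved by whoever controls the
    action repository or image registry (tag, branch, short SHA, image tag,
    or no ref at all, which resolves to the default branch).
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"
    _, _, version = ref.rpartition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_number, ref), ...] for every uses: entry that is not immutably pinned."""
    unpinned = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match is None:
            continue
        ref = match.group(1)
        if classify(ref) == "mutable":
            unpinned.append((number, ref))
    return unpinned


if __name__ == "__main__":
    for number, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is not pinned to a commit SHA or image digest")
```

Run it against `.github/workflows/*.yml` instead of `SAMPLE_WORKFLOW` to get the list of references that still need a SHA. Keeping the version tag in a trailing comment, as on the `setup-java` line, is what lets Dependabot or Renovate recognise which release the SHA corresponds to and open update PRs for it.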