Pinning-by-hash upgrade #3699
Comments
I'd dig it! There's a potentially inspirational implementation in https://github.com/thepwagner/action-update-docker , specifically thepwagner/action-update-docker#59. There, configuration looks like: One idea for scope creep: in addition to maintaining the image as a pinned hash, I liked keeping the readable tag in a nearby comment: e.g. One question: what should this feature do if it encounters a mutable tag (e.g.
Thanks for the link!
Good idea. For docker specifically, we could use
Good question. Using a mutable tag means the image may change very often, so sending a PR on each change may be cumbersome for maintainers. On the other hand, this is high-risk. To keep things simple, I suppose we could ignore this case for now, as it seems to be the intention of the developer to not pin the image. That's insecure, but maybe this is something another tool could warn about, e.g. scorecard. wdut?
I, too, would like to see this feature. Has there been any further thought / progress here? I'd try to contribute something, but I do not know Ruby, and have spent a few hours already struggling to get this project opened in VSCode inside a dev container. :(
I think https://docs.renovatebot.com/configuration-options/#pindigests works exactly like this.
👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.
I believe that this feature request is still relevant and this should remain open. |
Dependabot supports a versioning strategy.
Some developers may want to pin by hash. It's useful to further mitigate against compromised packages. Although this is already supported by dependabot, dependabot does not allow upgrading from version pinning to hash pinning. This makes it very time-consuming for developers to upgrade. For example, if a current dockerfile contains
FROM [email protected]
and maintainers want to upgrade all such occurrences to
FROM [email protected]:hash
there's no easy way to tell dependabot to do that, AFAIK. Having an option to do that would be amazing. It could possibly live under the
versioning-strategy
option. Is this something you'd be interested in adding, or accept PRs?
Thanks!
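The rewrite this feature request asks for (tag pinning to digest pinning), together with the two points raised in the comments above (keep the readable tag in a trailing comment, leave mutable tags alone), as an added example. This is illustration code written for this page, not dependabot-core's own implementation and not the action-update-docker code linked above. The registry lookup is a constructed in-memory resolver (`SAMPLE_RESOLVER`) standing in for a real manifest request; the `MUTABLE_TAGS` list, the `FROM_RE` grammar and the `# image:tag` comment convention are assumptions chosen for the example.

```ruby
# Added example (not dependabot-core code): upgrade Dockerfile FROM lines from
# tag pinning to digest pinning, record the readable tag in a trailing comment,
# refresh already-pinned lines from that comment, and skip mutable tags.
require 'set'

# Floating tags a maintainer normally does not want pinned (assumed list):
# every push would move them, so pinning them would churn a PR per push.
MUTABLE_TAGS = Set['latest', 'stable', 'edge', 'main', 'master', 'nightly'].freeze
DIGEST_RE = /\Asha256:[0-9a-f]{64}\z/

# FROM [--platform=..] [registry[:port]/]name[:tag][@sha256:..] [AS name] [# comment]
FROM_RE = %r{
  \A(?<lead>\s*FROM\s+)
  (?<platform>--platform=\S+\s+)?
  (?<image>(?:[\w.-]+(?::\d+)?/)?[\w./-]+)
  (?::(?<tag>[\w.-]+))?
  (?:@(?<digest>sha256:[0-9a-f]{64}))?
  (?<alias>\s+AS\s+\S+)?
  \s*(?:\#\s*(?<comment>.*?))?\s*\z
}xi

# Returns [new_line, status] with status in :ignored (not a FROM line),
# :unchanged (mutable tag, unresolvable, or already current), :pinned, :refreshed.
# resolver.call(image, tag) must return "sha256:<hex>" or nil.
def pin_from_line(line, resolver)
  m = FROM_RE.match(line)
  return [line, :ignored] unless m

  image, tag, digest = m[:image], m[:tag], m[:digest]
  if digest
    # Already digest-pinned: only refresh if the trailing comment records
    # which tag this digest stands for, e.g. "# ubuntu:22.04".
    img, sep, ctag = m[:comment].to_s.strip.rpartition(':')
    return [line, :unchanged] if sep.empty? || img != image
    tag = ctag
  else
    # Untagged (implicit latest) or explicitly mutable: developer intent is
    # not to pin, so leave it for a scanner to flag rather than churn PRs.
    return [line, :unchanged] if tag.nil? || MUTABLE_TAGS.include?(tag.downcase)
  end

  new_digest = resolver.call(image, tag)
  # Never trust the resolver blindly: a malformed digest must not reach the file.
  return [line, :unchanged] unless new_digest.is_a?(String) && DIGEST_RE.match?(new_digest)
  return [line, :unchanged] if new_digest == digest

  rebuilt = "#{m[:lead]}#{m[:platform]}#{image}@#{new_digest}#{m[:alias]} # #{image}:#{tag}"
  [rebuilt, digest ? :refreshed : :pinned]
end

# Rewrites a whole Dockerfile; returns [new_text, counts_by_status].
def pin_dockerfile(text, resolver)
  counts = Hash.new(0)
  out = text.lines.map do |l|
    new_l, status = pin_from_line(l.chomp, resolver)
    counts[status] += 1
    new_l
  end
  [out.join("\n") + (text.end_with?("\n") ? "\n" : ''), counts]
end

# Constructed stand-in for a registry lookup. A real resolver would fetch
# /v2/<name>/manifests/<tag> and read the Docker-Content-Digest header.
DIGEST_A = 'sha256:' + 'a' * 64
DIGEST_B = 'sha256:' + 'b' * 64
SAMPLE_RESOLVER = lambda do |image, tag|
  { ['ubuntu', '22.04'] => DIGEST_A, ['ghcr.io/org/app', 'v1.2.0'] => DIGEST_B }[[image, tag]]
end

# Constructed sample input covering each path through pin_from_line.
SAMPLE_DOCKERFILE = <<~DOCKERFILE
  FROM ubuntu:22.04 AS build
  FROM --platform=linux/amd64 ghcr.io/org/app:v1.2.0
  FROM node:latest
  FROM alpine@sha256:#{'c' * 64} # alpine:3.19
  FROM ubuntu@sha256:#{'d' * 64} # ubuntu:22.04
  RUN echo hi
DOCKERFILE

if __FILE__ == $PROGRAM_NAME
  text, counts = pin_dockerfile(SAMPLE_DOCKERFILE, SAMPLE_RESOLVER)
  puts text
  puts counts.inspect
end
```

Two design points worth keeping if this were wired into a real updater: the comment is the only place the human-readable version survives, so it must be written on the same line the digest lives on, and the resolver output is validated before it is written back, because a registry (or a proxy in front of it) returning garbage must not silently become the pinned reference.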