Asks for updates to this package's repository security. #337
Comments
Thanks for your comment - I've added it to the pile to discuss once we get the Plotly 3.0 release out the door (which should be in the next couple of weeks).
Thank you! Looking forward to the good news, keep me updated :)
Hi, is there some update for this repo security request? We have some project decision pending, would really love to be able to move forward with this security concern resolved. Thank you!
@amaranthjinn please check that we've protected the master branch as you want and that the changes in #344 will satisfy your requirements - thank you.
updated release.yml + python-test.yml to include more scoped permissions as per issue #337
The score has improved to 6.6 from 5.1. For break-down:
Can we make improvements on some of the above areas so the overall score can be above 7.5?
Hi, our project utilizes a lot of dash plotly packages (really appreciate all your work!), and would like to leverage dash-ag-grid for some new functionalities under design/development.
However, we are concerned about the security setup of this repository, and the risk of future bad changes making it into the package.
We used the tool https://github.com/ossf/scorecard to help us assess the repository security.
Some of the major concerning areas are:
Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
Warn: no topLevel permission defined: .github/workflows/release.yml:1
These can be easily mitigated, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.
Can you let me know if those security configurations can be updated soon? As it is, we would like to use the dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).
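As an added example (not the repository's own workflow files), here are the two patterns the scorecard warnings above refer to, assuming a hypothetical release job that publishes a GitHub release and a hypothetical `publish.sh` step: the weak form with no top-level `permissions:` block and a job-level `contents: write`, beside a hardened form that declares a read-only top-level default and grants write access only to the one job that needs it.

```yaml
# Weak form (constructed example, not dash-ag-grid's actual release.yml):
# no top-level `permissions:` block, so every job inherits the repository's
# default GITHUB_TOKEN rights, and the job that needs write access is granted
# it without narrowing anything else.
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh   # hypothetical release step

---
# Hardened form: the top-level block sets contents to read-only and, because
# any listed permission implicitly sets the unlisted ones to none, every other
# scope is dropped for all jobs. Only the job that creates the release gets
# `contents: write`; the test job keeps the read-only default.
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read          # read-only default; satisfies the top-level check
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest       # inherits contents: read and nothing else
  publish:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write     # scoped to this job only; needed to create the release
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh # hypothetical release step
```

The same top-level `permissions: contents: read` block, added to a test-only workflow such as python-test.yml, clears the "no topLevel permission defined" warning for that file as well.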