We do address this in the article! It's defense in depth, not theater.
We audit all of our actions, check if they pull in mutable dependencies, contribute upstream fixes, and migrate off using any action when we can.
(I work at Astral)
We do address this in the article! It's defense in depth, not theater.
We audit all of our actions, check if they pull in mutable dependencies, contribute upstream fixes, and migrate off using any action when we can.
(I work at Astral)
Do you fork them and have a team maintaining forks ?
If not you cant be sure of anything. Its just a security theater.