The ๐ death ๐ of ๐ github ๐ will ๐ never ๐ be ๐ the ๐ death ๐ of ๐ open ๐ source
this post was submitted on 17 May 2026
1 points (100.0% liked)
Security
2084 readers
2 users here now
A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.
Rules :
- All instance-wide rules apply.
- Keep it totally legal.
- Remember the human, be civil.
- Be helpful, don't be rude.
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient
founded 2 years ago
MODERATORS
The solution is simple: stop using Github actions.
Running actions on your own machine doesn't solve cache poisoning or supply chain attacks, your VM will download compromised npm package or github actions the same way GH runner does.
Version pinning/script disabling makes a compromise slightly less likely, rolling your own package server helps a lot (but who got time to maintain version whitelist).
Honestly the best solution is to have minimum amount of dependencies. You don't need a GH action to ping indexers or generic foreign key library for your backed, hammer one yourself.
That and scope all your keys so the leak won't be as devastating ๐คทโโ๏ธ
Honestly the best solution is to have minimum amount of dependencies.
Isn't this a sane practice in programming anyway? Just don't go overboard with dependency minimalism.
Yes but the reality of JavaScript codebases is that you'll typically import hundreds if not thousands of dependencies fairly quickly. Last time I looked at the UI codebase at my job it was sitting at over 40k.
That's one of the reasons) why JS development is the shitshow it is.