[caladin]

From a very cursory skim, I get the feeling that this would only work on public repositories where pull requests are allowed, correct?

Not to minimize the issue, as that type of situation is likely the norm on GitHub.

Another way of phrasing what I mean: private repositories are unlikely to be affected by this correct? Since the spoofer would have no way to propose the threatening pull request, only the real dependabot would have permission to do that in that case.

[capableweb]

Well, it works to every repository the user who is doing the spoofing has access to, private or public. If the user has access to your private repository via the GitHub ACL, they'll be able to create a PR to it with their spoofed profile.

But yes, if you have a private repository only you and dependabot has access to, no user would be able to perform this spoof against your repository.

[hedora]

This is probably the intended behavior of github, but correctly maintaining that invariant is exactly the sort of functionality middle management and project managers tend to deprioritize.

“How could they get the repo uuid without access, and even if they had it, the worst they could do is create an issue or PR that they can’t even read.”