by pengaru 302 days ago
This third party app gets write access to your repository, so it can do automated reviews of PRs?

Why would you even grant it such permissions? This is ridiculous.

1 comment

Besides that this was clearly a security f*ckup, in my mind it's almost equivalent to running those third-party linters in our Internet-connection-enabled editors and IDEs. Other than one banking project, I don't think I ever had to sandbox my editor in any way.

Scary.