by reneberlin
245 days ago
I get the point, it shouldn't be like that at all.
But you can use a runner that you run on your behalf in a cloud instead and create your runner with minimum packages. At least for as long as the situation stays like this. It's the first time it became clear to me how big the problem really is - only looking at the vulns at https://osv.dev/ (thanks for sharing - I didn't know that one). I was aware of the vuln and lately wormed mess in npm, but I was sure everything else is mitigated much better - and runners, I of course thought, are cared for a lot more. Yes, I am looking at you, GH.

Yeah, that is exactly what we thought, so we are migrating our runner to our own infra.