by barrkel 194 days ago
You specifying the top level hash doesn't do anything to pin transitive dependencies, and as the article points out, transitive dependencies - especially dependencies common to a lot of actions - would be the juiciest target for a supply chain attack.
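An added illustration of the point made in this comment (example code, not from the thread or any project it mentions): a workflow that pins its own `uses:` references to full commit SHAs still runs whatever a composite action's `action.yml` pulls in by mutable tag or branch. The action names, SHAs and file contents below are constructed; a reviewer would run this over the workflow and over the `action.yml` fetched at the pinned SHA.

```python
import re

# Constructed sample: the top-level workflow pins both actions to a full commit SHA.
WORKFLOW_YML = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: example-org/release-helper@6f1b2c3d4e5f60718293a4b5c6d7e8f901234567
"""

# Constructed sample: action.yml of the composite action pinned above. The SHA fixes
# this file's contents, but the tags and branches inside it still resolve at run time.
COMPOSITE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: some-org/setup-tool@v2
    - uses: another-org/upload@main
    - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
"""

# Matches "uses: <ref>" step lines in workflow and action YAML.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(yaml_text):
    """Return the 'owner/repo@ref' entries whose ref is not a full 40-hex commit SHA.

    Local paths ("./...") and docker:// images are not git refs and are skipped.
    """
    findings = []
    for ref in USES_RE.findall(yaml_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.rpartition("@")
        if not sep or not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def audit(files):
    """files: mapping of path -> YAML text. Returns path -> list of unpinned references."""
    return {path: unpinned_uses(text) for path, text in files.items()}


if __name__ == "__main__":
    for path, refs in audit({"workflow.yml": WORKFLOW_YML,
                             "release-helper/action.yml": COMPOSITE_ACTION_YML}).items():
        print(path, "->", refs or "all pinned")
```

The workflow itself reports nothing, while the pinned composite action still carries two mutable references that the top-level SHA does not control.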

Ah, I see it now. Thanks!