Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Asks for updates to this package's repository security. #337

Open
amaranthjinn opened this issue Oct 27, 2024 · 3 comments
Open

Asks for updates to this package's repository security. #337

amaranthjinn opened this issue Oct 27, 2024 · 3 comments
Assignees
Labels
community community contribution feature something new P2 considered for next cycle

Comments

@amaranthjinn
Copy link

Hi, our project utilizes a lot of dash plotly packages (really appreciate all your work!), and would like to leverage dash-ag-grid for some new functionalities under design/development.
However, we are concerned about the security setup of this repository, and the risk of future bad changes making into the package.
We used the tool https://github.com/ossf/scorecard to help us assess the repository security.
Some of the major concerning areas are:

  1. branch protection - the 'main' branch is not under any branch protection rule that governs write access and how changes make into releases. The recommendation is https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
  2. token permission -
    Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
    Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
    Warn: no topLevel permission defined: .github/workflows/release.yml:1
    Which can be easily mitigated, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.

Can you let me know if those security configurations can be updated soon? As it is, we would like to use the dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).

@gvwilson gvwilson self-assigned this Oct 28, 2024
@gvwilson gvwilson added feature something new community community contribution P2 considered for next cycle labels Oct 28, 2024
@gvwilson
Copy link
Contributor

Thanks for your comment - I've added it to the pile to discuss once we get the Plotly 3.0 release out the door (which should be in the next couple of weeks).

@amaranthjinn
Copy link
Author

Thank you! Looking forward to the good news, keep me updated :)

@amaranthjinn
Copy link
Author

Hi, is there some update for this repo security request? We have some project decision pending, would really love to be able to move forward with this security concern resolved. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community community contribution feature something new P2 considered for next cycle
Projects
None yet
Development

No branches or pull requests

2 participants