Hi, our project utilizes a lot of dash plotly packages (really appreciate all your work!), and would like to leverage dash-ag-grid for some new functionalities under design/development.
However, we are concerned about the security setup of this repository, and the risk of future bad changes making it into the package.
We used the tool https://github.com/ossf/scorecard to help us assess the repository security.
Some of the major concerning areas are:
token permission -
Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
Warn: no topLevel permission defined: .github/workflows/release.yml:1
These can be easily mitigated; see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.
Can you let me know if those security configurations can be updated soon? As it is, we would like to use dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).
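To make the two Scorecard warnings concrete, here is an added before/after illustration of the Token-Permissions finding. It is not the dash-ag-grid project's actual release.yml (only the file paths and line numbers above come from the issue); the workflow contents, job names, tag pattern and build commands are assumptions chosen to show the pattern. The first document has no top-level `permissions:` block and a job that requests `contents: write`, which is exactly what the two warnings describe; the second sets a read-only default for the whole workflow and grants write access to repository contents only to the single job that publishes the release.

```yaml
# Added illustration, not the project's own workflow. Hypothetical release
# workflow as the Scorecard Token-Permissions check would flag it.

# --- Before: flagged ----------------------------------------------------
# No top-level `permissions:` block, so every job inherits the repository's
# default GITHUB_TOKEN scopes, and the build job itself asks for write
# access to repository contents even though building needs only read access.
name: release
on:
  push:
    tags: ["v*"]          # assumed trigger
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # flagged: jobLevel 'contents' permission set to 'write'
    steps:
      - uses: actions/checkout@v4
      - run: python -m build

---
# --- After: least privilege ---------------------------------------------
# A top-level block makes read-only the default for every job in the file.
# Only the job that actually creates the GitHub release asks for
# `contents: write`; a compromised build step no longer holds a token that
# can push to the repository or create releases.
name: release
on:
  push:
    tags: ["v*"]          # assumed trigger
permissions:
  contents: read          # workflow-wide default
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write     # only this job can create the release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: gh release create "$GITHUB_REF_NAME" dist/*
        env:
          GH_TOKEN: ${{ github.token }}
```

The same shape applies to python-test.yml: a test workflow normally needs nothing beyond `contents: read` at the top level. Any job that needs an additional scope (for example `id-token: write` for PyPI trusted publishing) adds just that scope under its own `permissions:` key rather than widening the default.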
Thanks for your comment - I've added it to the pile to discuss once we get the Plotly 3.0 release out the door (which should be in the next couple of weeks).
Hi, is there any update on this repo security request? We have a project decision pending and would really love to be able to move forward with this security concern resolved. Thank you!