
On 2021-04-16 14:26, Adi Roiban wrote:
> I don't know how we can prevent these types of security issues. We are a public project with limited resources and are always exposed when we are pulling dependencies from codecov or PyPI that we don't fully control.
> I guess that what we can do is stop using the codecov.io bash uploader and switch back to the Python uploader.
What will this do now? Do you consider the bash uploader a greater future risk than any other thing that codecov, or anyone else, creates?
> Any other ideas?
In a single CI system (rather than using two) we could do the project coverage absolute limit check and patch coverage check (diff-cover) in-build. Maybe there's even a place we could publish the coverage HTML output?

That said, I've never been much for avoiding services, and the proposal for not using a codecov package involves adding another package, so... And like you said Adi, it seems pretty implausible to audit all code we use in CI. So, I don't know how there's a solution. But I'm well aware that I'm not a security person.

Cheers,
-kyle
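One control that does not require auditing the uploader's code is to pin the digest of whatever script the CI job fetches and refuse to execute it when the digest changes, which is exactly the class of tampering the thread is worried about. The snippet below is an added example, not code from the project or from either participant; the temporary file, its contents and the "pinned" hash are constructed for the demo, and a real job would read the expected hash from a file committed to the repository.

```shell
#!/bin/sh
# Added example (not from the thread): gate execution of a downloaded CI
# helper, such as a coverage uploader, on a SHA-256 pinned in the repo.
# All file names and hashes here are constructed for demonstration.

sha256_of() {
    # Print the hex SHA-256 of file $1 with whichever tool the host has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256.
# On mismatch it runs nothing and returns 1, so a script that was
# modified at the download source cannot execute in the job.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file"
}

# Demo: a constructed stand-in for the uploader, first with the correct
# pin (runs), then with a stale pin (refused).
demo() {
    tmp=$(mktemp)
    printf 'echo uploader ran\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_and_run "$tmp" "$good"
    rc_good=$?
    verify_and_run "$tmp" \
      "0000000000000000000000000000000000000000000000000000000000000000" 2>/dev/null
    rc_bad=$?
    rm -f "$tmp"
    echo "exit codes: good=$rc_good bad=$rc_bad"
}
```

The same idea applies to the Python uploader route Adi mentions: installing it with `pip install --require-hashes -r requirements.txt` makes pip refuse any wheel or sdist whose hash is not listed, so a replaced release on the index fails the job instead of running in it. Neither check stops a malicious release that was pinned in good faith; it only makes a later, silent swap of the same artifact detectable, which is the gap the bash uploader incident exposed.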