From what I've seen, everyone only pins revisions when using pre-commit hooks.

Even though usually these hooks are run in a separate workflow, malicious code can also be run in a developer's environment without any changes to our source code (someone can push malicious code to the hook using the same revision).

To overcome this, we can pin hooks using a commit hash like this:

rev: ce40a160603ab0e7d9c627ae33d7ef3906e2d2b2 # frozen: v3.19.1

The best part is that this can be done automatically: running

pre-commit autoupdate --freeze

does it for you. This will also update the pre-commit hooks versions, but usually that's a good thing.

I made an example in the jupyter/docker-stacks repo: jupyter/docker-stacks#2289
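As an added example (not code from the issue above nor from jupyter/docker-stacks), here is a small check a team could run in CI to catch hooks whose `rev:` is still a movable tag or branch rather than a full commit hash; the repo URLs in the sample config are constructed, and the script treats only a full 40-hex SHA as frozen (the hash and `# frozen:` comment reuse the format shown in the issue).

```python
import re
import sys
from typing import List, Tuple

# Constructed sample .pre-commit-config.yaml (repo URLs are placeholders):
# hooks-a is pinned to a mutable tag, hooks-b to a frozen commit hash as
# `pre-commit autoupdate --freeze` writes it.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/example-org/hooks-a
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
  - repo: https://github.com/example-org/hooks-b
    rev: ce40a160603ab0e7d9c627ae33d7ef3906e2d2b2  # frozen: v3.19.1
    hooks:
      - id: example-hook
"""

REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)\s*$")
REV_RE = re.compile(r"^\s*rev:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full hash counts as frozen


def find_unfrozen_hooks(config_text: str) -> List[Tuple[str, str]]:
    """Return (repo, rev) pairs whose rev is not a full 40-hex commit hash.

    A line-based scan is used instead of a YAML parser so the check has no
    third-party dependency; it relies on the usual `- repo:` / `rev:` layout.
    """
    unfrozen: List[Tuple[str, str]] = []
    repo = None
    for line in config_text.splitlines():
        m = REPO_RE.match(line)
        if m:
            repo = m.group(1)
            continue
        m = REV_RE.match(line)
        if m and repo is not None:
            rev = m.group(1).strip("'\"")
            if not SHA_RE.match(rev):
                unfrozen.append((repo, rev))
    return unfrozen


if __name__ == "__main__":
    # Usage: python check_frozen.py [.pre-commit-config.yaml]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for repo, rev in find_unfrozen_hooks(text):
        print(f"not frozen: {repo} rev={rev} (run: pre-commit autoupdate --freeze)")
    sys.exit(1 if find_unfrozen_hooks(text) else 0)
```

A non-zero exit status lets the check fail a CI job until every hook is pinned to a hash.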