Hi, our project utilizes a lot of dash plotly packages (really appreciate all your work!), and would like to leverage dash-ag-grid for some new functionalities under design/development.
However, we are concerned about the security setup of this repository and the risk of future bad changes making it into the package.
We used the tool https://github.com/ossf/scorecard to help us assess the repository security.
Some of the major concerning areas are:
- Branch protection: the 'main' branch is not under any branch protection rule that governs write access and how changes make it into releases. The recommendation is https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
- Token permissions:

  ```
  Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
  Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
  Warn: no topLevel permission defined: .github/workflows/release.yml:1
  ```

  These can be easily mitigated, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.
Can you let me know if those security configurations can be updated soon? As it is, we would like to use dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).
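For reference, this is what the Scorecard token-permission findings above translate to in a workflow file. It is an added illustration, not the project's actual `release.yml`: the trigger, job names, steps and the assumption that the release job publishes to PyPI are all hypothetical.

```yaml
# Hypothetical release.yml showing the two token-permission fixes.
name: release
on:
  push:
    tags: ['v*']

# Fix for "no topLevel permission defined": set a workflow-wide default so
# every job's GITHUB_TOKEN is read-only unless the job opts in explicitly.
# The same two lines belong at the top of python-test.yml.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default; a test job never needs a write token.
    steps:
      - uses: actions/checkout@v4
      - run: pip install -r requirements.txt && pytest

  release:
    needs: test
    runs-on: ubuntu-latest
    # Fix for "jobLevel 'contents' permission set to 'write'": the elevated
    # permission is granted to this one job only, never workflow-wide, and
    # only what the job needs. If the job just uploads to PyPI via trusted
    # publishing, 'id-token: write' is enough and 'contents: write' can be
    # dropped; keep 'contents: write' only if the job also creates a GitHub
    # Release.
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Setting the top-level default to `contents: read` clears both "no topLevel permission defined" warnings; the remaining job-level write is then the explicit, reviewable exception Scorecard is asking for.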