Conversation

@madsmtm madsmtm commented Oct 22, 2025

I've been thinking a lot about sandboxing build scripts and proc-macros lately, and it occurred to me that if I were to attack this repo, I'd go the route of adding a ctor to some deeply nested dependency that sends the GITHUB_TOKEN somewhere if it detects it's inside this repo, and then just wait for Dependabot to update the dependency here.

CC @Kobzol, opening this to ensure that this is something you / t-infra is aware of.
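As an added illustration of the detection side of the scenario madsmtm describes (this is not code from the PR or from any rust-lang repository), the following Python scans a directory of unpacked crate sources (for example the output of `cargo vendor`) for life-before-main constructors and flags those that also read CI environment variables such as `GITHUB_TOKEN`. The crate layout and sample sources are constructed for the demo.

```python
import os
import re
import tempfile

# Markers of code that runs before main(): the `ctor` crate attribute, or raw
# link_section placement into each platform's constructor section.
CTOR_PATTERNS = [
    re.compile(r"#\[\s*(?:ctor::)?ctor\s*\]"),
    re.compile(r'link_section\s*=\s*"\.init_array'),            # ELF (Linux)
    re.compile(r'link_section\s*=\s*"__DATA,__mod_init_func'),  # Mach-O (macOS)
    re.compile(r'link_section\s*=\s*"\.CRT\$XCU'),              # PE (Windows/MSVC)
]
# Reads of CI-identifying or secret-bearing environment variables.
CI_ENV_PATTERN = re.compile(r'env::var(?:_os)?\(\s*"(?:GITHUB_TOKEN|GITHUB_REPOSITORY|GITHUB_ACTIONS|CI)"')


def classify(source: str):
    """Return 'ctor+ci-probe', 'ctor', or None for one Rust source file."""
    if not any(p.search(source) for p in CTOR_PATTERNS):
        return None
    return "ctor+ci-probe" if CI_ENV_PATTERN.search(source) else "ctor"


def scan_tree(root: str):
    """Walk unpacked crate sources and list (relative path, verdict) hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".rs")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = classify(fh.read())
            if verdict:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), verdict))
    return sorted(hits)


def demo():
    """Constructed sample tree: one benign crate, one with a plain ctor, one probing CI."""
    samples = {
        "benign-1.0/src/lib.rs": "pub fn add(a: u32, b: u32) -> u32 { a + b }\n",
        "logger-0.3/src/lib.rs": "#[ctor::ctor]\nfn init() { println!(\"init\"); }\n",
        "nested-2.1/src/lib.rs": '#[ctor]\nfn init() {\n    let _ = std::env::var("GITHUB_TOKEN");\n}\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

This is a heuristic review aid only: build scripts and proc-macros execute arbitrary code without any constructor attribute, which is why the sandboxing discussed above matters more than source grepping.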

@github-actions

Dry-run check results

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Repo Diffs:
    📝 Editing repo 'rust-analyzer/smol_str':
      Permission Changes:
        Removing user 'alexheretic''s write permission 

@jieyouxu jieyouxu added the T-infra Relevant to the infrastructure team. label Oct 22, 2025
@Kobzol Kobzol commented Oct 23, 2025

Good point. We made some mitigations against this, but it's not perfect.

@jieyouxu jieyouxu added needs-infra-admin-review This change requires one of the `infra-admins` to review. S-waiting-on-review Status: waiting on review from a team/WG/PG lead, an infra-admin, and/or a team-repo-admin. labels Nov 13, 2025