alt Hacker NewsI have seen small utility libraries like tj-actions get compromised because there aren't any security specialists looking at the library.
My main concern is supply chain compromise.
I have seen small utility libraries like tj-actions get compromised because there aren't any security specialists looking at the library.
My main concern is supply chain compromise.
Unless you're talking about a different event, tj-actions wasn't "compromised because there aren't any security specialists looking at the library". Instead, an API key was used, maybe by the author, maybe by someone else, to replace good code with bad code, including modifying historical release tags to point to the bad code.
That said, everything in my previous post still applies: a nonzero buglist is totally normal and widely accepted.