Hello there 👋,
Today in the Node.js security meeting we discussed that the undici project score had dropped due to a change in the workflows. This seems to be related to the following commit.

Full report here
- nightly.yml and test.yml seem to lack global permissions

  ```yaml
  permissions:
    contents: read
  ```
- In nodejs.yml we have warnings to review the following permissions.

  ```yaml
  permissions:
    contents: write
    pull-requests: write
    actions: write
  ```

Github Action Merge Dependabot requires `pull-requests` and `contents` (not sure if `actions` is required). These warnings are perhaps to be ignored.
@nodejs/security-wg
undici/.github/workflows/nodejs.yml
Lines 102 to 105 in d3d24e2
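
The two findings in the post above (a workflow with no top-level `permissions:` block, and scopes granted `write`) can be checked locally with a small audit. This is an added example, not code from the post or from the undici project: it is a simplified indentation-based check rather than the scoring tool's own logic, and the sample workflows are constructed for illustration.

```python
import re

# Constructed sample workflows for illustration (not the real undici files).
SAMPLES = {
    "nightly.yml": (
        "name: Nightly\n"
        "on:\n"
        "  schedule:\n"
        "    - cron: '0 0 * * *'\n"
        "jobs:\n"
        "  test:\n"
        "    runs-on: ubuntu-latest\n"
    ),
    "nodejs.yml": (
        "name: CI\n"
        "on: [push, pull_request]\n"
        "permissions:\n"
        "  contents: read\n"
        "jobs:\n"
        "  automerge:\n"
        "    runs-on: ubuntu-latest\n"
        "    permissions:\n"
        "      contents: write  # needed to merge\n"
        "      pull-requests: write\n"
        "      actions: write\n"
    ),
}

def audit(text):
    """Return (has_top_level_permissions, [(job or None, scope), ...] granted write)."""
    has_top, writes, stack = False, [], []  # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue  # list items, blank lines, comments
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings that ended before this line
        path = [k for _, k in stack]
        job = path[1] if len(path) >= 2 and path[0] == "jobs" else None
        if key == "permissions" and (not path or (job and len(path) == 2)):
            has_top = has_top or not path
            if value == "write-all":
                writes.append((job, "*"))
        elif value == "write" and (path == ["permissions"]
                                   or (job and path[2:] == ["permissions"])):
            writes.append((job, key))
        stack.append((indent, key))
    return has_top, writes
```

A `None` job in the result means the scope was granted at workflow level; each job-level `write` entry is one to confirm against what the job actually needs.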