
Asks for updates to this package's repository security.

Open amaranthjinn opened this issue 1 year ago • 6 comments

Hi, our project utilizes a lot of Dash Plotly packages (really appreciate all your work!), and we would like to leverage dash-ag-grid for some new functionalities under design/development. However, we are concerned about the security setup of this repository, and the risk of future bad changes making it into the package. We used the tool https://github.com/ossf/scorecard to help us assess the repository security. Some of the major concerning areas are:

  1. branch protection - the 'main' branch is not under any branch protection rule that governs write access and how changes make it into releases. The recommendation is https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
  2. token permission -
     Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
     Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
     Warn: no topLevel permission defined: .github/workflows/release.yml:1
     These can be easily mitigated, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.

Can you let me know if those security configurations can be updated soon? As it is, we would like to use the dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).

amaranthjinn avatar Oct 27 '24 20:10 amaranthjinn
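The token-permission findings above are mechanical enough to check before a Scorecard run. The following is an added example (not code from the dash-ag-grid project or from anyone in this thread) that reproduces the two warning types quoted in the issue over two constructed workflows: one shaped like the flagged `release.yml` and one hardened with a read-only top-level `permissions:` block. The workflows are Python dicts shaped like what `yaml.safe_load()` returns for a workflow file; only the file names come from the thread, their contents (jobs, steps, the `HIGH_RISK_WRITE_SCOPES` set) are assumptions.

```python
"""Flag the two token-permission findings OpenSSF Scorecard raised in this
thread: no top-level `permissions:` block, and a job granting `contents: write`.

Added example, not project code.  The workflows below are constructed dicts
shaped like yaml.safe_load() output; only the file names come from the issue.
"""

# Scopes whose job-level "write" grant this checker treats as excessive.
# Assumption: this follows the spirit of Scorecard's check, not its exact list.
HIGH_RISK_WRITE_SCOPES = {"contents", "packages", "actions"}

# Constructed: mirrors the shape of the flagged release.yml (contents assumed).
WEAK_RELEASE_WORKFLOW = {
    "name": "release",
    "on": {"push": {"tags": ["v*"]}},
    # no top-level "permissions" key: every job inherits the repository
    # default GITHUB_TOKEN, which may be read/write on every scope
    "jobs": {
        "release": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "write"},  # the jobLevel 'contents' warning
            "steps": [{"run": "python -m build"}],
        }
    },
}

# Constructed: default-deny at the top, each job opts in to only what it needs.
HARDENED_RELEASE_WORKFLOW = {
    "name": "release",
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "read"},  # read-only baseline for every job
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [{"run": "python -m build"}],
        },
        "publish": {
            "runs-on": "ubuntu-latest",
            "needs": "build",
            # only the OIDC token scope the publish step needs (assumed step)
            "permissions": {"id-token": "write"},
            "steps": [{"uses": "pypa/gh-action-pypi-publish@release/v1"}],
        },
    },
}


def check_workflow(path, workflow):
    """Return Scorecard-style warning strings for one parsed workflow."""
    warnings = []
    top = workflow.get("permissions")
    if top is None:
        warnings.append(f"no topLevel permission defined: {path}:1")
    elif top == "write-all":
        warnings.append(f"topLevel permissions set to 'write-all': {path}:1")
    elif isinstance(top, dict):
        for scope, level in top.items():
            if level == "write":
                warnings.append(f"topLevel '{scope}' permission set to 'write': {path}:1")
    for job_name, job in workflow.get("jobs", {}).items():
        perms = job.get("permissions")
        if perms == "write-all":
            warnings.append(f"jobLevel permissions set to 'write-all': {path} (job '{job_name}')")
        elif isinstance(perms, dict):
            for scope, level in perms.items():
                if level == "write" and scope in HIGH_RISK_WRITE_SCOPES:
                    warnings.append(
                        f"jobLevel '{scope}' permission set to 'write': {path} (job '{job_name}')"
                    )
    return warnings


def add_default_deny(workflow):
    """Return a copy with a read-only top-level block if the workflow has none.

    Job-level grants are left untouched, so a job keeps exactly the scopes it
    explicitly asked for and nothing inherits the repository default.
    """
    fixed = dict(workflow)
    fixed.setdefault("permissions", {"contents": "read"})
    return fixed


if __name__ == "__main__":
    for path, wf in [
        (".github/workflows/release.yml", WEAK_RELEASE_WORKFLOW),
        (".github/workflows/release.yml", HARDENED_RELEASE_WORKFLOW),
    ]:
        findings = check_workflow(path, wf)
        print(f"{path}: {len(findings)} warning(s)")
        for line in findings:
            print("  Warn:", line)
```

Adding the top-level block alone clears the "no topLevel permission defined" finding but not the job-level `contents: write` one; that grant has to be narrowed in the job that holds it.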

Thanks for your comment - I've added it to the pile to discuss once we get the Plotly 3.0 release out the door (which should be in the next couple of weeks).

gvwilson avatar Oct 28 '24 19:10 gvwilson

Thank you! Looking forward to the good news, keep me updated :)

amaranthjinn avatar Nov 05 '24 23:11 amaranthjinn

Hi, is there any update on this repo security request? We have some project decisions pending and would really love to be able to move forward with this security concern resolved. Thank you!

amaranthjinn avatar Nov 25 '24 18:11 amaranthjinn

Set up branch protection rule for main, requiring PR + approval/review. [image]

t1nfoil avatar Nov 27 '24 16:11 t1nfoil

@amaranthjinn please check that we've protected the master branch as you want and that the changes in #344 will satisfy your requirements - thank you.

gvwilson avatar Nov 28 '24 18:11 gvwilson

The score has improved to 6.6 from 5.1. Breakdown:

  • branch protection is at 5/10
    Warn: codeowners review is required - but no codeowners file found in repo
    Warn: 'last push approval' is disabled on branch 'main'
    Warn: no status checks found to merge onto branch 'main'

  • signed release is 0/10

  • token permission is 9/10
    Warn: jobLevel 'contents' tokens with excessive permission set to 'write': permissions .github/workflows/build.yml:17
    Warn: no topLevel permission defined: .github/workflows/build.yml:1
    Warn: no topLevel permission defined: .github/workflows/publish-to-pypi.yml:1

  • dependency update tool is 0/10

Can we make improvements in some of the above areas so the overall score can be above 7.5?

amaranthjinn avatar Dec 05 '24 20:12 amaranthjinn