Joyce
@Jamstah, if you prefer, I can also run it and post it here; just let me know if this is better for you.
Here is the Scorecard simple run on the distribution repo. Note: the Pinned Dependencies and Packaging checks didn't work properly due to an error in dockerfiles/vendor.Dockerfile:1:1 that I will...
Yeah, those are very easy security-practice wins, and if you want help doing that I can work on that too, on related issues like the one you've mentioned. But...
The one I've mentioned ([GHSA-w573-4hg7-7wgq](https://osv.dev/vulnerability/GHSA-w573-4hg7-7wgq)) is a dependency of the "decision-tree-generator" tool. But for each one I solve I will try to explain in the PR how the vulnerable dependency would...
Hi @kwonoj, I've explored the found vulnerabilities further (I've started with the package.json and package-lock.json in the root folder), starting by handling the vulnerabilities reported by npm audit: The...
Ah, thanks for bringing that up. I was also struggling to correctly bump the right versions, since there are lots of vulnerabilities found in indirect dependencies 😓...
Hi! I'm writing to follow up on your review in this pull request. I noticed that you haven't left any feedback yet. I'm happy to answer any questions you have...
I really liked this idea of "punishing but not much" because it would also differentiate the case of a "safe workflow unpinned" from a "potentially dangerous workflow unpinned". Good idea...
Hi Daniel, thanks for reaching out. About the score: actually, 6.7 is a great score! In comparison with the overall open source community, the Jenkins project with a score of...
Yeah, you are right, Scorecard is currently limited to mostly GitHub solutions, and it is not very fair to projects that have solved these security issues or concerns...