
Create dependabot.yml

Open MIchaelMainer opened this issue 3 years ago • 4 comments

Part of component governance review

MIchaelMainer avatar Jan 06 '22 03:01 MIchaelMainer

Thanks for surfacing this! To avoid PowerShell assembly dependency conflicts, we will need to investigate how this can be safely used with our assembly resolver.

peombwa avatar Jan 06 '22 18:01 peombwa

Interesting. As it is currently, the automated use of dependabot would then trigger manual changes to the PowerShell Assembly Load Context every time a dependency is out of date, correct?

We can also consider using the Component Governance task in AzDO.

MIchaelMainer avatar Jan 06 '22 19:01 MIchaelMainer

That's right! It looks like we will need a post-dependabot script to ensure dependencies are also updated in the PowerShell Assembly Load Context. I can look into this.

peombwa avatar Jan 06 '22 19:01 peombwa

Required reading for this work item.

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

MIchaelMainer avatar Feb 23 '22 04:02 MIchaelMainer
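A starting point for the file this issue asks for, written here as an added example rather than anything merged into msgraph-sdk-powershell: it watches the NuGet package references (the assemblies the thread says must stay in step with the Assembly Load Context) and the repository's own GitHub Actions. The `directory` values and the label name are assumptions; the ALC update still has to be done by the follow-up script the thread describes, since Dependabot only edits package manifests and, per the linked changelog, workflows it triggers run with a read-only token.

```yaml
# .github/dependabot.yml (example; paths and labels are assumptions)
version: 2
updates:
  # NuGet packages pulled in by the SDK's .csproj files.
  # Assumes the project files live under the repository root;
  # point "directory" at the folder that holds them if not.
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap open PRs so each bump can be checked against the
    # Assembly Load Context before the next one lands.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Actions used by the repository's own workflows, so pinned
  # action versions get the same review as package versions.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

A dependency bump opened by this config is not complete until the matching Assembly Load Context entry is updated, so a CI check on `pull_request` (not `pull_request_target`, as the pwn-requests article explains) that diffs the two is the natural gate for these PRs.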