feat: Cross-check updates to dependency metadata #35580
nikclayton started this conversation in Suggest an Idea
Replies: 0 comments
Renovate can regenerate dependency metadata when a dependency changes (thanks for that feature, very helpful).
E.g., https://docs.renovatebot.com/modules/manager/gradle/#dependency-verification
However, this doesn't (and can't) tell the user if the upstream dependency has been compromised.
What it could do -- similarly to the report that shows the adoption/passing/confidence info -- is show how many other updates of the same dependency have the same metadata.
E.g., if there are 1,000 users of dependency X, and the first 990 updates of X to version N+1 have the same metadata (checksum, key), and then the next 10 have different metadata but the same version N+1, then that's an indication of possible compromise, and it should be flagged on all 1,000 PRs.
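The cross-check proposed above, written out as an added TypeScript example. This is not Renovate's code and not the author's; it assumes a flat list of "observations" (dependency, version, checksum, signing key id, PR id) that some collector has already gathered from many users' update PRs, and all sample values below are constructed. It groups observations per dependency@version, tallies the distinct (checksum, key) pairs, and, when more than one pair exists, flags every PR of that version, including the 990 that agree, exactly as the post asks:

```typescript
// Added example (not Renovate's own code). Models the idea in the post:
// collect the verification metadata (checksum + signing key) that many
// independent updates of the same dependency version observed, and flag
// every PR of that version when the observations disagree.

interface Observation {
  dependency: string; // e.g. "com.example:x" (constructed)
  version: string;    // target version of the update
  checksum: string;   // artifact checksum as written to the verification metadata
  keyId: string;      // signing key id seen for the artifact
  pr: string;         // identifier of the update PR (constructed)
}

interface Variant {
  checksum: string;
  keyId: string;
  count: number;
  prs: string[];
}

interface ConsensusReport {
  dependency: string;
  version: string;
  total: number;
  majority: Variant;   // most frequently observed (checksum, key) pair
  minority: Variant[]; // every other pair seen for the same version
  conflicting: boolean;
}

// Group observations by dependency@version, tally distinct (checksum, key)
// pairs, and mark the group as conflicting when more than one pair exists.
function crossCheck(observations: Observation[]): ConsensusReport[] {
  const groups: Record<string, Observation[]> = {};
  for (const o of observations) {
    const key = o.dependency + "@" + o.version;
    (groups[key] = groups[key] || []).push(o);
  }
  const reports: ConsensusReport[] = [];
  for (const key of Object.keys(groups)) {
    const obs = groups[key];
    const tally: Record<string, Variant> = {};
    for (const o of obs) {
      const mk = o.checksum + "|" + o.keyId;
      const v = tally[mk] || (tally[mk] = { checksum: o.checksum, keyId: o.keyId, count: 0, prs: [] });
      v.count++;
      v.prs.push(o.pr);
    }
    const variants = Object.keys(tally).map((k) => tally[k]).sort((a, b) => b.count - a.count);
    reports.push({
      dependency: obs[0].dependency,
      version: obs[0].version,
      total: obs.length,
      majority: variants[0],
      minority: variants.slice(1),
      conflicting: variants.length > 1,
    });
  }
  return reports;
}

// Per the post: when a version's metadata disagrees, every PR for that
// version gets flagged, not only the ones carrying the minority value.
function prsToFlag(reports: ConsensusReport[]): string[] {
  const flagged: string[] = [];
  for (const r of reports) {
    if (!r.conflicting) continue;
    flagged.push(...r.majority.prs);
    for (const m of r.minority) flagged.push(...m.prs);
  }
  return flagged;
}

// Human-readable warning text that could be attached to each flagged PR.
function warningFor(r: ConsensusReport): string {
  const pct = Math.round((100 * r.majority.count) / r.total);
  const others = r.minority
    .map((m) => m.count + " saw " + m.checksum + " signed by " + m.keyId)
    .join("; ");
  return r.dependency + "@" + r.version + ": " + r.majority.count + "/" + r.total +
    " updates (" + pct + "%) observed " + r.majority.checksum + " signed by " +
    r.majority.keyId + "; " + others + ". Possible upstream compromise, verify before merging.";
}

// Constructed sample mirroring the post's scenario: 990 updates agree, the
// next 10 carry a different checksum and key for the same version. A second
// dependency whose updates all agree is included for contrast.
function sampleObservations(): Observation[] {
  const obs: Observation[] = [];
  for (let i = 0; i < 1000; i++) {
    const tampered = i >= 990;
    obs.push({
      dependency: "com.example:x",
      version: "2.0.0",
      checksum: tampered ? "sha256:bbbb-constructed" : "sha256:aaaa-constructed",
      keyId: tampered ? "KEY-B-CONSTRUCTED" : "KEY-A-CONSTRUCTED",
      pr: "pr-" + i,
    });
  }
  for (let i = 0; i < 5; i++) {
    obs.push({ dependency: "org.example:y", version: "1.4.2",
      checksum: "sha256:cccc-constructed", keyId: "KEY-C-CONSTRUCTED", pr: "pr-y-" + i });
  }
  return obs;
}

const reports = crossCheck(sampleObservations());
for (const r of reports) if (r.conflicting) console.log(warningFor(r));
```

A real collector would also need to decide how many independent observations make a majority trustworthy; with only a handful of users the "majority" may itself be the first observation of a compromised artifact, so the report should show the absolute count alongside the percentage, which `warningFor` does.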