You must log in or register to comment.
Every run re-resolves from your workflow file, and the results can change without any modification to your code.
Sounds expensive too.
Ahhh, I get it now.
R has the same problems as far as I’m aware, though it doesn’t form the core of a lot of modern CI of course!
R (largely and by default) relies on CRAN, and they are extremely selective about what packages they accept, including testing new package versions against downstream packages before publishing an update, etc. That largely mitigates many of the concerns of some random 10 layer deep dependency getting swapped for something malicious.
