Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a quick question for when reviewing dependency updates from the dependabot :
When checking a package update from dependabot :
checksum
is correct ? to make sure that we are using the correct dependency and not a malicious one. I tried different things like :I checked in the npm registry > under
versions
>1.15.2
>dist
>shasum
but the hash looks different than the one shown here
I also downloaded the tar file of follow-redirects and then tried to check the hash with the corresponding command or generate it with different algorithms (256, 512, etc) but still it looks different.
Based on this article
So maybe there is no point of checking it if this hash is generated by
yarn
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So PR's such as this are not things that need to be overly reviewed. Just reading either the commits, or changelog if its there by dependabot is enough. Dependabot leverages the Github security advisory, so there is no need checking the checksum, etc. It would just be doing the work the Dependabot and Github do for us already.