Comment by reneberlin
7 hours ago
I get the point, it shouldn't be like that at all. But you can use a runner that you run yourself in a cloud instead and build that runner with a minimum of packages. At least for as long as the situation stays like this.
It's the first time it became clear to me how big the problem really is, just from looking at the vulns at https://osv.dev/ (thanks for sharing, I didn't know that one).
I was aware of the vuln and the lately wormed mess in npm, but I was sure everything else was mitigated much better, and runners, I of course thought, are cared for a lot more. Yes, I am looking at you, GH.
Thanks for your thoughts!
Yeah, that is exactly what we thought, so we are migrating our runner to our own infra.