Comment by dec0dedab0de
3 days ago
What if you pin it to a version that is compromised for years before finding out?
Allowing it to be updated can also fix security problems.
It’s basically all the same arguments as static vs dynamic linking.
Plus, I believe I saw that the one action was getting the latest version of trivy anyway.