@kreynen Worth noting that even the 2.x beta documentation recommends avoiding patches autogenerated by PR/MR URLs.
> "The contents of these patches can change by pushing more commits to a pull request or merge request. A malicious user could abuse this behavior to cause you to deploy code that you didn’t mean to deploy."
The recommendation is to download a patch & apply it locally, but I'm guessing we'll see devs continue to add patches in queues & include those URLs
@kreynen I completely agree, and as the post states, using the GitLab provided patch in a composer.json without downloading it and referencing it from a local directory is also a security risk. Although, I'm curious how this recommendation will change once GitLab allows .patch to be appended to any compare URL.
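A small checker for the risk the two comments describe, as an added example rather than code from composer-patches or from either commenter: it reads a `composer.json`, walks `extra.patches`, and flags any patch source that is a live GitHub pull-request, GitLab merge-request or GitLab compare URL, whose contents can change after the fact, while leaving locally vendored patch files alone. The object form with a `url` key and the sample `composer.json` are assumptions constructed for the example.

```python
import json
import re

# Patch URLs generated from a mutable ref: the content changes whenever more commits
# are pushed to the PR/MR (or to either side of a compare range). Constructed patterns.
MUTABLE_PATCH_PATTERNS = [
    re.compile(r"^https?://github\.com/[^/]+/[^/]+/pull/\d+\.(patch|diff)$"),
    re.compile(r"^https?://[^/]+/.+/-/merge_requests/\d+\.(patch|diff)$"),
    re.compile(r"^https?://[^/]+/.+/-/compare/.+\.(patch|diff)$"),
]


def is_mutable_patch_url(source):
    """True when the patch is fetched from a PR/MR/compare URL rather than a pinned file."""
    return any(p.match(source) for p in MUTABLE_ATCH_PATTERNS) if False else any(
        p.match(source) for p in MUTABLE_PATCH_PATTERNS)


def iter_patch_sources(composer):
    """Yield (package, description, source) for every entry under extra.patches.
    Accepts the composer-patches 1.x shapes ({"description": "source"} or a plain list)
    and, as an assumption, objects carrying a "url" key."""
    patches = composer.get("extra", {}).get("patches", {})
    for package, entries in patches.items():
        items = entries.items() if isinstance(entries, dict) else enumerate(entries)
        for key, value in items:
            if isinstance(value, str):
                yield package, str(key), value
            elif isinstance(value, dict) and "url" in value:
                yield package, value.get("description", str(key)), value["url"]


def find_mutable_patches(composer_json_text):
    """Return the patch entries a reviewer should ask to be downloaded and vendored locally."""
    composer = json.loads(composer_json_text)
    return [(pkg, desc, src) for pkg, desc, src in iter_patch_sources(composer)
            if is_mutable_patch_url(src)]


# Constructed sample composer.json: one live MR URL, one local file, one live PR diff.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/site",
  "extra": {
    "patches": {
      "drupal/core": {
        "Fix from an open MR (constructed)": "https://git.drupalcode.org/project/drupal/-/merge_requests/1234.patch",
        "Fix already vendored locally": "patches/drupal-core-fix.patch"
      },
      "vendor/library": ["https://github.com/vendor/library/pull/42.diff"]
    }
  }
}"""

if __name__ == "__main__":
    for pkg, desc, src in find_mutable_patches(SAMPLE_COMPOSER_JSON):
        print(f"{pkg}: '{desc}' points at a mutable patch URL: {src}")
```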