Hacker News

> the issue here is specifically with `pull_request_target`

I just went to GitHub to search for references to that trigger type, and I admit I was surprised at the sheer number of times it is visible in a code search.

It seems like a common pattern, sadly.



Yes, it’s shockingly common. I’m of the opinion that GitHub should remove it entirely, since only a tiny majority of uses of it are demonstrably safe.
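As an added illustration of what the thread is pointing at (example code written for this page, not from either commenter or from GitHub), here is a heuristic scanner a maintainer could run over their own `.github/workflows` directory. It separates the uses of `pull_request_target` that only touch base-repo data from the risky shape, where the workflow checks out the contributor-controlled PR head and then runs commands with the base repository's write-capable `GITHUB_TOKEN` and secrets. The three sample workflows are constructed for the example; the detection is regex-based rather than a full YAML parse, so treat it as a triage aid, not a verdict.

```python
import os
import re

# Constructed sample workflows (written for this example, not taken from any real repository).
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

SAFER_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm test
"""

LABEL_ONLY_WORKFLOW = """\
name: label
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5   # reads base-repo config only, never runs PR code
"""

PRT = re.compile(r"\bpull_request_target\b")
# Expressions that resolve to the contributor-controlled head of the pull request.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/")
RUN_STEP = re.compile(r"^\s*-?\s*run\s*:", re.M)
SECRET_USE = re.compile(r"\bsecrets\.\w+")


def _strip_comments(text):
    """Drop YAML comment lines and trailing comments so they cannot trigger matches."""
    no_full = re.sub(r"(?m)^\s*#.*$", "", text)
    return re.sub(r"(?m)\s+#.*$", "", no_full)


def assess_workflow(text):
    """Return a severity ('ok', 'low', 'medium', 'high') and the reasons behind it."""
    body = _strip_comments(text)
    findings = []
    if not PRT.search(body):
        return {"severity": "ok", "findings": findings}
    findings.append("uses pull_request_target: runs in the base repo context with a "
                    "write-capable GITHUB_TOKEN and access to secrets")
    checks_head = bool(HEAD_REF.search(body))
    runs_commands = bool(RUN_STEP.search(body))
    if checks_head:
        findings.append("checks out or references the PR head (contributor-controlled code)")
    if SECRET_USE.search(body):
        findings.append("references repository secrets")
    if checks_head and runs_commands:
        findings.append("executes run: steps after checking out the PR head, so build scripts, "
                        "test runners or package lifecycle hooks from the PR run with the privileged token")
        severity = "high"
    elif checks_head:
        severity = "medium"   # checkout alone; an action may still execute code from the tree
    else:
        severity = "low"      # base-repo data only; review that no step runs PR-supplied code
    return {"severity": severity, "findings": findings}


def scan_workflows(root):
    """Assess every workflow file under root/.github/workflows; path is an assumption."""
    results = {}
    wf_dir = os.path.join(root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return results
    for name in sorted(os.listdir(wf_dir)):
        if name.endswith((".yml", ".yaml")):
            path = os.path.join(wf_dir, name)
            with open(path, encoding="utf-8") as fh:
                results[path] = assess_workflow(fh.read())
    return results


if __name__ == "__main__":
    for label, wf in [("risky", RISKY_WORKFLOW), ("safer", SAFER_WORKFLOW), ("label-only", LABEL_ONLY_WORKFLOW)]:
        result = assess_workflow(wf)
        print(f"{label}: {result['severity']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

The split between `low` and `high` is the point: `pull_request_target` by itself is not the defect, and workflows that only label or comment on a PR from base-repo configuration are the kind the second comment calls demonstrably safe. The combination of that trigger, a checkout of the PR head, and a `run:` step is what turns a drive-by pull request into code execution with the repository's credentials; the safer sample keeps the same test job on the plain `pull_request` trigger, which runs with a read-only token from a fork and no secrets.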



