Wrangling Security Vulnerabilities: Stay fresh with `latest` or safe with version pinning?

In consideration of the challenge that @MarioArriaga92 pointed out in the November 10th, 2022 Meshery Build and Release meeting regarding weighing a decision to use `latest` tags on dependent container images in various Meshery workflows vs. pinning to specific versions, one of the mechanisms for helping strike a balance is having a standing agenda item in the Build and Release meeting - an agenda item for reviewing the count and posture of outstanding security vulnerabilities.

In relation to wrangling security vulnerabilities (issue #4642), the reports from vulnerability scans of Meshery by Artifact Hub could be presented and reviewed in the Build and Release meeting.

1 Like

Oh, no. Did the Artifact Hub stop running vulnerability scans against projects?