A useful reminder from the last few days, I think: security tooling is part of the attack surface - maybe that isn't news.
But: If scanners, GitHub Actions or container images get compromised, this is not just a supply chain problem on paper. It hits the exact layer we **usually** trust to keep the rest safe.
Feels like a good time to ask: where are we still too loose on pinning, still trusting `latest`, or still assuming third-party actions are probably fine?
I think we need to find the right balance between `latest` and waiting days or even weeks to update a component (especially if it's a security patch).
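The question above is easiest to answer with a quick inventory. The script below is an added example, not part of the original post or of any named project: it walks a workflow file and a Dockerfile and reports every `uses:` that is not pinned to a full 40-hex commit SHA and every `FROM` that is not pinned by a `sha256` digest. The workflow and Dockerfile snippets are constructed inline for illustration (the commit SHA and digest in them are placeholders, not real values); local `./` actions and multi-stage aliases are skipped because they are versioned with the repository itself.

```python
import re

# Constructed sample inputs (placeholder SHA and digest, not real values).
WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool:latest
"""

DOCKERFILE = """\
FROM node:latest
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM golang:1.22 AS builder
FROM builder
FROM scratch
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_actions(workflow_text):
    """Return (line_no, ref) for every `uses:` not pinned to a full commit SHA.

    Local actions (./...) are skipped; docker:// references must carry a digest.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # versioned together with the repository
        if ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                findings.append((n, ref))
            continue
        _, _, version = ref.partition("@")
        if not SHA1_RE.match(version):  # tags and branches can be moved
            findings.append((n, ref))
    return findings


def unpinned_images(dockerfile_text):
    """Return (line_no, image) for every FROM not pinned by a sha256 digest.

    `scratch` and aliases from earlier multi-stage `AS` lines are skipped.
    """
    findings = []
    aliases = set()
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            aliases.add(alias)
        if image == "scratch" or image in aliases:
            continue
        if not DIGEST_RE.search(image):  # a tag, including :latest, is mutable
            findings.append((n, image))
    return findings


if __name__ == "__main__":
    for n, ref in unpinned_actions(WORKFLOW):
        print(f"workflow line {n}: unpinned action {ref}")
    for n, img in unpinned_images(DOCKERFILE):
        print(f"Dockerfile line {n}: unpinned image {img}")
```

Pinning to a SHA or digest does not update anything by itself; it only makes the update an explicit, reviewable change. The "days or weeks" side of the trade-off is then handled by whatever opens those pin-bump pull requests, which is a separate decision from the check above.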
#axios #trivy #supplychain #supplychainsecurity #cybersecurity #security