Security: How is this user able to review this PR?
crazy-max opened this issue · comments
Don't know if it's a flaw with GitHub itself or the way Dependabot creates PRs to update dependencies, but the user @sadikkuzu has been able to approve this PR without access rights to the repository:
I also noticed he approves a lot of them in other repositories within a few minutes:
OK, after digging, it can be done in the Files changed tab. For example with this PR, without being a contributor or a requested reviewer:
@crazy-max Yeah, I think that's expected behaviour for public repos, but it looks like the approved review check is greyed out due to the user not having write access to the repo.
@feelepxyz Yes, that's it. I think it would be nice if GitHub could allow a limitation, or at least postpone abuse.
@crazy-max Yes, the user has been reported a few times already; will look into it.
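For a maintainer who wants to check, per PR, which approvals actually come from accounts with write access and which are drive-by approvals like the one discussed above, the following is an added example (not code from this issue, from GitHub or from Dependabot). It reads the GitHub REST API review list for a pull request (`GET /repos/{owner}/{repo}/pulls/{number}/reviews`) and splits `APPROVED` reviews by the `author_association` field. The assumption that approvals from `OWNER`, `MEMBER` and `COLLABORATOR` accounts are the ones that count toward required reviews is mine, not something the thread states; the sample payload and the logins in it are constructed, not data from the PR above.

```python
import json
import urllib.request

# Assumption for this example: these associations imply write access, so their
# approvals are the ones that satisfy a "required reviews" branch protection rule.
WRITE_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}

# Constructed sample in the shape of the reviews endpoint response. The logins are
# invented; this is not the review list of the PR discussed in the issue.
SAMPLE_REVIEWS_JSON = json.dumps([
    {"id": 1, "user": {"login": "maintainer-example"}, "state": "APPROVED",
     "author_association": "MEMBER"},
    {"id": 2, "user": {"login": "drive-by-approver"}, "state": "APPROVED",
     "author_association": "NONE"},
    {"id": 3, "user": {"login": "contributor-example"}, "state": "COMMENTED",
     "author_association": "CONTRIBUTOR"},
])


def fetch_reviews(owner, repo, number, token=None):
    """Fetch the review list for a PR from the GitHub REST API (needs network; not
    used by the offline demonstration below)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/pulls/{number}/reviews"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify_approvals(reviews):
    """Split APPROVED reviews into logins with write access and everyone else.

    Non-APPROVED reviews (COMMENTED, CHANGES_REQUESTED, ...) are skipped entirely."""
    counted, ignored = [], []
    for review in reviews:
        if review.get("state") != "APPROVED":
            continue
        login = review["user"]["login"]
        if review.get("author_association") in WRITE_ASSOCIATIONS:
            counted.append(login)
        else:
            ignored.append(login)
    return counted, ignored


def approval_summary(reviews_json):
    """Parse a reviews JSON document and report which approvals count."""
    counted, ignored = classify_approvals(json.loads(reviews_json))
    return {"counted": counted, "ignored": ignored}


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_reviews(...) for a live PR.
    print(approval_summary(SAMPLE_REVIEWS_JSON))
```

On a live repository, call `fetch_reviews("owner", "repo", 123, token)` and pass the result to `classify_approvals`; anything that lands in `ignored` is an approval that shows in the UI but, per the behaviour described in this thread, does not carry write-level authority.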