I disagree with the author, it's not that SHA pinning is dangerous, it's that it is astonishingly broken in GitHub.
If they're unable to guarantee that the hash really belongs to the repository you indicated to them, it would be better if they didn't provide the pinning feature at all.
And if they built their systems such that verifying it is infeasible, they're just broken, and using GitHub should be considered a risk.
Although in truth, you should always carefully check a PR like that; even without referencing a different repository, a malicious user could just make it point to an outdated, vulnerable version.
g-b-r•51m ago