Foreign PRs with malicious GitHub Actions attached are a common vector for the very supply chain attacks OP was trying to mitigate, from what I understand. At first glance a PR like that is incredibly suspicious.
I sympathize with the OP, GitHub makes it outrageously easy to accidentally open an upstream PR when you meant to open one on your own fork, it's happened to me twice. But I don't blame lodash for blocking them.
Regardless, opening an issue about their release process obviously should have been done first.