CircleCI Unversioned Orb
Ensure CircleCI workflows do not use unversioned Orbs such as
When using the `@volatile` version, the latest version of the Orb is used, while the `@dev` version can be published by anyone in the organization that owns the Orb. To ensure deterministic pipeline execution and minimize the risk of including a malicious Orb, it is recommended to use a specific version of the Orb instead.
```yaml
# Unversioned Orbs: @dev and @volatile do not name a specific version
version: 2.1
orbs:
  node: circleci/node@dev
  cli: circleci/circleci-cli@volatile
```
```yaml
# Each Orb pinned to a specific version (<version> is a placeholder)
version: 2.1
orbs:
  node: circleci/node@<version>
  cli: circleci/circleci-cli@<version>
```
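The check this rule describes, as an added example (not code from the original page or from the tool it documents): a Python scan of the top-level `orbs:` block that reports every reference not pinned to a full version. The function names, the third sample Orb, the `dev:<label>` form and the treatment of partial versions as unpinned are assumptions of this example.

```python
import re

# Constructed sample: the first two orbs are the page's example; the third
# entry (name and version) is made up for illustration.
SAMPLE_CONFIG = """\
version: 2.1
orbs:
  node: circleci/node@dev
  cli: circleci/circleci-cli@volatile
  demo: example-ns/example-orb@1.2.3
"""

FULL_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
# "<alias>: <namespace>/<orb>@<version>", optionally quoted or commented.
ORB_LINE = re.compile(r"^\s+([\w.-]+):\s*['\"]?([^'\"#\s]+)['\"]?\s*(?:#.*)?$")

def classify(ref):
    """Return None when ref is pinned to x.y.z, otherwise a short reason."""
    _, sep, version = ref.partition("@")
    if not sep or not version:
        return "no version"
    if version == "volatile":
        return "volatile: tracks the latest version"
    if version == "dev" or version.startswith("dev:"):
        return "dev: publishable by any organization member"
    if not FULL_SEMVER.match(version):
        return "not a full x.y.z version"  # assumption of this example
    return None

def find_unpinned_orbs(config_text):
    """Scan the top-level `orbs:` mapping; return [(alias, ref, reason)]."""
    findings, in_orbs, indent = [], False, None
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        depth = len(line) - len(line.lstrip())
        if depth == 0:  # new top-level key: enter or leave the orbs block
            in_orbs, indent = line.split("#")[0].strip() == "orbs:", None
            continue
        if not in_orbs:
            continue
        indent = depth if indent is None else indent
        # Deeper lines belong to inline orb definitions and are skipped.
        m = ORB_LINE.match(line) if depth == indent else None
        reason = classify(m.group(2)) if m and "/" in m.group(2) else None
        if reason:
            findings.append((m.group(1), m.group(2), reason))
    return findings
```

Run over a repository's `.circleci/config.yml` in a pre-merge check, a non-empty result is the condition to fail on.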