This repository has been archived by the owner on Oct 15, 2024. It is now read-only.
-
I've just seen this HN post, which is about malicious actors spoofing commits to make them look like they're from GitHub's Dependabot, and thus getting malicious code into projects.
Because this project makes heavy use of Renovate (a similar bot from my understanding) and given the project's extra-sensitive nature, I thought it was worth mentioning here.
-
Thanks for the heads-up. This attack vector shouldn't affect us since all legitimate Renovate PRs to APS originate from the repository itself, so it's very easy to spot malicious ones.
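The check the reply relies on (legitimate bot PRs come from a branch in the repository itself, not a fork) can be automated. The script below is an added example, not code from this project or the discussion participants; the record layout loosely follows GitHub's pull-request and commit API fields, but the field names, the `example-org/aps` repository name and all sample data are constructed assumptions.

```python
# Added example: flag PRs that present themselves as Dependabot/Renovate
# but fail the checks a genuine bot PR would pass. Field names mimic a
# subset of GitHub's REST API; sample data below is constructed.
BOT_LOGINS = {"dependabot[bot]", "renovate[bot]"}
BASE_REPO = "example-org/aps"  # assumed repository name

def pr_claims_bot(pr):
    """True if the PR author or any commit author presents as a known bot."""
    if pr["user"]["login"] in BOT_LOGINS:
        return True
    for c in pr["commits"]:
        a = c["commit"]["author"]
        text = (a["name"] + " " + a["email"]).lower()
        if any(b.split("[")[0] in text for b in BOT_LOGINS):
            return True
    return False

def spoof_findings(pr):
    """Return the reasons a bot-looking PR should be treated as suspicious."""
    findings = []
    if not pr_claims_bot(pr):
        return findings
    # Genuine bot PRs live on a branch of the repository itself, never a fork.
    if pr["head"]["repo"]["full_name"] != pr["base"]["repo"]["full_name"]:
        findings.append("head branch is on a fork")
    # The account that opened the PR must be the bot app, not a look-alike.
    if pr["user"]["login"] not in BOT_LOGINS:
        findings.append(f"opened by '{pr['user']['login']}', not a bot account")
    # Bot commits carry a verified signature; an unverified one means the
    # bot's name/email was simply typed into the committer's git config.
    for c in pr["commits"]:
        if not c["commit"]["verification"]["verified"]:
            findings.append(f"commit {c['sha'][:7]} has no verified signature")
    return findings

def _pr(login, head_repo, commits):  # constructed sample builder
    return {"user": {"login": login},
            "head": {"repo": {"full_name": head_repo}},
            "base": {"repo": {"full_name": BASE_REPO}},
            "commits": commits}

def _commit(sha, name, email, verified):  # constructed sample builder
    return {"sha": sha, "commit": {"author": {"name": name, "email": email},
                                   "verification": {"verified": verified}}}

LEGIT_PR = _pr("renovate[bot]", BASE_REPO,
               [_commit("a1b2c3d4", "renovate[bot]", "renovate[bot]@users.noreply.github.com", True)])
SPOOFED_PR = _pr("someone", "someone/aps",
                 [_commit("deadbeef", "dependabot[bot]", "support@dependabot.com", False)])
```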