Asks for updates to this package's repository security.

[amaranthjinn]

Hi, our project utilizes a lot of dash plotly packages (really appreciate all your work!), and would like to leverage dash-ag-grid for some new functionalities under design/development.
However, we are concerned about the security setup of this repository, and the risk of future bad changes making into the package.
We used the tool https://github.com/ossf/scorecard to help us assess the repository security.
Some of the major concerning areas are:

1. branch protection - the 'main' branch is not under any branch protection rule that governs write access and how changes make into releases. The recommendation is https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
2. token permission -
   Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:13
   Warn: no topLevel permission defined: .github/workflows/python-test.yml:1
   Warn: no topLevel permission defined: .github/workflows/release.yml:1
   Which can be easily mitigated, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions.

Can you let me know if those security configurations can be updated soon? As it is, we would like to use the dash-ag-grid but cannot due to the security concerns (given the rise of software pipeline attacks).

[gvwilson]

Thanks for your comment - I've added it to the pile to discuss once we get the Plotly 3.0 release out the door (which should be in the next couple of weeks).

[amaranthjinn]

Thank you! Looking forward to the good news, keep me updated :)