CPMR0075 - Script uses GitHub Comment assets (script)

CPMR0075 - Script uses GitHub Comment assets (script)


This rule has been marked as a Requirement.

Requirements represent the minimum quality of a package that is acceptable. When a package version has failed requirements, the package version requires fixing and/or response by the maintainer. Provided a Requirement has flagged correctly, it must be fixed before the package version can be approved. The exact same version should be uploaded during moderation review.


Within one or more of the automation scripts, one or more URLs were found to point to a GitHub comment file or asset. URLs starting with https://github.com/<REPOSITORY_OWNER>/<REPOSITORY_NAME>/files/ or https://github.com/<REPOSITORY_OWNER>/<REPOSITORY_NAME>/assets/ are considered to be GitHub comment URLs, both on the github.com and gist.github.com domains.

Use the official download location of files from the software authors that are not part of a GitHub comment. This can be URLs on their official web page, from their GitHub releases, or from a third party that is officially endorsed by the software developers.


Since any user can upload files to a GitHub comment, even without publishing the comment, this can be used as an attack vector by malicious actors. To prevent such misuse from happening and affecting our users, it has been decided to disallow these types of URLs.