On April 15th we learned that CodeCov, one of the dependencies Dapr uses as part of our build pipeline, was targeted in a compromise of their bash uploader, which is used in their GitHub Action tool. You can read the full notice at https://about.codecov.io/security-update/. CodeCov in turn notified all customers who were believed to have been impacted. Dapr did not receive a notice, and was not part of CodeCov’s list of impacted repos.
