I am starting to wonder if I can't get a PR into a codebase with lots of invisible unicode characters that together create a backdoor. A simple typo-fixing PR could become a Trojan horse for a bunch of code the owner of the repo won't see. 🤔

Discussion

Thanks for the paranoia. Did you try?

Yeah, I think it highly depends on the tooling the maintainer uses. Git web UIs are not great for this.

That doesn't sound alarming at all. The way non-coders will read that is: I can probably plant code that no one will see that will give me access to their stuff.
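
On the tooling point raised in this thread, a maintainer-side check for invisible characters in a PR can be scripted. The following is an added example, not code posted by anyone in the thread: it scans the added lines of a unified diff and reports characters that render as nothing or reorder text. The names `classify`, `scan_diff` and `SAMPLE` are hypothetical, and the sample diff is constructed.

```python
import re
import unicodedata

# Bidirectional controls: embeddings/overrides, isolates, LRM/RLM, ALM.
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A)) | {0x200E, 0x200F, 0x061C}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def classify(ch):
    """Return a label if ch is invisible or reorders text, else None."""
    cp = ord(ch)
    if cp in BIDI:
        return "bidi-control"
    if 0xE0000 <= cp <= 0xE007F:
        return "tag-character"
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return "variation-selector"  # legitimate after emoji, still worth a look in code
    cat = unicodedata.category(ch)
    if cat == "Cf":
        return "format-character"    # zero-width space/joiner, BOM, soft hyphen, ...
    if cat == "Cc" and ch not in "\t\n\r":
        return "control-character"
    return None

def scan_diff(diff_text):
    """Return (path, new_line, column, codepoint, label) for each hit on an added line."""
    findings, path, lineno, prev = [], None, 0, ""
    # split("\n") rather than splitlines(): the latter breaks on U+2028 and friends.
    for line in diff_text.split("\n"):
        m = HUNK.match(line)
        if prev.startswith("--- ") and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif m:
            lineno = int(m.group(1))          # first line number on the new side
        elif line.startswith("+"):
            for col, ch in enumerate(line[1:], start=1):
                label = classify(ch)
                if label:
                    findings.append((path, lineno, col, f"U+{ord(ch):04X}", label))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1                       # context lines advance the new side too
        prev = line
    return findings

# Constructed sample: invisible characters written as escapes so they show up here.
SAMPLE = ("--- a/auth.py\n+++ b/auth.py\n@@ -10,3 +10,4 @@\n def check(user):\n"
          "-    # Teh check\n+    # The check\n+    label = 'ok\u200b'\n"
          "+    # \u202enote\n     return False\n")

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE):
        print(finding)
```

Run in CI against the PR diff, a non-empty result is a reason to inspect the flagged lines in a hex view before merging.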