
CircleCI Unversioned Orb Usage

Avoid unversioned orb references in CircleCI configuration. Orbs are reusable packages of CircleCI configuration (jobs, commands and executors) that are pulled into your pipeline at run time, so an orb reference without a version resolves to whatever the orb's publisher has most recently released. Any change to the orb, whether a breaking update or a malicious release after the publisher's account is compromised, then reaches your pipeline without any change to your own repository and without review.

Examples

Insecure Example

Using an unversioned orb (the same applies to the volatile version keyword, which always selects the newest release) lets changes to the orb take effect without notice:

version: 2.1
orbs:
  # no @version pin: changes published to the orb are picked up
  # without any change to this file
  example-orb: example/example-orb
jobs:
  build:
    steps:
      - example-orb/sample-step

Secure Example

Always specify a version. Note that a range such as @1 or @1.2 still resolves to the newest matching release, so only a full x.y.z pin makes the reference immutable:

version: 2.1
orbs:
  # exact x.y.z pin: the orb cannot change unless this line is edited
  example-orb: example/example-orb@1.2.3
jobs:
  build:
    steps:
      - example-orb/sample-step

This makes every orb update an intentional, reviewable change to the config file that can be tested before it reaches production.

Mitigation Steps

  • Always use versioned orbs by specifying an explicit version or a version range.
  • Test updates to orbs in a staging environment before applying them to production pipelines.
  • Regularly audit your CircleCI configuration so that every orb reference carries a version and pinned versions are still maintained by their publisher.
  • Consider pinning critical pipelines to exact orb versions to avoid unplanned changes.
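
The audit step above is easy to automate. The following script is an added example, not code from the page or from CircleCI: it reads the top-level orbs block of a .circleci/config.yml, classifies each reference as unversioned, volatile, a floating range, a mutable dev tag or an exact x.y.z pin, and reports everything that fails the chosen policy. The reference grammar it assumes is CircleCI's documented namespace/orb@version form; the orb names in the embedded sample config are constructed and the parser is deliberately line-based so it needs no third-party YAML library (inline orb definitions, where the alias is followed by a nested mapping rather than a reference string, are skipped).

```python
import re
from typing import Dict, List, Tuple

# Assumed reference grammar (CircleCI's documented form):
#   <namespace>/<orb>            no version: follows whatever is published next
#   <namespace>/<orb>@volatile   keyword that always selects the newest release
#   <namespace>/<orb>@1, @1.2    floating range: newest release matching the prefix
#   <namespace>/<orb>@1.2.3      exact, immutable release
#   <namespace>/<orb>@dev:tag    development orb; the tag can be republished
ORB_REF = re.compile(r"^(?P<name>[a-z0-9_-]+/[a-z0-9_-]+)(?:@(?P<version>\S+))?$")
EXACT = re.compile(r"^\d+\.\d+\.\d+$")
RANGE = re.compile(r"^\d+(?:\.\d+)?$")


def classify_orb_ref(ref: str) -> str:
    """Classify one orb reference string."""
    m = ORB_REF.match(ref.strip())
    if not m:
        return "invalid"
    version = m.group("version")
    if version is None:
        return "unversioned"
    if version == "volatile":
        return "volatile"
    if version.startswith("dev:"):
        return "dev"
    if EXACT.match(version):
        return "exact"
    if RANGE.match(version):
        return "range"
    return "invalid"


def orb_refs_from_config(config_text: str) -> Dict[str, str]:
    """Return alias -> reference for the entries of the top-level orbs: block.

    Line-based on purpose (no PyYAML dependency). Entries whose value is a
    nested mapping (inline orb definitions) are skipped, as are their
    more-deeply-indented child lines.
    """
    refs: Dict[str, str] = {}
    in_orbs = False
    entry_indent = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key ends the orbs block
            in_orbs = line.strip() == "orbs:"
            entry_indent = None
            continue
        if not in_orbs:
            continue
        if entry_indent is None:
            entry_indent = indent  # indentation of the orb aliases
        if indent != entry_indent:
            continue  # child line of an inline orb definition
        alias, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if value:  # empty value means an inline orb, not a reference
            refs[alias.strip()] = value
    return refs


def audit_config(config_text: str, require_exact: bool = True) -> List[Tuple[str, str, str]]:
    """Return (alias, reference, classification) for each orb failing policy.

    require_exact=True accepts only x.y.z pins; False also tolerates numeric
    ranges such as @1, but never unversioned, volatile or dev references.
    """
    findings = []
    for alias, ref in orb_refs_from_config(config_text).items():
        kind = classify_orb_ref(ref)
        accepted = kind == "exact" or (not require_exact and kind == "range")
        if not accepted:
            findings.append((alias, ref, kind))
    return findings


# Constructed sample config; orb names are fictional.
SAMPLE_CONFIG = """\
version: 2.1
orbs:
  example-orb: example/example-orb          # unversioned
  node-tools: example/node-tools@volatile   # always newest
  aws-helpers: example/aws-helpers@3        # floating range
  notify: example/notify@4.1.2              # exact pin
  internal:                                 # inline orb, skipped
    commands:
      hello:
        steps:
          - run: echo hi
jobs:
  build:
    steps:
      - example-orb/sample-step
"""

if __name__ == "__main__":
    for alias, ref, kind in audit_config(SAMPLE_CONFIG):
        print(f"{alias}: {ref} ({kind})")
```

Run it against a real config by reading the file into audit_config; the strict policy is the right default for the production pipelines the mitigation list singles out, while require_exact=False can be used for less critical pipelines where a floating range is an accepted trade-off.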
