Pin default dependencies with environment variables
Following the [Trivy supply chain attack](https://blog.stephane-robert.info/post/trivy-actii/), we might need to question our [Latest version by default](https://to-be-continuous.gitlab.io/doc/dev/architecture/#latest-version-by-default) policy.

## MUST

- It must be possible to pin all dependencies used in templates using environment variables.

Related to https://gitlab.com/groups/to-be-continuous/-/work_items/72 & https://gitlab.com/groups/to-be-continuous/-/work_items/66

## SHOULD

- It would be useful to be able to pin a dependency at group (or instance) level without overriding versions set in `.gitlab-ci.yml`.<br/>
  A proposed solution is using `TBC_DEFAULT_` variables.<br/>
  Like we did in https://gitlab.com/to-be-continuous/docker/-/merge_requests/175 but without changing the default value, so just a minor.

## MAY

- The open source project may keep pinned versions up to date. But is it the users' (as companies, not individuals) responsibility? Or even feasible with current resources?
epic