
npm Supply Chain Mitigation

Open · mattheworris opened this issue 7 months ago · 1 comment

Description

Continuing on from #2598, the goal of this issue is to audit the CI/CD workflows and make sure they use the correct package-lock.json and that npm uses safe commands, e.g. clean-install, ignore-scripts, and npm audit signatures.

Acceptance Criteria

  • [ ] All github workflows have been audited to use the correct version of the package-lock.json
  • [ ] All npm commands use safe options where possible, e.g. ci, ignore-scripts
  • [ ] npm audit signatures is used for verification of packages.

mattheworris · Sep 16 '25 13:09
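One way to carry out the workflow audit described in the issue, as an added example that is not part of the issue or the project's own tooling: a POSIX shell script that scans workflow files for npm installs that are not `npm ci --ignore-scripts` and for the absence of an `npm audit signatures` step. It assumes workflows live under a directory such as .github/workflows; the two sample workflows it writes are constructed for illustration.

```shell
# Scan GitHub Actions workflow files for npm usage that does not match the
# hardened form: `npm ci --ignore-scripts` plus an `npm audit signatures` step.
# Print findings for one workflow file ($1), one per line.
audit_npm_lines() {
  # Match install-like npm invocations: npm install / npm i / npm ci / npm add
  grep -n -E '(^|[^[:alnum:]])npm[[:space:]]+(install|i|ci|add)([[:space:]]|$)' "$1" |
  while IFS= read -r line; do
    lineno=${line%%:*}
    cmd=${line#*:}
    # npm ci installs exactly what package-lock.json pins; npm install may rewrite it.
    if ! printf '%s' "$cmd" | grep -q -E 'npm[[:space:]]+ci([[:space:]]|$)'; then
      printf '%s:%s: uses npm install instead of npm ci (lockfile not enforced)\n' "$1" "$lineno"
    fi
    # Without --ignore-scripts every dependency's lifecycle scripts run in CI.
    case "$cmd" in
      *--ignore-scripts*) ;;
      *) printf '%s:%s: install without --ignore-scripts (lifecycle scripts run)\n' "$1" "$lineno" ;;
    esac
  done
  # npm audit signatures checks registry signatures of the installed packages.
  if ! grep -q -E 'npm[[:space:]]+audit[[:space:]]+signatures' "$1"; then
    printf '%s: no "npm audit signatures" step (package signatures unverified)\n' "$1"
  fi
}

# Audit every workflow file under $1; return 1 if anything was flagged.
audit_workflows() {
  status=0
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    findings=$(audit_npm_lines "$f")
    if [ -n "$findings" ]; then
      printf '%s\n' "$findings"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample workflows (hypothetical, not the project's) written into $1:
# one that should be flagged and one already in the hardened form.
write_sample_workflows() {
  mkdir -p "$1"
  printf '%s\n' 'name: unsafe' 'jobs:' '  build:' '    steps:' \
    '      - run: npm install' '      - run: npm test' > "$1/unsafe.yml"
  printf '%s\n' 'name: hardened' 'jobs:' '  build:' '    steps:' \
    '      - run: npm ci --ignore-scripts' '      - run: npm audit signatures' \
    '      - run: npm test' > "$1/hardened.yml"
}
```

Run `audit_workflows .github/workflows` in a repository to list the steps that still need changing; a non-zero exit status makes it usable as a CI gate.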

I wonder if it might also make sense to have some kind of git commit or push hook that prevents committing package-lock files unless a specially-formatted commit message is present? Or some other mechanism to prevent unintentional updating of the lock file.

JoeCap08055 · Sep 16 '25 16:09