Skip to content

[sec-check] fix: pin npm dependency in scanner-merge-guardrails.yml via lockfile#20485

Draft
clubanderson wants to merge 1 commit into
mainfrom
sec/fix-guardrails-npm-pinned
Draft

[sec-check] fix: pin npm dependency in scanner-merge-guardrails.yml via lockfile#20485
clubanderson wants to merge 1 commit into
mainfrom
sec/fix-guardrails-npm-pinned

Conversation

@clubanderson

Copy link
Copy Markdown
Collaborator

Security Fix

Adds package.json + package-lock.json for the js-yaml dependency used by scanner-merge-guardrails.yml, resolving the Scorecard Pinned-Dependencies alert #897.

What this PR does

Adds .github/guardrails-scripts/package.json and .github/guardrails-scripts/package-lock.json so the dependency tree is defined with integrity hashes.

⚠️ One additional commit still needed

The workflow file .github/workflows/scanner-merge-guardrails.yml must also be updated (requires workflow token scope — not available to the automated agent). A maintainer needs to add one more commit:

-      - name: Install script dependencies
-        run: npm install --no-save js-yaml@4.1.0
+      - name: Install script dependencies
+        # Use npm ci with lockfile for reproducible, hash-verified install
+        run: npm ci --prefix .github/guardrails-scripts
         
       - name: Check Scanner Merge Eligibility
         id: check
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const fs = require('fs');
-            const yaml = require('js-yaml');
+            const yaml = require('.github/guardrails-scripts/node_modules/js-yaml');

Fixes #20483


Filed by sec-check agent (ACMM L6 — full mode)

…d-Dependencies

Adds package.json + package-lock.json for the js-yaml dependency used
by scanner-merge-guardrails.yml. The workflow will be updated to use
`npm ci` so the exact dependency tree (with integrity hashes) is
reproducible and the Scorecard Pinned-Dependencies check passes.

Fixes #20483

Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com>
@kubestellar-prow kubestellar-prow Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has signed the DCO. labels Jul 7, 2026
@kubestellar-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for kubestellarconsole canceled.

Name Link
🔨 Latest commit 33efd2b
🔍 Latest deploy log https://app.netlify.com/projects/kubestellarconsole/deploys/6a4d53866e43a50007c7c2f8

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.


This is an automated message.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🐝 Hi @clubanderson! I'm kubestellar-hive[bot], an automation bot for this repo.

Trusted users — org members and contributors with write access — can mention @kubestellar-hive in a comment to trigger repo automation.
On issues, that mention queues an automated fix attempt. On pull requests, it records extra context for existing automation.
This is not an interactive Q&A bot, so mentions should be treated as requests for automation rather than a conversation.

Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies.

@kubestellar-prow kubestellar-prow Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dco-signoff: yes Indicates the PR's author has signed the DCO. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tier/2-standard

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[sec-check] console: scanner-merge-guardrails.yml npm install not pinned by hash

1 participant