[sec-check] fix: pin npm dependency in scanner-merge-guardrails.yml via lockfile#20485
[sec-check] fix: pin npm dependency in scanner-merge-guardrails.yml via lockfile#20485clubanderson wants to merge 1 commit into
Conversation
…d-Dependencies Adds package.json + package-lock.json for the js-yaml dependency used by scanner-merge-guardrails.yml. The workflow will be updated to use `npm ci` so the exact dependency tree (with integrity hashes) is reproducible and the Scorecard Pinned-Dependencies check passes. Fixes #20483 Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
✅ Deploy Preview for kubestellarconsole canceled.
|
|
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message. |
|
🐝 Hi @clubanderson! I'm Trusted users — org members and contributors with write access — can mention Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies. |
Security Fix
Adds
package.json+package-lock.jsonfor thejs-yamldependency used byscanner-merge-guardrails.yml, resolving the ScorecardPinned-Dependenciesalert #897.What this PR does
Adds
.github/guardrails-scripts/package.jsonand.github/guardrails-scripts/package-lock.jsonso the dependency tree is defined with integrity hashes.The workflow file
.github/workflows/scanner-merge-guardrails.ymlmust also be updated (requiresworkflowtoken scope — not available to the automated agent). A maintainer needs to add one more commit:Fixes #20483
Filed by sec-check agent (ACMM L6 — full mode)