Status: Closed

Labels: needs-triage (Requires triage and prioritization), security (Security-related changes or concerns), workflows (GitHub Actions workflows)
Issue Description
OpenSSF Scorecard reports a Pinned-Dependencies warning with score normalized to 8/10, indicating 4 npm commands in GitHub workflows are not properly pinned by hash.
Current State
| File | Line | Command | Status |
|---|---|---|---|
| extension-package.yml | 57 | `npm install -g @vscode/vsce@3.7.1` | |
| extension-publish-prerelease.yml | 71 | `npm install -g @vscode/vsce` | ❌ Completely unpinned |
| extension-publish-prerelease.yml | 129 | `npm install -g @vscode/vsce` | ❌ Completely unpinned |
| extension-publish.yml | 114 | `npm install -g @vscode/vsce@3.7.1` | |
The 5 workflows using `npm ci` are properly pinned via the `package-lock.json` integrity hashes.
Security Risk
- Version pinning ≠ hash pinning: a version like `@3.7.1` doesn't guarantee identical bytes
- Unpinned packages can install any version, including compromised releases
- Supply chain attacks target build-time dependencies
Recommended Approach
Convert the global installs to a local `package.json` with `npm ci`:
- Add `@vscode/vsce` to `extension/package.json` as a dev dependency
- Commit `package-lock.json` with integrity hashes
- Replace the global installs with `npm ci` + `npx vsce`

This leverages npm's built-in integrity verification and aligns with the existing workflow patterns.
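As an added illustration (not code from this issue or the repository), the following Python check classifies npm commands from workflow steps the way the Scorecard npmCommand finding does, and verifies that every lockfile entry carries an `integrity` hash. The sample steps and the lockfile contents are constructed; the `sha512-...` value is a placeholder.

```python
import re

# Constructed sample workflow steps (file, line, run command); not the real workflows.
SAMPLE_STEPS = [
    ("extension-package.yml", 57, "npm install -g @vscode/vsce@3.7.1"),
    ("extension-publish-prerelease.yml", 71, "npm install -g @vscode/vsce"),
    ("extension-build.yml", 30, "npm ci"),
]

# Constructed lockfileVersion 3 fragment; the integrity value is a placeholder.
SAMPLE_LOCK = {
    "name": "extension", "lockfileVersion": 3, "packages": {
        "": {"name": "extension", "devDependencies": {"@vscode/vsce": "3.7.1"}},
        "node_modules/@vscode/vsce": {"version": "3.7.1",
            "resolved": "https://registry.npmjs.org/@vscode/vsce/-/vsce-3.7.1.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/example-dep": {"version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz"},
    }}

GLOBAL_INSTALL = re.compile(r"npm\s+(?:install|i)\s+(?:-g|--global)\s+(?P<spec>\S+)")
# npm package spec: optional @scope/, package name, optional @version suffix.
SPEC = re.compile(r"^(?P<name>(?:@[\w.-]+/)?[\w.-]+)(?:@(?P<version>\S+))?$")


def classify(command: str) -> str:
    """Return lockfile-pinned, version-pinned, unpinned or other for one run line."""
    if re.match(r"npm\s+ci\b", command.strip()):
        return "lockfile-pinned"          # integrity hashes come from package-lock.json
    m = GLOBAL_INSTALL.search(command)
    if m is None:
        return "other"
    spec = SPEC.match(m.group("spec"))
    if spec is None:
        return "other"
    # A version tag only fixes the version, not the bytes; only a lockfile pins by hash.
    return "version-pinned" if spec.group("version") else "unpinned"


def unpinned_steps(steps):
    """List the (file, line, command, status) tuples Scorecard would flag."""
    flagged = ("unpinned", "version-pinned")
    return [(f, n, c, classify(c)) for f, n, c in steps if classify(c) in flagged]


def lockfile_integrity_gaps(lock: dict) -> list:
    """Return lockfile package paths with no integrity hash (root and links excluded)."""
    return [path for path, entry in lock.get("packages", {}).items()
            if path and not entry.get("link") and "integrity" not in entry]


if __name__ == "__main__":
    for row in unpinned_steps(SAMPLE_STEPS):
        print("%s:%d  %s  [%s]" % row)
    print("lockfile entries without integrity:", lockfile_integrity_gaps(SAMPLE_LOCK))
```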
Additional Context
- OpenSSF Scorecard Pinned-Dependencies check
- Existing hash verification pattern: `scripts/security/tool-checksums.json`
- Scorecard finding: "6 out of 10 npmCommand dependencies pinned"