Note
Partial Completion Status (assessed 2026-02-25)
Completed:
- Version-pinned `@vscode/vsce@3.7.1` across all 3 extension workflow files
Remaining:
- Not integrity/SHA-pinned via lockfile; still uses `npm install -g`, bypassing lockfile integrity checks
- OpenSSF Scorecard alerts #2–#5 remain active
- `extension/package-lock.json` with integrity hashes not yet committed
- No acceptance criteria items checked off
Summary
OpenSSF Scorecard reports 4 Pinned-Dependencies alerts for `npm install -g @vscode/vsce@3.7.1` commands across 3 extension workflow files. Version pinning alone does not satisfy the Scorecard check — cryptographic hash pinning is required.
This is a recurrence of #291 (closed 2026-01-27) which proposed the same fix. The alerts persist on main, indicating the fix was either not fully applied or was overridden.
Alert Details
| Alert | File | Line | Command |
|---|---|---|---|
| #2 | extension-package.yml | 58 | `npm install -g @vscode/vsce@3.7.1` |
| #3 | extension-publish-prerelease.yml | 72 | `npm install -g @vscode/vsce@3.7.1` |
| #4 | extension-publish-prerelease.yml | 130 | `npm install -g @vscode/vsce@3.7.1` |
| #5 | extension-publish.yml | 115 | `npm install -g @vscode/vsce@3.7.1` |
Root Cause
`npm install -g` bypasses lockfile integrity checks. Even with a version pin (`@3.7.1`), the package is fetched at install time without a cryptographic hash comparison. OpenSSF Scorecard requires either:
- A lockfile-backed install (`npm ci`) with integrity hashes, or
- An explicit SHA-256 verification step
Proposed Fix
Convert the global `npm install -g` to a lockfile-backed local install:
- Add `@vscode/vsce` as a devDependency to `extension/package.json`
- Commit `extension/package-lock.json` with integrity hashes
- Replace all `npm install -g @vscode/vsce@3.7.1` steps with:

```yaml
- run: cd extension && npm ci
- run: npx vsce
  working-directory: extension
```
This eliminates the global install and leverages npm's built-in integrity verification via the lockfile.
Alternative
If the local devDependency approach creates issues with workflow structure, use `scripts/security/tool-checksums.json` (existing pattern in the repo) to verify a downloaded tarball hash before installing.
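The tarball-verification path described above, as an added example that is not the hve-core project's own script: it fetches the pinned vsce version as a tarball with `npm pack`, compares its SHA-256 with the value the caller supplies, and only then installs from the local file. Reading the expected hash out of `scripts/security/tool-checksums.json` is left to the caller, since that file's layout is not shown here; `install_vsce_verified` is a hypothetical name that needs network access, so only `verify_sha256` is exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not the hve-core project's own script): refuse to install a
# downloaded npm tarball unless its SHA-256 matches a known value. The expected
# hash is passed in by the caller; looking it up in
# scripts/security/tool-checksums.json is assumed to happen elsewhere.

# Print the SHA-256 of a file using whichever tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 otherwise.
# Comparison is case-insensitive so a hash pasted in upper case still matches.
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $1: expected $expected, got $actual" >&2
  return 1
}

# install_vsce_verified VERSION EXPECTED_HEX (hypothetical helper, needs network)
# `npm pack` writes the exact version to a local .tgz and prints its filename;
# the install only proceeds from that file after the hash check passes, so a
# tampered or substituted tarball is never executed.
install_vsce_verified() {
  version="$1"
  expected="$2"
  tarball=$(npm pack "@vscode/vsce@${version}" --silent) || return 1
  if ! verify_sha256 "$tarball" "$expected"; then
    rm -f "$tarball"
    return 1
  fi
  npm install -g "./${tarball}"
}
```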
Acceptance Criteria
- No global `npm install -g @vscode/vsce` commands remain in any workflow
- `extension/package-lock.json` contains integrity hashes for vsce
- `extension-package.yml` workflow passes CI (extension packages successfully)
- `extension-publish.yml` workflow passes CI (extension publishes successfully)
- `extension-publish-prerelease.yml` workflow passes CI (both jobs)
- OpenSSF Scorecard alerts #2, #3, #4, #5 resolve on next scan
References
- Alerts: https://github.com/microsoft/hve-core/security/code-scanning/2 through https://github.com/microsoft/hve-core/security/code-scanning/5
- Predecessor: [Issue]: Fix OpenSSF Scorecard Pinned-Dependencies warnings for npm commands #291 (closed, same recommendation, alerts persist)
- Pattern reference: `scripts/security/tool-checksums.json` for hash verification
How to Build This
This is a security fix implementation task using the task-implementor workflow.
Workflow: /task-research → /task-plan → /task-implement → /task-review
Tip
Between each phase, type `/clear` or start a new chat to reset context.
Warning
The issue proposes adding extension/package.json as a devDependency target, but
extension/package.json does not exist in the repository. The extension uses
extension/templates/package.template.json instead. Research should investigate
how the template-based packaging workflow interacts with the proposed fix.
Phase 1: Research
Source Material
- This issue body
- #file:.github/workflows/extension-package.yml (line 58: unpinned vsce install)
- #file:.github/workflows/extension-publish.yml (line 115: unpinned vsce install)
- #file:.github/workflows/extension-publish-prerelease.yml (lines 72, 130: unpinned vsce install)
- #file:extension/templates/package.template.json (template-based packaging)
- #file:scripts/security/tool-checksums.json (hash verification pattern)
- #file:scripts/extension/prepare-extension.ps1 (extension build process)
Steps
- Type `/clear` to start a fresh context.
- Attach or open the files listed above.
- Copy and run this prompt:

```text
/task-research topic="resolving vsce npm pinned-dependencies alerts"
Research how to resolve OpenSSF Scorecard Pinned-Dependencies alerts for npm install -g
@vscode/vsce commands in extension workflows. Investigate:
1. How the extension packaging workflow works (template-based, not standard package.json)
2. Whether adding extension/package.json and extension/package-lock.json is compatible
   with the template-based build system
3. The alternative approach using scripts/security/tool-checksums.json for hash verification
4. How npm ci handles devDependencies vs npm install -g for the vsce tool
5. Whether npx vsce can replace direct vsce CLI invocation in workflow steps
6. Impact on all three extension workflow files (package, publish, publish-prerelease)
7. The existing prepare-extension.ps1 script and how it interacts with packaging
Output: Research document at .copilot-tracking/research/{{YYYY-MM-DD}}-vsce-pinning-research.md
```
Phase 2: Plan
Source Material
- Research document from Phase 1
Steps
- Type `/clear` to start a fresh context.
- Open the research document from Phase 1.
- Copy and run this prompt:

```text
/task-plan
Create an implementation plan for resolving the vsce Pinned-Dependencies alerts.
The plan should address the template-based packaging system, select between the
devDependency approach and the tool-checksums approach, and specify changes to
all three extension workflow files.
Output: Plan at .copilot-tracking/plans/ and details at .copilot-tracking/details/
```
Phase 3: Implement
Source Material
- Plan from Phase 2
Steps
- Type `/clear` to start a fresh context.
- Open the plan document from Phase 2.
- Copy and run this prompt:

```text
/task-implement
Implement the vsce pinning fix across all three extension workflow files following
the plan. Replace npm install -g commands with the selected approach (lockfile-backed
install or hash-verified download).
Output: Modified workflow files and any new files, changes log at .copilot-tracking/changes/
```
Phase 4: Review
Source Material
- Plan from Phase 2
- Changes log from Phase 3
Steps
- Type `/clear` to start a fresh context.
- Open the plan and changes log.
- Copy and run this prompt:

```text
/task-review
Review the vsce pinning implementation. Run these validation commands:
- npm run lint:yaml (validate all three extension workflow files)
Verify that no npm install -g @vscode/vsce commands remain, that the replacement
approach provides cryptographic hash verification, and that extension packaging
still works correctly in all three workflow contexts.
Output: Review log at .copilot-tracking/reviews/
```
After Review
- Pass: All criteria met. Create a PR referencing this issue.
- Iterate: Review found issues. Run `/clear`, return to Phase 3 with the review feedback.
- Escalate: Fundamental design issue discovered. Run `/clear`, return to Phase 1 to research the gap.
Authoring Standards
- Workflow changes follow `.github/instructions/hve-core/workflows.instructions.md`
- Security scripts follow patterns from `scripts/security/`
- All action and tool references use SHA pinning or lockfile-backed integrity verification
Success Criteria
- No global `npm install -g @vscode/vsce` commands remain in any workflow
- Replacement approach provides cryptographic hash verification
- `extension-package.yml` workflow still packages the extension correctly
- `extension-publish.yml` workflow still publishes correctly
- `extension-publish-prerelease.yml` workflow still works for both jobs
- `npm run lint:yaml` passes for all modified workflow files