Skip to content

fix(build): pin npm commands for OpenSSF Scorecard compliance#181

Merged
WilliamBerryiii merged 1 commit intomainfrom
fix/npm-command-pinning
Jan 16, 2026
Merged

fix(build): pin npm commands for OpenSSF Scorecard compliance#181
WilliamBerryiii merged 1 commit intomainfrom
fix/npm-command-pinning

Conversation

@WilliamBerryiii
Copy link
Copy Markdown
Member

@WilliamBerryiii WilliamBerryiii commented Jan 16, 2026

fix(build): pin npm commands for OpenSSF Scorecard compliance

Description

Resolved npm command pinning warnings identified by OpenSSF Scorecard analysis. Replaced non-deterministic npm install with npm ci in the DevContainer post-create script and pinned @vscode/vsce to version 3.7.1 in GitHub Actions workflows to prevent supply chain vulnerabilities from unpinned global package installations.

  • fix(scripts): Replaced npm install with npm ci in .devcontainer/scripts/post-create.sh for deterministic dependency installation using lockfile
  • fix(build): Pinned @vscode/vsce to version 3.7.1 in .github/workflows/extension-package.yml
  • fix(build): Pinned @vscode/vsce to version 3.7.1 in .github/workflows/extension-publish.yml

Related Issue(s)

Fixes #180

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder chatmode and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot chatmode (.github/chatmodes/*.chatmode.md)

Note for AI Artifact Contributors:

  • Chatmodes: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation chatmodes likely already exist. Review .github/chatmodes/ before creating new ones.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Chatmodes Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Sample Prompts (for AI Artifact Contributions)

Testing

  • Verified file changes produce valid YAML syntax in GitHub Actions workflows
  • Confirmed shell script syntax is valid with npm ci command
  • Changes align with npm best practices for CI/CD environments

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)

AI Artifact Contributions

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

This change addresses OpenSSF Scorecard npm command pinning warnings:

  • npm ci uses the lockfile (package-lock.json) for deterministic, reproducible builds
  • Pinning @vscode/vsce@3.7.1 prevents supply chain attacks from compromised latest versions
  • Both changes improve the repository's OpenSSF Scorecard security score

🔒 - Generated by Copilot

@WilliamBerryiii
fix(build): pin npm commands for OpenSSF Scorecard compliance
4771db7 
- replace npm install with npm ci in devcontainer post-create script

- pin @vscode/vsce to 3.7.1 in extension-package workflow

- pin @vscode/vsce to 3.7.1 in extension-publish workflow

Fixes #180

🔒 - Generated by Copilot
Copilot AI review requested due to automatic review settings January 16, 2026 05:06
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner January 16, 2026 05:06
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jan 16, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI reviewed Jan 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses OpenSSF Scorecard npm command pinning warnings to improve supply chain security. It pins the @vscode/vsce package version in GitHub Actions workflows and replaces non-deterministic npm install with npm ci in the DevContainer setup script for reproducible builds using the lockfile.

Changes:

  • Pinned @vscode/vsce to version 3.7.1 in two GitHub Actions workflows
  • Replaced npm install with npm ci in DevContainer post-create script

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/extension-publish.yml Pinned @vscode/vsce to 3.7.1 to prevent supply chain vulnerabilities
.github/workflows/extension-package.yml Pinned @vscode/vsce to 3.7.1 for deterministic package installation
.devcontainer/scripts/post-create.sh Replaced npm install with npm ci for lockfile-based dependency installation

@WilliamBerryiii WilliamBerryiii merged commit c29db54 into main Jan 16, 2026
20 checks passed
@WilliamBerryiii WilliamBerryiii deleted the fix/npm-command-pinning branch January 16, 2026 16:12
This was referenced Jan 16, 2026
Closed
Closed
Closed
Merged
WilliamBerryiii pushed a commit that referenced this pull request Jan 19, 2026
@hve-core-release-please
chore(main): release hve-core 1.1.0 (#211)
8de3acf 
🤖 I have created a release *beep* *boop*
---


##
[1.1.0](hve-core-v1.0.0...hve-core-v1.1.0)
(2026-01-19)


### ✨ Features

* **.devcontainer:** add development container configuration
([#24](#24))
([45debf5](45debf5))
* **.github:** add github metadata and mcp configuration
([#23](#23))
([1cb898d](1cb898d))
* **agent:** Add automated installation via hve-core-installer agent
([#82](#82))
([a2716d5](a2716d5))
* **agents:** add brd-builder.agent.md for building BRDs
([#122](#122))
([bfdc9f3](bfdc9f3))
* **agents:** redesign installer with Codespaces support and method
documentation ([#123](#123))
([6329fc0](6329fc0))
* **ai:** Establish AI-Assisted Development Framework
([#48](#48))
([f5199a4](f5199a4))
* **build:** implement automated release management with release-please
([#86](#86))
([90150e2](90150e2))
* **chatmodes:** add architecture diagram builder agent
([#145](#145))
([db24637](db24637))
* **config:** add development tools configuration files
([#19](#19))
([9f97522](9f97522))
* **config:** add npm package configuration and dependencies
([#20](#20))
([fcba198](fcba198))
* **copilot:** add GitHub Copilot instruction files
([#22](#22))
([4927284](4927284))
* **copilot:** add specialized chat modes for development workflows
([#21](#21))
([ae8495f](ae8495f))
* **docs:** add comprehensive AI artifact contribution documentation
([#76](#76))
([d81cf96](d81cf96))
* **docs:** add getting started guide for project configuration
([#57](#57))
([3b864fa](3b864fa))
* **docs:** add repository foundation and documentation files
([#18](#18))
([ad7efb6](ad7efb6)),
closes [#2](#2)
* **docs:** add RPI workflow documentation and restructure docs folder
([#102](#102))
([c3af708](c3af708))
* **extension:** hve core vs code extension
([#149](#149))
([041a1fd](041a1fd))
* **extension:** implement pre-release versioning with agent maturity
filtering ([#179](#179))
([fb38233](fb38233))
* **instructions:** add authoring standards for prompt engineering
artifacts ([#177](#177))
([5de3af9](5de3af9))
* **instructions:** add extension quick install and enhance installer
agent ([#176](#176))
([48e3d58](48e3d58))
* **instructions:** add VS Code variant prompt and gitignore
recommendation to installer
([#185](#185))
([b400493](b400493))
* **instructions:** add writing style guide for markdown content
([#151](#151))
([02df6a8](02df6a8))
* **instructions:** consolidate C# guidelines and update prompt agent
fields ([#158](#158))
([65342d4](65342d4))
* **instructions:** provide guidance on using safe commands to reduce
interactive prompting
([#117](#117))
([1268580](1268580))
* **linting:** add linting and validation scripts
([#26](#26))
([66be136](66be136))
* **prompt-builder:** enhance prompt engineering instructions and
validation protocols
([#155](#155))
([bc5004f](bc5004f))
* **prompts:** add ADR placement planning and update template paths
([#69](#69))
([380885f](380885f))
* **prompts:** add git workflow prompts from edge-ai
([#84](#84))
([56d66b6](56d66b6))
* **prompts:** add github-add-issue prompt and github-issue-manager
chatmode with delegation pattern
([#55](#55))
([d0e1789](d0e1789))
* **prompts:** add PR template discovery and integration to pull-request
prompt ([#141](#141))
([b8a4c7a](b8a4c7a))
* **prompts:** add task research initiation prompt and rpi
agent([#124](#124))
([5113e3b](5113e3b))
* **release:** implement release management strategy
([#161](#161))
([6164c3b](6164c3b))
* Risk Register Prompt
([#146](#146))
([843982c](843982c))
* **scripts:** enhanced JSON Schema validation for markdown frontmatter
([#59](#59))
([aba152c](aba152c))
* **security:** add checksum validation infrastructure
([#106](#106))
([07528fb](07528fb))
* **security:** add security scanning scripts
([#25](#25))
([82de5a1](82de5a1))
* **workflows:** add CodeQL security analysis to PR validation
([#132](#132))
([e5b6e8f](e5b6e8f))
* **workflows:** add orchestration workflows and documentation
([#29](#29))
([de442e0](de442e0))
* **workflows:** add security reusable workflows
([#28](#28))
([2c74399](2c74399))
* **workflows:** add validation reusable workflows
([#27](#27))
([f52352d](f52352d))


### 🐛 Bug Fixes

* **build:** add token parameter to release-please action
([#166](#166))
([c9189ec](c9189ec))
* **build:** disable MD012 lint rule in CHANGELOG for release-please
compatibility ([#173](#173))
([54502d8](54502d8)),
closes [#172](#172)
* **build:** pin npm commands for OpenSSF Scorecard compliance
([#181](#181))
([c29db54](c29db54))
* **build:** remediate GHSA-g9mf-h72j-4rw9 undici vulnerability
([#188](#188))
([634bf36](634bf36))
* **build:** seed CHANGELOG.md with version entry for release-please
frontmatter preservation
([#170](#170))
([2b299ac](2b299ac))
* **build:** use GitHub App token for release-please
([#167](#167))
([070e042](070e042))
* **build:** use hashtable splatting for named parameters
([#164](#164))
([02a965f](02a965f))
* **devcontainer:** remove unused Python requirements check
([#78](#78))
([f17a872](f17a872)),
closes [#77](#77)
* **docs:** fix broken links and update validation for .vscode/README.md
([#118](#118))
([160ae7a](160ae7a))
* **docs:** improve language consistency in Automated Installation
section ([#139](#139))
([a932918](a932918))
* **docs:** replace install button anchor with VS Code protocol handler
([#111](#111))
([41a265e](41a265e))
* **docs:** update install badges to use aka.ms redirect URLs
([#114](#114))
([868f655](868f655))
* **linting:** use cross-platform path separators in gitignore pattern
matching ([#121](#121))
([3f0aa1b](3f0aa1b))
* **scripts:** accepts the token (YYYY-MM-dd) in frontmatter validation
([#133](#133))
([2648215](2648215))
* **tools:** correct Method 5 path resolution in hve-core-installer
([#129](#129))
([57ef20d](57ef20d))


### 📚 Documentation

* add comprehensive RPI workflow documentation
([#153](#153))
([cbaa4a9](cbaa4a9))
* enhance README with contributing, responsible AI, and legal sections
([#52](#52))
([a424adc](a424adc))


### ♻️ Refactoring

* **instructions:** consolidate and enhance AI artifact guidelines
([#206](#206))
([54dd959](54dd959))
* migrate chatmodes to agents architecture
([#210](#210))
([712b0b7](712b0b7))


### 🔧 Maintenance

* **build:** clean up workflow permissions for Scorecard compliance
([#183](#183))
([64686e7](64686e7))
* **deps-dev:** bump cspell in the npm-dependencies group
([#61](#61))
([38650eb](38650eb))
* **deps-dev:** bump glob from 10.4.5 to 10.5.0
([#74](#74))
([b3ca9fd](b3ca9fd))
* **deps-dev:** bump markdownlint-cli2 from 0.19.1 to 0.20.0 in the
npm-dependencies group
([#134](#134))
([ebfbe84](ebfbe84))
* **deps-dev:** bump the npm-dependencies group across 1 directory with
2 updates ([#109](#109))
([936ab84](936ab84))
* **deps-dev:** bump the npm-dependencies group with 2 updates
([#30](#30))
([cf99cbf](cf99cbf))
* **deps:** bump actions/upload-artifact from 5.0.0 to 6.0.0 in the
github-actions group
([#142](#142))
([91eac8a](91eac8a))
* **deps:** bump js-yaml, markdown-link-check and markdownlint-cli2
([#75](#75))
([af03d0e](af03d0e))
* **deps:** bump the github-actions group with 2 updates
([#108](#108))
([3e56313](3e56313))
* **deps:** bump the github-actions group with 2 updates
([#135](#135))
([4538a03](4538a03))
* **deps:** bump the github-actions group with 2 updates
([#62](#62))
([d1e0c09](d1e0c09))
* **deps:** bump the github-actions group with 3 updates
([#87](#87))
([ed550f4](ed550f4))
* **deps:** bump the github-actions group with 6 updates
([#162](#162))
([ec5bb12](ec5bb12))
* **devcontainer:** enhance gitleaks installation with checksum
verification ([#100](#100))
([5a8507d](5a8507d))
* **devcontainer:** refactor setup scripts for improved dependency
management ([#94](#94))
([f5f50d1](f5f50d1)),
closes [#98](#98)
* **security:** configure GitHub branch protection for OpenSSF
compliance ([#191](#191))
([90aab1a](90aab1a))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
This was referenced Jan 28, 2026
Closed
Closed
This was referenced Feb 6, 2026
Closed
Closed
Closed
Closed
This was referenced Feb 13, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@katriendg katriendg katriendg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: npm command pinning warnings from OpenSSF Scorecard

3 participants

@WilliamBerryiii @katriendg