Commit graph

2 commits

Author SHA1 Message Date
Corey Newton
441952f0ed
chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685)
- Monthly/weekly update frequency reduces the window of exposure but the addition of a cooldown should help narrow it further.
- Implemented as suggested in this gist: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104
- I've opted to use the more conservative 3-day cooldown as this is the default in some tools.
- Dependabot needs to be adjusted in combination with .npmrc to avoid creating PRs that can't succeed.

Ref.
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
2026-05-20 11:50:30 +02:00
Kondamon
a9a8d5bbb6
ci: add package-lock.json registry check and pin npm registry (#6875)
* ci: add package-lock.json registry check and pin npm registry

Prevents contributors using mirror registries (e.g. npmmirror.com) from
rewriting all resolved URLs in package-lock.json, which also causes
cascading formatting changes due to different dependency versions.

* fix(ci): use || true instead of || echo 0 in registry check

When all resolved URLs are standard, grep -cv outputs 0 and exits with
code 1. The || echo 0 then fires and also outputs 0, making BAD_COUNT
"0\n0" which causes a bash integer expression error. Using || true
swallows the exit code without extra output.

---------

Co-authored-by: Kondamon <kondamon@github.com>
2026-03-19 12:01:40 +01:00