From 32106dcd221da956c3d9f9cb389fa687628b7844 Mon Sep 17 00:00:00 2001 From: saileshwar-skyflow Date: Thu, 4 Jun 2026 00:00:12 +0530 Subject: [PATCH 1/2] SK-2839: pin dependency versions and add --ignore-scripts to harden against supply chain attacks - Pin all dependencies/devDependencies in package.json to exact locked versions from package-lock.json (remove ^ and ~ prefixes); peerDependencies unchanged - Add --ignore-scripts to every npm install call across all 5 CI workflows - Create .npmrc with ignore-scripts=true at repo root and samples/SkyflowElements/ Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/CI.yml | 2 +- .github/workflows/beta-release.yml | 2 +- .github/workflows/internal-release.yml | 2 +- .github/workflows/main.yml | 2 +- .github/workflows/release.yml | 2 +- .npmrc | 1 + package.json | 96 +++++++++++++------------- samples/SkyflowElements/.npmrc | 1 + 8 files changed, 55 insertions(+), 53 deletions(-) create mode 100644 .npmrc create mode 100644 samples/SkyflowElements/.npmrc diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index f739d82..4c937a9 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -29,7 +29,7 @@ jobs: node-version: 14.17.6 - name: install node_modules - run: npm install + run: npm install --ignore-scripts - name: Run spellcheck run: npm run spellcheck diff --git a/.github/workflows/beta-release.yml b/.github/workflows/beta-release.yml index a66b03d..67701b2 100644 --- a/.github/workflows/beta-release.yml +++ b/.github/workflows/beta-release.yml @@ -19,7 +19,7 @@ jobs: node-version: 14.17.6 registry-url: 'https://registry.npmjs.org' - - run: npm install + - run: npm install --ignore-scripts - name: install modules run: npm install diff --git a/.github/workflows/internal-release.yml b/.github/workflows/internal-release.yml index 29d5648..035f6a5 100644 --- a/.github/workflows/internal-release.yml +++ b/.github/workflows/internal-release.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/setup-node@v1 with: node-version: 14.17.6 - - run: npm install + - run: npm install --ignore-scripts - name: npm build run: npm run build diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cb930de..60a8ad2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,7 +15,7 @@ jobs: node-version: 14.17.6 - name: install node_modules - run: npm install + run: npm install --ignore-scripts - name: Run tests run: npm run test diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 888ca66..a9d4927 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,7 @@ jobs: with: node-version: 14.17.6 registry-url: 'https://registry.npmjs.org' - - run: npm install + - run: npm install --ignore-scripts - name: install modules run: npm install diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..97b895e --- /dev/null +++ b/.npmrc @@ -0,0 +1 @@ +ignore-scripts=true diff --git a/package.json b/package.json index 0d6d81e..3a8fbe3 100644 --- a/package.json +++ b/package.json @@ -36,57 +36,57 @@ "npm": ">=6.0" }, "devDependencies": { - "@babel/cli": "^7.20.7", - "@babel/core": "^7.9.6", - "@babel/plugin-proposal-class-properties": "^7.10.1", - "@babel/plugin-proposal-decorators": "^7.10.1", - "@babel/plugin-proposal-object-rest-spread": "^7.10.1", - "@babel/plugin-transform-runtime": "^7.10.1", - "@babel/preset-env": "^7.9.6", + "@babel/cli": "7.26.4", + "@babel/core": "7.26.0", + "@babel/plugin-proposal-class-properties": "7.18.6", + "@babel/plugin-proposal-decorators": "7.25.9", + "@babel/plugin-proposal-object-rest-spread": "7.20.7", + "@babel/plugin-transform-runtime": "7.25.9", + "@babel/preset-env": "7.26.0", "@babel/preset-react": "7.12.13", - "@babel/preset-typescript": "^7.10.1", - "@babel/runtime": "^7.26.10", - "@testing-library/jest-dom": "^6.4.5", - "@testing-library/react": "^13.0.0", - "@types/jest": "^29.5.12", - "@types/jquery-mask-plugin": "^1.14.3", - "@types/minimatch": "^3.0.5", - "@types/node": "^14.0.5", - "@types/react": "^18.0.14", - "@typescript-eslint/eslint-plugin": "^5.32.0", - "@typescript-eslint/parser": "^5.32.0", - "babel-loader": "^9.1.2", - "clean-webpack-plugin": "^4.0.0-alpha.0", - "compression-webpack-plugin": "^8.0.1", - "cspell": "^4.2.8", - "eslint": "^8.31.0", - "eslint-config-airbnb-base": "^15.0.0", - "eslint-config-airbnb-typescript": "^16.0.0", - "eslint-config-prettier": "^8.5.0", - "eslint-import-resolver-typescript": "^3.4.0", - "eslint-plugin-import": "^2.25.4", - "eslint-plugin-prettier": "^4.2.1", - "eslint-plugin-react": "^7.30.1", - "eslint-plugin-react-hooks": "^4.6.0", - "fork-ts-checker-webpack-plugin": "^6.3.2", - "html-webpack-plugin": "^5.5.0", - "jest": "^28.1.3", - "jest-environment-jsdom": "^28.1.3", - "prettier": "^2.7.1", - "react": "^18.1.0", - "react-dom": "^18.1.0", - "ts-jest": "^28.0.7", - "typescript": "^4.7.4", - "webpack": "^5.51.1", - "webpack-bundle-analyzer": "^4.4.2", - "webpack-cli": "^5.1.4", - "webpack-dev-server": "^5.2.2", - "webpack-manifest-plugin": "^4.0.2", - "webpack-merge": "^5.8.0" + "@babel/preset-typescript": "7.26.0", + "@babel/runtime": "7.28.2", + "@testing-library/jest-dom": "6.6.3", + "@testing-library/react": "13.4.0", + "@types/jest": "29.5.14", + "@types/jquery-mask-plugin": "1.14.6", + "@types/minimatch": "3.0.5", + "@types/node": "14.18.63", + "@types/react": "18.3.17", + "@typescript-eslint/eslint-plugin": "5.62.0", + "@typescript-eslint/parser": "5.62.0", + "babel-loader": "9.2.1", + "clean-webpack-plugin": "4.0.0", + "compression-webpack-plugin": "8.0.1", + "cspell": "4.2.8", + "eslint": "8.57.1", + "eslint-config-airbnb-base": "15.0.0", + "eslint-config-airbnb-typescript": "16.2.0", + "eslint-config-prettier": "8.10.0", + "eslint-import-resolver-typescript": "3.7.0", + "eslint-plugin-import": "2.31.0", + "eslint-plugin-prettier": "4.2.1", + "eslint-plugin-react": "7.37.2", + "eslint-plugin-react-hooks": "4.6.2", + "fork-ts-checker-webpack-plugin": "6.5.3", + "html-webpack-plugin": "5.6.3", + "jest": "28.1.3", + "jest-environment-jsdom": "28.1.3", + "prettier": "2.8.8", + "react": "18.3.1", + "react-dom": "18.3.1", + "ts-jest": "28.0.8", + "typescript": "4.9.5", + "webpack": "5.97.1", + "webpack-bundle-analyzer": "4.10.2", + "webpack-cli": "5.1.4", + "webpack-dev-server": "5.2.2", + "webpack-manifest-plugin": "4.1.1", + "webpack-merge": "5.10.0" }, "dependencies": { - "skyflow-js": "^2.4.4", - "uuid": "^9.0.0" + "skyflow-js": "2.4.4", + "uuid": "9.0.1" }, "peerDependencies": { "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0", diff --git a/samples/SkyflowElements/.npmrc b/samples/SkyflowElements/.npmrc new file mode 100644 index 0000000..97b895e --- /dev/null +++ b/samples/SkyflowElements/.npmrc @@ -0,0 +1 @@ +ignore-scripts=true From 54c773c1bf3bcbe9d00c8abe1710cc6b42719334 Mon Sep 17 00:00:00 2001 From: saileshwar-skyflow Date: Thu, 4 Jun 2026 23:44:36 +0530 Subject: [PATCH 2/2] SK-2389: add cap for skyflow-js --- package.json | 2 +- samples/SkyflowElements/.npmrc | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 samples/SkyflowElements/.npmrc diff --git a/package.json b/package.json index 3a8fbe3..c3c69eb 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,7 @@ "webpack-merge": "5.10.0" }, "dependencies": { - "skyflow-js": "2.4.4", + "skyflow-js": "^2.7.8", "uuid": "9.0.1" }, "peerDependencies": { diff --git a/samples/SkyflowElements/.npmrc b/samples/SkyflowElements/.npmrc deleted file mode 100644 index 97b895e..0000000 --- a/samples/SkyflowElements/.npmrc +++ /dev/null @@ -1 +0,0 @@ -ignore-scripts=true