This repository was archived by the owner on Apr 23, 2026. It is now read-only.

Use npm ci instead of npm install in linting workflow#93

Merged
tarebyte merged 3 commits into main from copilot/fix-code-scanning-alerts
Apr 23, 2026

Conversation


Copilot AI commented Apr 23, 2026

npm install standard in the linting workflow is non-deterministic — it can fetch updated versions and mutate package-lock.json, leading to inconsistent CI builds (CWE-829).

Changes

  • .github/workflows/linting.yml: Replace npm install standard with npm ci
    • standard is already a devDependency in package.json, so npm ci installs it (and all deps) from the lockfile — no separate install step needed
    • npm ci enforces lockfile consistency and fails fast if package-lock.json is out of sync with package.json
- - run: npm install standard
+ - run: npm ci
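Review bot: the replacement line `npm ci` still executes the preinstall/install/postinstall lifecycle scripts of every package recorded in the lockfile, so a job that only needs `standard` for linting runs arbitrary third-party code at install time; consider `npm ci --ignore-scripts` here unless a dependency genuinely needs a build step. Note also that `npm ci` aborts when package-lock.json is missing or disagrees with package.json, so the lockfile must be committed and regenerated whenever package.json changes, otherwise this job fails rather than drifting. The hunk shows no surrounding steps, so whether the checkout and setup-node steps (for example, `cache: npm` keyed on the lockfile) are configured to match cannot be confirmed from this page.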

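The lockfile-consistency check that the description says `npm ci` enforces, as an added example that is not part of this PR or the repository it modifies: a JavaScript re-implementation of the agreement check between package.json and package-lock.json (lockfileVersion 2 or 3), run against constructed manifests. The function names (`lockfileProblems`, `simulateNpmCi`), the `^17.1.0` range and the integrity digest are this example's own assumptions, not values from the repository.

```javascript
// Added example, not code from the PR or the repository it modifies. It
// re-implements the manifest/lockfile agreement check that `npm ci` performs
// before touching node_modules, so "out of sync" has a concrete meaning.
// Assumes lockfileVersion 2 or 3 (the `packages` map); lockfileProblems and
// simulateNpmCi are this example's own names. All manifests are constructed.

const DEP_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// Subresource-integrity string as npm writes it: algorithm, dash, base64 digest.
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Returns human-readable problems; an empty list means npm ci would proceed.
// npm install, by contrast, silently "fixes" each of these by re-resolving
// and rewriting package-lock.json, which is the drift the PR removes.
function lockfileProblems(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[""];
  if (!root) return ['lockfile has no root entry (packages[""]); regenerate it'];

  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    // Every range in package.json must be recorded verbatim in the lock root.
    for (const [name, spec] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}.${name} is in package.json but not in the lockfile`);
      } else if (locked[name] !== spec) {
        problems.push(`${field}.${name}: package.json wants ${spec}, lockfile recorded ${locked[name]}`);
      }
      if (!packages[`node_modules/${name}`]) {
        problems.push(`no resolved entry for node_modules/${name}`);
      }
    }
    // And nothing may linger in the lock root that package.json dropped.
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}.${name} is in the lockfile but not in package.json`);
      }
    }
  }

  // Every fetched package needs a resolved URL and a usable integrity hash;
  // without the hash the tarball is trusted on the registry's say-so alone.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue;
    if (!entry.resolved) problems.push(`${path} has no resolved URL`);
    if (!SRI_RE.test(entry.integrity || "")) problems.push(`${path} has no usable integrity hash`);
  }
  return problems;
}

function simulateNpmCi(pkg, lock) {
  const problems = lockfileProblems(pkg, lock);
  return { ok: problems.length === 0, problems };
}

// Constructed sample manifests. The PR says `standard` is a devDependency;
// the version range and the digest below are made up for the example.
const PACKAGE_JSON = {
  name: "example-app",
  version: "1.0.0",
  devDependencies: { standard: "^17.1.0" },
};

const FAKE_SHA512 = "sha512-" + "A".repeat(86) + "=="; // constructed, not a real digest

const LOCKFILE = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", devDependencies: { standard: "^17.1.0" } },
    "node_modules/standard": {
      version: "17.1.0",
      resolved: "https://registry.npmjs.org/standard/-/standard-17.1.0.tgz",
      integrity: FAKE_SHA512,
      dev: true,
    },
  },
};

// The drift the description warns about: package.json is edited (here the
// range is bumped) without regenerating the lockfile.
const PACKAGE_JSON_DRIFTED = { ...PACKAGE_JSON, devDependencies: { standard: "^17.1.2" } };

console.log(simulateNpmCi(PACKAGE_JSON, LOCKFILE));         // ok: true
console.log(simulateNpmCi(PACKAGE_JSON_DRIFTED, LOCKFILE)); // ok: false, one problem
```

Run it with `node`. The drifted manifest is the case where `npm install` would have quietly rewritten the lockfile and the CI build would no longer match the repository; the missing-integrity path (drop the `integrity` field from a package entry) shows why a committed lockfile with hashes, rather than a bare install, is what answers the CWE-829 concern the description cites.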
Copilot AI changed the title from "[WIP] Fix code scanning alert(s) flagged in this repository" to "Use npm ci instead of npm install in linting workflow" Apr 23, 2026
Copilot AI requested a review from tarebyte April 23, 2026 17:47
@tarebyte tarebyte marked this pull request as ready for review April 23, 2026 17:54
@tarebyte tarebyte requested a review from a team as a code owner April 23, 2026 17:54
Copilot AI review requested due to automatic review settings April 23, 2026 17:54

Copilot AI left a comment


Pull request overview

Updates the linting GitHub Actions workflow to use deterministic dependency installation, reducing the risk of CI drift from fetching unintended dependency updates.

Changes:

  • Replaces npm install standard with npm ci in the linting workflow.
  • Relies on the existing package-lock.json and devDependencies (including standard) to ensure reproducible installs.
Summary per file:

  • .github/workflows/linting.yml: Switches lint job dependency installation to npm ci for lockfile-driven, deterministic installs.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@tarebyte tarebyte requested a review from a team as a code owner April 23, 2026 18:07
@tarebyte tarebyte merged commit d158139 into main Apr 23, 2026
5 checks passed
@tarebyte tarebyte deleted the copilot/fix-code-scanning-alerts branch April 23, 2026 18:10
4 participants