chore: restore package-lock.json and use npm ci in CI#941
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (7)
💤 Files with no reviewable changes (1)
🚧 Files skipped from review as they are similar to previous changes (5)
📝 WalkthroughWalkthroughCI actions and workflows now use ChangesNode.js CI installation updates
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
a327b11 to
c0ac7a4
Compare
|
Semgrep found 1 Risk: Affected versions of vite and vite-plus are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Vite's server.fs.deny blocklist—which protects sensitive files such as .env and certificate files from being served—can be bypassed on Windows using alternate path representations (NTFS Alternate Data Stream syntax like Manual Review Advice: A vulnerability from this advisory is reachable if you expose the Vite dev server or vite-plus to the network by configuring a non-loopback address using the --host CLI flag on Windows Fix: Upgrade this library to at least version 6.4.3 at auth0-angular/package-lock.json:21361. Reference(s): GHSA-fx2h-pf6j-xcff Semgrep found 1 Risk: Affected versions of @babel/plugin-transform-modules-systemjs are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') / Improper Control of Generation of Code ('Code Injection'). @babel/plugin-transform-modules-systemjs mishandles module string specifiers when compiling code into SystemJS module form. An attacker who can supply specially crafted source code to a Babel build that uses this plugin (directly, or transitively via @babel/preset-env configured with Manual Review Advice: A vulnerability from this advisory is reachable if you install Fix: Upgrade this library to at least version 7.29.4 at auth0-angular/package-lock.json:2735. Reference(s): GHSA-fv7c-fp4j-7gwp, CVE-2026-44728 |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/actions/npm-publish/action.yml:
- Around line 31-34: Update the npm installation step in the npm publish action
to use a version that is published and available from the registry, or remove
the upgrade and rely on the bundled npm. Preserve the step’s purpose of
providing a working npm version for publishing.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 39ad342c-1c11-4510-9c9b-898b286ab4e4
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (7)
.github/actions/build/action.yml.github/actions/npm-publish/action.yml.github/workflows/cross-browser.yml.github/workflows/snyk.yml.github/workflows/test.yml.gitignore.npmrc
💤 Files with no reviewable changes (1)
- .gitignore
- Add omit-lockfile-registry-resolved=true to .npmrc to strip internal registry URLs from lockfile - Un-ignore package-lock.json so it is tracked in version control - Pin actions/setup-node to SHA and add cache: npm across all workflows - Replace npm i with npm ci for deterministic installs
ac51f14 to
56862fa
Compare
|
@yogeshchoudhary147 Please do review the snyk failure also. I understand it might not be due to changes in this PR but worth noting and taking an action item. |
Summary
omit-lockfile-registry-resolved=trueto.npmrcso internal registry URLs are stripped from the lockfile before commitpackage-lock.jsonfrom.gitignoreand restores it to version control for deterministic installsactions/setup-nodeto a SHA and addscache: npmacross all workflowsnpm iwithnpm ciin all CI jobs to ensure installs match the lockfile exactlySummary by CodeRabbit
Build & Reliability
npm itonpm ciacross build, tests, publishing, security checks, and cross-browser runs for more consistent results.Configuration
package-lock.jsonby removing the ignore rule.