diff --git a/.github/workflows/ci-js.yml b/.github/workflows/ci-js.yml
index 2b80d99a8e..b8e49b37e0 100644
--- a/.github/workflows/ci-js.yml
+++ b/.github/workflows/ci-js.yml
@@ -31,7 +31,7 @@ jobs:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
- run: npm install
+ run: npm ci
- name: Run JavaScript tests
env:
JEST_JUNIT_OUTPUT_DIR: ${{ env.REPORT_DIR }}
@@ -54,7 +54,7 @@ jobs:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
- run: npm install
+ run: npm ci
- name: Run JavaScript tests
run: npm run test:coverage -- --reporter=default --reporter=junit --outputFile=${{ env.REPORT_DIR }}/test-report.xml
- name: Submit test coverage to codecov.io
@@ -79,7 +79,7 @@ jobs:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
- run: npm install
+ run: npm ci
- name: Cache ESLint
uses: actions/cache@v5
with:
@@ -112,7 +112,7 @@ jobs:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
- run: npm install
+ run: npm ci
- name: Run TypeScript typecheck
run: npm run type-check
@@ -131,7 +131,7 @@ jobs:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
- run: npm install
+ run: npm ci
- name: Check if translations need an update
id: check
run: npm run i18n-extract -- --ci
@@ -155,7 +155,7 @@ jobs:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
- run: npm install
+ run: npm ci
- name: Check code formatting
id: check
run: |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ad28f3fbd9..ce1bf559e6 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
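Review bot: The third-party actions on the new side are still referenced by mutable major tags (`uses: actions/cache@v5` in the third hunk, and the `setup-node`/`checkout` steps just above each hunk), so this commit hardens the npm side of the supply chain while the workflow's own dependencies still resolve to whatever commit the tag points at on the day of the run. Pinning to a full commit SHA with the tag kept as a comment, `uses: actions/cache@<40-char-sha> # v5`, closes that gap and Dependabot can still bump it. Note also that `npm ci` refuses to run without a `package-lock.json` that matches `package.json`; the diff touches no lockfile, so presumably one is already committed and in sync — worth confirming before merging, since every job now depends on it. The `jobs:` block these hunks edit starts and ends outside the hunks.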
@@ -1,10 +1,10 @@
-name: "CodeQL"
+name: 'CodeQL'
on:
push:
- branches: [ main, stable, oldstable ]
+ branches: [main, stable, oldstable]
pull_request:
- branches: [ main, stable, oldstable ]
+ branches: [main, stable, oldstable]
paths-ignore:
- '**/*.md'
- '**/*.txt'
@@ -13,7 +13,7 @@ on:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
+ cancel-in-progress: true
jobs:
analyze:
@@ -27,22 +27,22 @@ jobs:
strategy:
fail-fast: false
matrix:
- language: [ 'javascript' ]
+ language: ['javascript']
steps:
- - name: Checkout repository
- uses: actions/checkout@v6
+ - name: Checkout repository
+ uses: actions/checkout@v6
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
- with:
- languages: ${{ matrix.language }}
- # build between init and analyze ...
- - name: Install node
- uses: actions/setup-node@v6
- with:
- cache: "npm"
- - name: Install dependencies
- run: npm install
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ # build between init and analyze ...
+ - name: Install node
+ uses: actions/setup-node@v6
+ with:
+ cache: 'npm'
+ - name: Install dependencies
+ run: npm ci
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1e8b35e5c..4aded1033e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ on:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
+ cancel-in-progress: true
jobs:
release:
@@ -96,7 +96,7 @@ jobs:
node-version: '22'
cache: 'npm'
- name: Install npm dependencies
- run: npm install
+ run: npm ci
- name: Build dist files
run: npm run build
- name: Create tarballs
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000000..368b95eca5
--- /dev/null
+++ b/.npmrc
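Review bot: The re-indented `Install node` step in the CodeQL job still has `cache: 'npm'` but no `node-version`, so `actions/setup-node@v6` falls back to whatever Node the runner image happens to ship; that can drift from the versions the `ci-js.yml` matrix tests and, with the new `.npmrc`, from an npm release that understands `min-release-age`. Adding `node-version: '22'` (matching `release.yml`) or a `node-version-file` keeps the CodeQL build on the same toolchain as the rest of CI. The `jobs:` block continues past the end of the hunk.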
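Review bot: `node-version: '22'` on the new side selects a Node line that, as far as I recall, bundles npm 10.x, while the `.npmrc` added in this same commit relies on `min-release-age`, a config that npm 10 does not know; older npm only emits an "Unknown project config" warning and installs without the quarantine, so the release build would silently get none of that protection. The `"npm": ">=11.0"` engines entry in `package.json` does not change this on its own, because engines is advisory unless `engine-strict` is set. Either upgrade npm explicitly before the install step, `- run: npm install -g npm@11`, or move to a Node line that bundles npm 11, and set `engine-strict=true` so a mismatch fails instead of warning. The `release` job continues on both sides of the hunk.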
@@ -0,0 +1,10 @@
+# Hardening direct dependencies: pinned versions are saved instead of ranges (^/~)
+save-exact=true
+
+# Supply Chain Quarantine: Blocks packages released within the last 7 days to mitigate "zero-day" compromises.
+# NOTE: To pull an urgent security patch released today, temporarily lower this value or comment it out.
+min-release-age=7
+
+# Malware Mitigation: Strictly blocks all post-install lifecycle scripts from dependencies.
+# NOTE: If a trusted package breaks because it requires scripts, you may need to run its script manually.
+ignore-scripts=true
diff --git a/package.json b/package.json
index a2134563f1..ac8567806c 100644
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
"type": "git",
"url": "https://github.com/greenbone/gsa/"
},
- "author": "Bj\u00f6rn Ricks ",
+ "author": "Björn Ricks ",
"license": "AGPL-3.0+",
"type": "module",
"scripts": {
@@ -30,10 +30,11 @@
"i18n-extract": "i18next-cli extract",
"type-check": "tsc --noEmit",
"type-check:watch": "tsc --noEmit --watch",
- "clear:node_modules": "rm -rf node_modules && npm install"
+ "clear:node_modules": "rm -rf node_modules && npm ci"
},
"engines": {
- "node": ">=22.0"
+ "node": ">=22.0",
+ "npm": ">=11.0"
},
"dependencies": {
"@dnd-kit/helpers": "^0.3.2",
@@ -119,4 +120,4 @@
"vite-plugin-svgr": "^5.2.0",
"vitest": "^4.0.17"
}
-}
\ No newline at end of file
+}
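Review bot: The comment above `ignore-scripts=true` understates the setting: npm applies it to every lifecycle script, not only dependencies' post-install hooks, so this project's own `prepare`/`postinstall` scripts (if it has any) stop running on `npm ci`, and `npm run build`/`npm run test:coverage` in the workflows still execute but skip any `pre`/`post` variants. I would reword it to `# Blocks ALL lifecycle scripts (ours and dependencies'); pre/post hooks of npm run scripts are skipped too` so the next person chasing a hook that never fired knows where to look. Two further caveats belong here: older npm does not know `min-release-age` and merely warns before installing without the quarantine, so add `engine-strict=true` to this file to make the `engines.npm >=11.0` bump a hard failure rather than a warning; and, as I understand it, the release-age check applies when npm resolves versions, not to versions already pinned in `package-lock.json`, so `npm ci` installs whatever the lockfile names regardless of age — the comment should say the quarantine protects `npm install`/`npm update`, not `npm ci`.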
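Review bot: `save-exact=true` only affects versions saved from now on, so the `^0.3.2`, `^5.2.0` and `^4.0.17` ranges visible in these hunks stay ranges and the "pinned versions" guarantee holds only through `package-lock.json` plus `npm ci`; that is worth saying explicitly next to the new `"npm": ">=11.0"` entry or in the `.npmrc` comment so nobody reads `save-exact` as retroactive pinning. The `"clear:node_modules"` switch to `npm ci` is consistent with the workflows, but it now also fails when the lockfile is out of sync, which is the intended behaviour and should be noted for developers who previously used it to regenerate the lockfile.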