Missing lock file and mutable dist-tag on @airtable/blocks create supply chain risk #1

@Augmaster

Description

Summary

The repository [Airtable/interface-extensions-word-cloud-typescript](https://github.com/Airtable/interface-extensions-word-cloud-typescript) lacks a package-lock.json (or equivalent lock file). All production dependencies use unpinned caret (^) ranges, and the core SDK dependency @airtable/blocks uses a mutable npm dist-tag ("interface-alpha"). This makes every npm install non-deterministic and opens a supply chain attack vector (CWE-829).

Severity

Low: The blast radius is mitigated by Airtable's sandboxed iframe extension environment, but the risk is real for anyone forking, building, or extending this project.

Steps to Reproduce

  1. Clone the repository:
    git clone https://github.com/Airtable/interface-extensions-word-cloud-typescript.git
    
  2. Confirm no lock file exists:
    ls package-lock.json yarn.lock pnpm-lock.yaml
    
    None of these files are present.
  3. Inspect package.json, note the unpinned dependency ranges:
    {
      "dependencies": {
        "@airtable/blocks": "interface-alpha",
        "d3": "^7.9.0",
        "d3-cloud": "^1.2.8",
        "react": "^19.1.0",
        "react-dom": "^19.1.0"
      }
    }
  4. Run npm install twice, on different dates or on different machines, and compare the resulting node_modules trees: the resolved versions may differ because no lock file pins them.

Impact

  • Supply chain attack vector: A compromised patch or minor release of any dependency (or a malicious re-tag of the interface-alpha dist-tag) would be silently pulled in on the next npm install. Developers and CI systems building this extension could unknowingly execute malicious code.
  • Non-reproducible builds: Two developers or CI runs may resolve entirely different dependency trees, making it impossible to guarantee what code is actually being shipped.
  • Mutable dist-tag risk: The "@airtable/blocks": "interface-alpha" specifier resolves to whatever version the interface-alpha tag currently points to on npm. If this tag is re-pointed (intentionally or via a compromised npm account), all consumers silently receive the new version.

Suggested Remediation

  1. Run npm install and commit the resulting package-lock.json to the repository.
  2. Pin @airtable/blocks to a specific semver version (e.g., "@airtable/blocks": "0.x.y") instead of using the mutable interface-alpha dist-tag.
  3. Add npm audit to the CI pipeline to catch newly disclosed CVEs automatically.
