Secure tsp-client usage by using pinned version from package-lock.json

Copilot · raych1 · azure-sdk · commit d846de95cf71 · 2025-10-07T20:58:39.000Z
Co-authored-by: raych1 &lt;20296335+raych1@users.noreply.github.com&gt;
diff --git a/eng/common/pipelines/templates/archetype-typespec-emitter.yml b/eng/common/pipelines/templates/archetype-typespec-emitter.yml
@@ -259,24 +259,38 @@ extends:
             displayName: Download pipeline artifacts
 
           - pwsh: |
-              npm install -g @azure-tools/typespec-client-generator-cli@latest
+              Push-Location eng/common/tsp-client
+              try {
+                npm ci
+              } finally {
+                Pop-Location
+              }
             displayName: Install tsp-client
 
           - pwsh: |
               Write-Host "Overrides location: $(buildArtifactsPath)/packages/overrides.json"
 
               if (Test-Path -Path '$(buildArtifactsPath)/packages/overrides.json') {
                 Write-Host "Using overrides.json to generate emitter-package.json"
-                tsp-client generate-config-files `
-                --package-json '$(buildArtifactsPath)/lock-files/package.json' `
-                --emitter-package-json-path '${{ parameters.EmitterPackageJsonOutputPath }}' `
-                --overrides '$(buildArtifactsPath)/packages/overrides.json'
+                Push-Location eng/common/tsp-client
+                try {
+                  npm exec --no -- tsp-client generate-config-files `
+                  --package-json '$(buildArtifactsPath)/lock-files/package.json' `
+                  --emitter-package-json-path '$(Build.SourcesDirectory)/${{ parameters.EmitterPackageJsonOutputPath }}' `
+                  --overrides '$(buildArtifactsPath)/packages/overrides.json'
+                } finally {
+                  Pop-Location
+                }
               } else {
                 Write-Host "No overrides.json found. Running tsp-client without overrides."
-
-                tsp-client generate-config-files `
-                --package-json '$(buildArtifactsPath)/lock-files/package.json' `
-                --emitter-package-json-path '${{ parameters.EmitterPackageJsonOutputPath }}'
+                Push-Location eng/common/tsp-client
+                try {
+                  npm exec --no -- tsp-client generate-config-files `
+                  --package-json '$(buildArtifactsPath)/lock-files/package.json' `
+                  --emitter-package-json-path '$(Build.SourcesDirectory)/${{ parameters.EmitterPackageJsonOutputPath }}'
+                } finally {
+                  Pop-Location
+                }
               }
             displayName: Generate emitter-package.json and emitter-package-lock files
             workingDirectory: $(Build.SourcesDirectory)
