Skip to content

fix: pin npm commands by hash in build scripts for supply chain security #7081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
koralkulacoglu wants to merge 5 commits into from
Closed

fix: pin npm commands by hash in build scripts for supply chain security #7081

koralkulacoglu wants to merge 5 commits into from

Conversation

@koralkulacoglu
Copy link
Contributor

@koralkulacoglu koralkulacoglu commented Sep 24, 2025
edited
Loading

TICKET: DX-1510

Replace unpinned npm install with npm ci across publish scripts to prevent supply chain attacks and ensure reproducible builds.

@koralkulacoglu koralkulacoglu marked this pull request as ready for review September 24, 2025 17:42
@koralkulacoglu koralkulacoglu requested review from a team as code owners September 24, 2025 17:42
@koralkulacoglu koralkulacoglu marked this pull request as draft September 24, 2025 17:56
@koralkulacoglu koralkulacoglu marked this pull request as ready for review September 24, 2025 18:14
lcovar
lcovar previously approved these changes Sep 25, 2025
View reviewed changes
mukeshsp
mukeshsp reviewed Sep 26, 2025
View reviewed changes
Copy link
Contributor

@mukeshsp mukeshsp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix the conflicts and failing tests

louib
louib reviewed Sep 27, 2025
View reviewed changes
Copy link
Contributor

@louib louib left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure those scripts are still used? I think those three modules are published with lerna just like all the other BitGoJS modules

modules/bitgo/scripts/publish.sh Outdated
# install
npm install
# install - generate package-lock.json first, then use npm ci for reproducible builds
npm install --package-lock-only
Copy link
Contributor

@louib louib Sep 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't regenerating a package-lock.json file first defeat the purpose of running npm ci? Why would the package-lock.json file be incomplete at the time of publishing?

Marzooqa
Marzooqa reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@Marzooqa Marzooqa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI failing

@koralkulacoglu koralkulacoglu marked this pull request as draft September 29, 2025 17:43
@koralkulacoglu koralkulacoglu force-pushed the DX-1510-Pin-npm-Commands-by-Hash-in-Build-Scripts branch from 12256c3 to 3f2c274 Compare September 29, 2025 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@louib louib louib left review comments

@mukeshsp mukeshsp mukeshsp left review comments

@Marzooqa Marzooqa Marzooqa left review comments

@OttoAllmendinger OttoAllmendinger OttoAllmendinger left review comments

@lcovar lcovar lcovar left review comments

@mrdanish26 mrdanish26 Awaiting requested review from mrdanish26 mrdanish26 was automatically assigned from BitGo/wallet-platform

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@koralkulacoglu @OttoAllmendinger @louib @mukeshsp @lcovar @Marzooqa