
fix(security): Package hygiene & pre-publish gate hardening [L-03, L-12]#18

Open
riaworks wants to merge 1 commit into thiagofinch:main from riaworks:chore/package-hygiene

Conversation


@riaworks riaworks commented Mar 2, 2026

Summary

  • L-03: Synced package-lock.json version from 1.1.1 to 1.3.0 to match package.json
  • L-12: Changed pre-publish gate layer validation catch block from warn-only to fail-closed, consistent with the file's stated design principle ("fail-CLOSED — if scanning fails, publish is BLOCKED")

Security Impact

  • L-03 prevents version confusion during npm ci installs
  • L-12 closes a bypass vector where a missing Python runtime would silently skip L1 layer validation, allowing non-L1 content to be published

Files Changed

| File | Change |
| --- | --- |
| package-lock.json | Version synced 1.1.1 → 1.3.0 |
| bin/pre-publish-gate.js | Layer validation catch: warn → fail-closed |

Test Plan

  • Verify npm ci succeeds without warnings
  • Verify npm pack --dry-run output unchanged
  • Verify node bin/pre-publish-gate.js blocks when Python unavailable
  • Verify normal publish flow still works when all deps present

Frameworks

  • OWASP LLM09 (Supply Chain Vulnerabilities)
  • MITRE ATLAS AML.T0010 (ML Supply Chain Compromise)

🤖 Generated with Claude Code

…gate

L-03: package-lock.json was at v1.1.1 while package.json at v1.3.0.
Ran npm install --package-lock-only to sync versions.

L-12: Layer validation in pre-publish-gate.js was warn-only on error,
contradicting the file's own fail-CLOSED design. Changed catch block
to block publish when validation cannot run (e.g., missing Python 3),
preventing potential bypass of L1 layer checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@riaworks riaworks requested a review from thiagofinch as a code owner March 2, 2026 15:50