Context

Even though this isn't a deployed JS package, the authoring environment relies on package.json. An outdated package-lock.json leaves known-vulnerable devDependencies pinned and causes build drift between local runs and CI, which will break the PR checks.

Tasks

Run npm audit to clear out outstanding CVEs in devDependencies.
Implement/verify that .github/dependabot.yml is configured specifically for the npm ecosystem so the linters are kept up to date automatically.
Verify that all GitHub Actions workflows use npm ci strictly instead of npm install: npm ci installs exactly what package-lock.json pins and fails if the lockfile and package.json disagree, which guarantees reproducible linting runs.
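As an added example (not a file from this repository), the script below shows what the second and third tasks look like when they are done and checked: a dependabot.yml that covers the npm ecosystem, a lint workflow that uses npm ci, and a small shell check that fails if dependabot.yml does not declare npm or if any workflow under .github/workflows still runs npm install. The repository layout, workflow names and their contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not the repository's own CI files.
# check_dependabot DIR: exit 0 if DIR/.github/dependabot.yml declares
# a package-ecosystem of npm, 1 otherwise.
check_dependabot() {
  f="$1/.github/dependabot.yml"
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  grep -Eq "^[[:space:]]*-?[[:space:]]*package-ecosystem:[[:space:]]*[\"']?npm[\"']?[[:space:]]*\$" "$f" \
    || { echo "$f does not declare package-ecosystem: npm"; return 1; }
  return 0
}

# check_workflows DIR: exit 0 if no workflow file under DIR/.github/workflows
# invokes 'npm install' (or its alias 'npm i'); 1 and a report otherwise.
# 'npm ci' does not match the pattern and is the expected form.
check_workflows() {
  dir="$1/.github/workflows"
  [ -d "$dir" ] || { echo "missing $dir"; return 1; }
  status=0
  for wf in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$wf" ] || continue
    if grep -En '(^|[^[:alnum:]])npm[[:space:]]+(install|i)([[:space:]]|$)' "$wf"; then
      echo "$wf: use 'npm ci' instead of 'npm install'"
      status=1
    fi
  done
  return $status
}

# make_fixture DIR: constructed repository layout with a compliant
# dependabot.yml, a compliant lint workflow and one non-compliant workflow.
make_fixture() {
  root="$1"
  mkdir -p "$root/.github/workflows"
  cat > "$root/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
EOF
  cat > "$root/.github/workflows/lint.yml" <<'EOF'
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm run lint
EOF
  cat > "$root/.github/workflows/bad.yml" <<'EOF'
name: bad
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install
EOF
}

# Usage against a real checkout: check_dependabot . && check_workflows .
```

The grep in check_workflows is deliberately simple: it also flags a comment that mentions npm install, which is an acceptable false positive for a PR check whose purpose is to keep the lockfile authoritative.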