KEMBAR78
🐛 check for npm package git URLs by AdamKorcz · Pull Request #4680 · ossf/scorecard · GitHub
Skip to content

🐛 check for npm package git URLs #4680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Aug 4, 2025
Merged

🐛 check for npm package git URLs #4680

merged 5 commits into from
Aug 4, 2025

Conversation

AdamKorcz
Copy link
Contributor

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

Currently Scorecard only check for npm ci to determine whether packages are pinned, however, users can also do that with other URL formats like these.

What is the new behavior (if this is a feature change)?**

Scorecard supports git URLs for npm install

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4589

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Support git URLs for calls to npm install.

@AdamKorcz AdamKorcz requested a review from a team as a code owner June 27, 2025 10:08
@AdamKorcz AdamKorcz requested review from raghavkaul and spencerschrock and removed request for a team June 27, 2025 10:08
@AdamKorcz AdamKorcz temporarily deployed to integration-test June 27, 2025 10:08 — with GitHub Actions Inactive
@codecov
Copy link

codecov bot commented Jun 27, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 78.57143% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.29%. Comparing base (353ed60) to head (fec2411).
⚠️ Report is 210 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4680      +/-   ##
==========================================
+ Coverage   66.80%   68.29%   +1.48%     
==========================================
  Files         230      249      +19     
  Lines       16602    18923    +2321     
==========================================
+ Hits        11091    12923    +1832     
- Misses       4808     5137     +329     
- Partials      703      863     +160
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

spencerschrock
spencerschrock reviewed Jun 27, 2025
View reviewed changes
@AdamKorcz AdamKorcz temporarily deployed to integration-test June 27, 2025 20:56 — with GitHub Actions Inactive
spencerschrock
spencerschrock reviewed Jun 30, 2025
View reviewed changes
@github-actions
Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added Stale and removed Stale labels Jul 11, 2025
@github-actions
Copy link

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Jul 22, 2025
AdamKorcz added 4 commits July 23, 2025 17:57
@AdamKorcz
🐛 check for npm package git URLs
2c6145c 
Signed-off-by: Adam Korczynski <adam@adalogics.com>
@AdamKorcz
fix wrong URLs in test
cf9893f 
Signed-off-by: Adam Korczynski <adam@adalogics.com>
@AdamKorcz
use existing regex to validate hash
33e60fc 
Signed-off-by: Adam Korczynski <adam@adalogics.com>
@AdamKorcz
modify prefixes
cdb9961 
Signed-off-by: Adam Korczynski <adam@adalogics.com>
@AdamKorcz AdamKorcz temporarily deployed to integration-test July 23, 2025 17:13 — with GitHub Actions Inactive
@github-actions github-actions bot removed the Stale label Jul 24, 2025
@github-actions
Copy link

github-actions bot commented Aug 3, 2025

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Aug 3, 2025
@justaugustus justaugustus removed the Stale label Aug 3, 2025
spencerschrock
spencerschrock reviewed Aug 4, 2025
View reviewed changes
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/scdiff generate Pinned-Dependencies

@spencerschrock
Copy link
Member

/scdiff generate Pinned-Dependencies

@github-actions
Copy link

github-actions bot commented Aug 4, 2025

Here's a link to the scdiff run

@spencerschrock spencerschrock enabled auto-merge (squash) August 4, 2025 16:40
@spencerschrock spencerschrock merged commit 51bda92 into ossf:main Aug 4, 2025
38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spencerschrock spencerschrock spencerschrock approved these changes

@raghavkaul raghavkaul Awaiting requested review from raghavkaul raghavkaul is a code owner automatically assigned from ossf/scorecard-maintainers

Assignees

No one assigned

Labels

None yet

Projects

OpenSSF Scorecard
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[npmCommand] npm install github:package.repo#sha is detected as non pinned dependency

3 participants

@AdamKorcz @spencerschrock @justaugustus