chore: pin docker images and npm deps with CI enforcement#117
Merged: CaseyHoover merged 2 commits into main, May 9, 2026
Conversation
Closes #106. Two recent CI breakages traced to upstream rebuilds of floating tags motivated a no-floating-refs stance across the repo.

- Pin postgres base image to major.minor (17.9-alpine).
- Convert all package.json ranges from `^` to `~`, anchored to the currently-resolved version so installs don't downgrade. Bumps manifests for tsup, tsx, openapi-typescript, and recharts to match the lockfile.
- Add scripts/check-pinning.mjs to enforce both rules; wire it into CI as `pnpm lint:pinning`.
- Document the policy in AGENTS.md.

GitHub Actions are already SHA-pinned and enforced via the repo's "Require actions pinned to SHA" setting, so no extra lint there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CodeQL flagged js/redos on the inner `([.+-][A-Za-z0-9._+-]+)*` group: the prefix character set overlapped the inner character set, so a string like "0.0+++++..." had exponentially many parses. Replace the unbounded suffix repetition with a single optional run `(?:[._-][A-Za-z0-9._-]*)?`. No matchable tag changes — `17.9-alpine`, `17.9.1-alpine`, `20.0-bookworm-slim`, and `@sha256:…` digests all still accept; `17-alpine`, `latest`, and untagged images still reject. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🎉 This PR is included in version 1.0.5 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Closes #106.
Summary
- Pin the postgres base image to `17.9-alpine` (the floating `17-alpine` tag was the same class of risk as the `node:26-slim` rebuild that hung CI on PRs #99 (docs: add bug report and feature request issue templates), #100 (chore(devcontainer): only install chromium for playwright) and #102 (ci: cap every workflow job at 10 minutes)).
- Convert every `package.json` range from `^` to `~`, anchored to the version that was actually installed pre-change (manifest bumps for `tsup`, `tsx`, `openapi-typescript`, `recharts`). No top-level resolved versions changed in `pnpm-lock.yaml`.
- `scripts/check-pinning.mjs` walks all `package.json`, `Dockerfile`, and `docker-compose*.yaml` files. Rejects `^`, `*`, `latest`, bare-major (`~25`), and floating Docker tags (`17-alpine`). Allows exact pins, `~major.minor.patch`, `workspace:*`/`link:`/`file:`/`npm:` aliases (alias version is also checked), git/http URLs, and `@sha256:…` digests.
- `pnpm lint:pinning` runs ahead of the main lint step.
- Policy documented in `AGENTS.md`.

GitHub Actions are already SHA-pinned and enforced at the repo-settings level ("Require actions pinned to SHA"), so no extra lint is needed there.
Test plan
- `pnpm lint:pinning` passes on this branch
- `pnpm lint`, `pnpm build`, `pnpm format:check` all green
- Rejected by the checker: `^`, `*`, `latest`, `~25`, `npm:foo@^1.2.3`, `postgres:17-alpine`, `node:26-slim`, untagged images
- Accepted by the checker: `~1.2.3`, `1.2.3`, `~1.2.3-rc.1`, `workspace:*`, `npm:foo@~1.2.3`, `postgres:17.9-alpine`, `@sha256:…`

🤖 Generated with Claude Code
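The two checks described above (the Docker tag pattern with the ReDoS fix from the second commit, and the `package.json` range rules from the summary), as an added example that is not the PR's own `scripts/check-pinning.mjs`. The PR shows only the hardened inner group `(?:[._-][A-Za-z0-9._-]*)?`; the surrounding `major.minor` prefix, the image-reference parsing, and the `NPM_PIN` pattern are my assumptions about the rest of the checker.

```javascript
// Added example, not the repo's script. Tag must start with major.minor; the
// suffix is one bounded run instead of the old nested repetition
// `([.+-][A-Za-z0-9._+-]+)*`, whose overlapping character sets let CodeQL's
// js/redos query find exponential backtracking on inputs like "0.0+++++...".
const PINNED_TAG = /^\d+\.\d+(?:[._-][A-Za-z0-9._-]*)?$/;   // assumed full pattern
const DIGEST = /^sha256:[0-9a-f]{64}$/;

// True when an image reference is pinned to major.minor or to a digest.
function isPinnedImage(ref) {
  const at = ref.indexOf('@');
  if (at !== -1) return DIGEST.test(ref.slice(at + 1));   // @sha256:... digest
  const nameStart = ref.lastIndexOf('/') + 1;              // skip registry host:port
  const colon = ref.indexOf(':', nameStart);
  if (colon === -1) return false;                          // untagged => floating
  return PINNED_TAG.test(ref.slice(colon + 1));
}

// Exact `1.2.3` or tilde `~1.2.3`, optionally with a prerelease suffix (assumed).
const NPM_PIN = /^~?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// True when a package.json range cannot silently resolve to a newer version.
function isPinnedRange(range) {
  if (/^(?:workspace|link|file):/.test(range)) return true;   // local refs
  if (range.startsWith('npm:')) {                              // alias: check the aliased version
    const spec = range.slice(4);
    const at = spec.lastIndexOf('@');
    return at > 0 && isPinnedRange(spec.slice(at + 1));
  }
  if (/^(?:git\+|https?:)/.test(range)) return true;           // git/http URLs
  return NPM_PIN.test(range);   // rejects ^, *, latest and bare-major ~25
}
```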