From Infosec's review of the codebase:
ECLI-001
CI uses npm install instead of npm ci — Medium
Problem
Three bare npm install calls in CI workflows should be npm ci so that the lockfile is actually enforced:
.github/workflows/ci.yml:32 (test-node install step)
.github/workflows/ci.yml:44 (license-header install step)
.github/workflows/release.yml:45 (release publish step; highest priority)
npm install treats package-lock.json as advisory: when package.json and the lockfile disagree, it resolves the newest versions satisfying each ^-range and silently rewrites the lockfile, so the job gets whatever the registry served that day. npm ci installs exactly what the lockfile records, never writes to it, and fails if the lockfile is missing or out of sync with package.json, which turns drift into a visible CI failure instead of a silent change.
Fix
Swap all three run: npm install lines to run: npm ci. Prioritize release.yml:45 — a non-reproducible install in the publish path is the most consequential of the three. Expect npm ci to fail on branches where package.json was edited without regenerating package-lock.json; that failure is the control working, and the remedy is to commit an updated lockfile rather than to fall back to npm install.
Risk
Medium. The release occurrence is the most consequential — npm install in the publish path can resolve a transitive dependency version that nobody reviewed (including a compromised release published after the lockfile was last updated) and ship it to the registry before the lockfile divergence is noticed. The two CI occurrences are lower stakes: a drifted install there affects test results and the license check, not the published artifact.
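As an added example (not part of the Infosec review or of the project's code), the following lint scans GitHub Actions workflow text for the pattern in this finding: a run: step whose shell invokes npm install or npm i with no package argument. It distinguishes that from npm ci and from deliberate tool installs such as npm install -g <tool>, and can rewrite the offending steps to npm ci so the pattern does not creep back in. The workflow text, job names and path it scans are constructed for illustration; the real locations are the three listed above.

```python
"""Lint GitHub Actions workflows for bare `npm install` in run: steps.

Added example, not code from the review or the project. It flags run: steps
that invoke `npm install` / `npm i` with no package spec (the pattern in
ECLI-001) and rewrites them to `npm ci`. SAMPLE_CI below is a constructed
workflow, not one of the repository's real files.
"""
import re
import shlex
from typing import Iterator, List, Tuple

# `run:` key on its own line, optionally as a list item (`- run:`).
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*?)\s*$")
# YAML block scalar indicators: `|`, `|-`, `>`, `>+`, ...
BLOCK_SCALAR = re.compile(r"^[|>][+-]?\d?$")
# Shell command separators; the capturing variant keeps them for re-joining.
SHELL_SEP = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
SHELL_SEP_CAPTURE = re.compile(r"(\s*(?:&&|\|\||;|\|)\s*)")
NPM_INSTALL = re.compile(r"\bnpm\s+(?:install|i)(?![\w-])")


def iter_run_commands(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, shell_line) for every line of shell in run: steps.

    Handles both `run: <one-liner>` and `run: |` block scalars, whose body is
    the following lines indented deeper than the `run:` line itself.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2)
        if BLOCK_SCALAR.match(value):
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                if lines[i].strip():
                    yield i + 1, lines[i].strip()
                i += 1
        else:
            yield i + 1, value
            i += 1


def is_bare_install(command: str) -> bool:
    """True if any command on the line is `npm install`/`npm i` with no package spec.

    Only flags (tokens starting with '-') may follow the subcommand; a package
    name such as `npm install -g some-tool` is a deliberate add and is left alone.
    """
    for piece in SHELL_SEP.split(command):
        try:
            tokens = shlex.split(piece, comments=True)
        except ValueError:  # unbalanced quotes: fall back to a naive split
            tokens = piece.split()
        if "npm" not in tokens:
            continue
        k = tokens.index("npm")  # tolerate prefixes such as `sudo npm install`
        if k + 1 < len(tokens) and tokens[k + 1] in ("install", "i"):
            if all(t.startswith("-") for t in tokens[k + 2:]):
                return True
    return False


def find_bare_installs(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, shell_line) for every offending run: line."""
    return [(path, n, cmd) for n, cmd in iter_run_commands(text) if is_bare_install(cmd)]


def rewrite_to_ci(command: str) -> str:
    """Swap each bare `npm install`/`npm i` on the line for `npm ci`, keeping flags
    and untouched commands (including deliberate `npm install <pkg>` adds)."""
    parts = SHELL_SEP_CAPTURE.split(command)  # commands at even indexes, separators at odd
    for k in range(0, len(parts), 2):
        if is_bare_install(parts[k]):
            parts[k] = NPM_INSTALL.sub("npm ci", parts[k], count=1)
    return "".join(parts)


def fix_workflow(text: str) -> str:
    """Return the workflow text with every bare install rewritten to `npm ci`."""
    lines = text.splitlines(keepends=True)
    for n, cmd in iter_run_commands(text):
        if is_bare_install(cmd):
            lines[n - 1] = lines[n - 1].replace(cmd, rewrite_to_ci(cmd))
    return "".join(lines)


# Constructed sample workflow: two bare installs (lines 6 and 11), one
# deliberate global tool install that must not be flagged, one correct `npm ci`.
SAMPLE_CI = """\
name: ci
jobs:
  test-node:
    steps:
      - uses: actions/checkout@v4
      - run: npm install
      - run: npm test
  license-header:
    steps:
      - run: |
          npm install --no-audit
          npm run license-check
      - run: npm install -g license-check-cli   # installs a tool, not the lockfile
      - run: npm ci && npm run build
"""

if __name__ == "__main__":
    for path, line, cmd in find_bare_installs(".github/workflows/ci.yml", SAMPLE_CI):
        print(f"{path}:{line}: bare install: {cmd!r} -> {rewrite_to_ci(cmd)!r}")
```

Run it against the real workflow directory with a glob over .github/workflows/*.yml and a non-zero exit when find_bare_installs returns anything, and the check becomes a CI gate in its own right. Review flags carried over by rewrite_to_ci: npm ci accepts --no-audit and similar options, but install-only flags such as --save-dev have no meaning for it and should be dropped.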