
ci: pin @electron/lint-roller via yarn.lock #614

Merged
codebytere merged 1 commit into main from sam/pin-lint-roller-via-lockfile
Mar 31, 2026

Conversation

@MarshallOfSound
Member

Replaces the npm init --yes + npm install + npx dance with the standard electron org yarn setup (vendored .yarn/releases/yarn-4.10.3.cjs, yarn.lock, --immutable install).

The previous approach:

- run: npm init --yes
- run: npm install --save-dev @electron/lint-roller@^2.1.0
- run: npx electron-markdownlint "**/*.md"
- run: npx lint-roller-markdown-links ...

No lockfile — ^2.1.0 resolves fresh every run. And electron-markdownlint / lint-roller-markdown-links are bin names exposed by @electron/lint-roller, not package names. Both are currently 404 on npm — but if someone registered them, and the install step ever failed (or lint-roller renamed a bin in a minor bump), npx falls through to fetching the attacker's package with GITHUB_TOKEN in env.

Now:

- run: yarn install --immutable
- run: yarn electron-markdownlint "**/*.md"

yarn <bin> fails closed if the bin isn't in node_modules/.bin. Same lint-roller ^2.1.0 constraint (resolved to 2.4.0 in the lockfile) so lint behavior is unchanged.

.yarnrc.yml matches the rest of the org (enableScripts: false, npmMinimalAgeGate: 10080, @electron/* preapproved).

Replaces the npm init --yes + npm install + npx dance with the
standard electron org yarn setup (vendored .yarn/releases,
yarn.lock, --immutable install).

The previous approach npm-installed @electron/lint-roller@^2.1.0
fresh on every run (no lockfile), then called npx with bin names
(electron-markdownlint, lint-roller-markdown-links). Those bin
names don't exist as npm packages today — but if someone
registered them, and the install step ever failed or lint-roller
renamed a bin in a minor bump, npx would fall through to fetching
the attacker's package.

yarn <bin> fails closed if the bin isn't in node_modules/.bin.
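As an added example, not code from the PR or from the electron project: a small shell helper that reproduces the fail-closed behaviour the description attributes to `yarn <bin>`, plus an audit that lists the `npx <name>` steps in a workflow file whose name is not a bin that the lockfile-driven install actually placed in `node_modules/.bin`. The function names (`local_bin_path`, `run_local_bin`, `audit_npx_steps`) and the workflow layout it expects are assumptions for illustration; the point it demonstrates is that resolution stops at the project's own `node_modules/.bin` and never falls through to a registry lookup by bin name.

```bash
#!/usr/bin/env bash
# Fail-closed alternative to `npx <bin>` in CI (hypothetical helper, not
# from the PR). `npx foo` will fetch a registry package literally named
# "foo" when no local bin called foo exists; these functions refuse instead.

# Print the path of a bin installed under <root>/node_modules/.bin, or fail.
# $1 = bin name, $2 = project root (default: current directory)
local_bin_path() {
  local name="$1" root="${2:-.}"
  # Bin names never contain a path separator or start with a dot; reject
  # anything that does so "../../usr/bin/sh" cannot escape the directory.
  case "$name" in
    */*|.*|"") echo "refusing bin name: '$name'" >&2; return 1 ;;
  esac
  local bin="$root/node_modules/.bin/$name"
  if [ ! -x "$bin" ]; then
    echo "refusing: $name is not installed under $root/node_modules/.bin (no registry fallback)" >&2
    return 1
  fi
  printf '%s\n' "$bin"
}

# Run a locally installed bin with arguments. Consults neither PATH nor the
# registry: if the install step failed or the bin was renamed, this fails.
run_local_bin() {
  local bin
  bin="$(local_bin_path "$1")" || return 1
  shift
  "$bin" "$@"
}

# List every `npx <name>` invocation in a workflow file whose <name> is not
# a bin in <root>/node_modules/.bin. Each line printed is a step that would
# fall through to a registry fetch if the local install were incomplete.
# $1 = workflow YAML file, $2 = project root (default: current directory)
audit_npx_steps() {
  local wf="$1" root="${2:-.}" name
  grep -oE 'npx +[A-Za-z0-9@._/-]+' "$wf" | awk '{print $2}' | sort -u |
  while read -r name; do
    if [ ! -x "$root/node_modules/.bin/$name" ]; then
      printf '%s\n' "$name"
    fi
  done
}
```

Running `audit_npx_steps .github/workflows/lint.yml` against a checkout after `yarn install --immutable` gives the list of names an attacker could register on npm to hijack the step; an empty result means every `npx` call resolves locally. The check is only as good as the install it runs after, which is why the lockfile and `--immutable` matter as much as the bin resolution.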

socket-security Bot commented Mar 31, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff  | Package                     | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|-------|-----------------------------|-----------------------|---------------|---------|-------------|---------|
| Added | @electron/lint-roller@2.4.0 | 87                    | 100           | 89      | 86          | 100     |

View full report


socket-security Bot commented Mar 31, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • @dsanders11/vscode-markdown-languageservice@0.3.0
  • @electron/lint-roller@2.4.0
  • ajv@8.18.0
  • ajv@6.14.0
  • balanced-match@2.0.0
  • balanced-match@1.0.2
  • @eslint-community/eslint-utils@4.9.1
  • @eslint-community/regexpp@4.12.2
  • @eslint/eslintrc@2.1.4
  • @eslint/js@8.57.1
  • @humanwhocodes/config-array@0.13.0
  • @humanwhocodes/module-importer@1.0.1
  • @humanwhocodes/object-schema@2.0.3
  • @isaacs/cliui@8.0.2
  • @nodelib/fs.scandir@2.1.5
  • @nodelib/fs.stat@2.0.5
  • @nodelib/fs.walk@1.2.8
  • @pkgjs/parseargs@0.11.0
  • @rtsao/scc@1.1.0
  • @types/debug@4.1.13
  • @types/hast@3.0.4
  • @types/json5@0.0.29
  • @types/mdast@3.0.15
  • @types/unist@2.0.11
  • @types/unist@3.0.3
  • @types/ms@2.1.0
  • @ungap/structured-clone@1.3.0
  • @vscode/l10n@0.0.10
  • acorn@8.16.0
  • acorn-jsx@5.3.2
  • json-schema-traverse@0.4.1
  • json-schema-traverse@1.0.0
  • ansi-regex@6.2.2
  • ansi-regex@5.0.1
  • ansi-styles@6.2.3
  • ansi-styles@4.3.0
  • argparse@2.0.1
  • array-buffer-byte-length@1.0.2
  • array-includes@3.1.9
  • array.prototype.findlast@1.2.5
  • array.prototype.findlastindex@1.2.6
  • array.prototype.flat@1.3.3
  • array.prototype.flatmap@1.3.3
  • array.prototype.tosorted@1.1.4
  • arraybuffer.prototype.slice@1.0.4
  • async-function@1.0.0
  • async-generator-function@1.0.0
  • available-typed-arrays@1.0.7
  • brace-expansion@2.0.2
  • brace-expansion@1.1.12
  • builtins@5.1.0
  • semver@7.7.4
  • semver@6.3.1
  • call-bind@1.0.8
  • call-bind-apply-helpers@1.0.2
  • call-bound@1.0.4
  • callsites@3.1.0
  • chalk@4.1.2
  • character-entities@2.0.2
  • color-convert@2.0.1
  • color-name@1.1.4
  • comma-separated-tokens@2.0.3
  • commander@12.0.0
  • concat-map@0.0.1
  • cross-spawn@7.0.6
  • data-view-buffer@1.0.2
  • data-view-byte-length@1.0.2
  • data-view-byte-offset@1.0.1
  • debug@4.4.3
  • debug@3.2.7
  • decode-named-character-reference@1.3.0
  • deep-extend@0.6.0
  • deep-is@0.1.4
  • define-data-property@1.1.4
  • define-properties@1.2.1
  • dequal@2.0.3
  • devlop@1.1.0
  • diff@5.2.2
  • doctrine@2.1.0
  • doctrine@3.0.0
  • dunder-proto@1.0.1
  • eastasianwidth@0.2.0
  • emoji-regex@9.2.2
  • entities@6.0.1
  • entities@3.0.1
  • entities@4.5.0
  • error-ex@1.3.4
  • es-abstract@1.24.1
  • es-define-property@1.0.1
  • es-errors@1.3.0
  • es-iterator-helpers@1.3.1
  • es-object-atoms@1.1.1
  • es-set-tostringtag@2.1.0
  • es-shim-unscopables@1.1.0
  • es-to-primitive@1.3.0
  • escape-string-regexp@4.0.0
  • eslint@8.57.1
  • eslint-config-standard@17.1.0
  • eslint-config-standard-jsx@11.0.0
  • eslint-import-resolver-node@0.3.9
  • eslint-module-utils@2.12.1
  • eslint-plugin-es@4.1.0
  • eslint-plugin-import@2.32.0
  • eslint-plugin-n@15.7.0
  • eslint-utils@3.0.0
  • eslint-utils@2.1.0
  • eslint-visitor-keys@2.1.0
  • eslint-visitor-keys@1.3.0
  • eslint-visitor-keys@3.4.3
  • eslint-plugin-promise@6.6.0
  • eslint-plugin-react@7.37.5
  • resolve@2.0.0-next.6
  • resolve@1.22.11
  • eslint-scope@7.2.2
  • strip-ansi@6.0.1
  • strip-ansi@7.2.0
  • espree@9.6.1
  • esquery@1.7.0
  • esrecurse@4.3.0
  • estraverse@5.3.0
  • esutils@2.0.3
  • fast-deep-equal@3.1.3
  • fast-json-stable-stringify@2.1.0
  • fast-levenshtein@2.0.6
  • fast-uri@3.1.0
  • fastq@1.20.1
  • file-entry-cache@6.0.1
  • find-up@5.0.0
  • find-up@3.0.0
  • flat-cache@3.2.0
  • glob@7.2.3
  • glob@8.1.0
  • glob@10.3.16
  • glob@9.3.5
  • rimraf@3.0.2
  • rimraf@4.4.1
  • flatted@3.4.2
  • for-each@0.3.5
  • foreground-child@3.3.1
  • fs.realpath@1.0.0
  • function-bind@1.1.2
  • function.prototype.name@1.1.8
  • functions-have-names@1.2.3
  • generator-function@2.0.1
  • get-intrinsic@1.3.1
  • get-proto@1.0.1
  • get-stdin@9.0.0
  • get-stdin@8.0.0
  • get-symbol-description@1.1.0
  • glob-parent@6.0.2
  • minimatch@5.1.9
  • minimatch@9.0.9
  • minimatch@3.1.5
  • minimatch@8.0.7
  • globals@13.24.0
  • globalthis@1.0.4
  • gopd@1.2.0
  • graceful-fs@4.2.11
  • graphemer@1.4.0
  • has-bigints@1.1.0
  • has-flag@4.0.0
  • has-property-descriptors@1.0.2
  • has-proto@1.2.0
  • has-symbols@1.1.0
  • has-tostringtag@1.0.2
  • hasown@2.0.2
  • hast-util-from-html@2.0.3
  • hast-util-from-parse5@8.0.3
  • hast-util-parse-selector@4.0.0
  • hastscript@9.0.1
  • ignore@5.3.2
  • import-fresh@3.3.1
  • imurmurhash@0.1.4
  • inflight@1.0.6
  • inherits@2.0.4
  • ini@4.1.3
  • internal-slot@1.1.0
  • is-array-buffer@3.0.5
  • is-arrayish@0.2.1
  • is-async-function@2.1.1
  • is-bigint@1.1.0
  • is-boolean-object@1.2.2
  • is-callable@1.2.7
  • is-core-module@2.16.1
  • is-data-view@1.0.2
  • is-date-object@1.1.0
  • is-extglob@2.1.1
  • is-finalizationregistry@1.1.1
  • is-generator-function@1.1.2
  • is-glob@4.0.3
  • is-map@2.0.3
  • is-negative-zero@2.0.3
  • is-number-object@1.1.1
  • is-path-inside@3.0.3
  • is-regex@1.2.1
  • is-set@2.0.3
  • is-shared-array-buffer@1.0.4
  • is-string@1.1.1
  • is-symbol@1.1.1
  • is-typed-array@1.1.15
  • is-weakmap@2.0.2
  • is-weakref@1.1.1
  • is-weakset@2.0.4
  • isarray@2.0.5
  • isexe@2.0.0
  • iterator.prototype@1.1.5
  • jackspeak@3.4.3
  • js-tokens@4.0.0
  • js-yaml@4.1.1
  • json-buffer@3.0.1
  • json-parse-better-errors@1.0.2
  • json-stable-stringify-without-jsonify@1.0.1
  • json5@1.0.2
  • jsonc-parser@3.2.1
  • jsonpointer@5.0.1
  • jsx-ast-utils@3.3.5
  • keyv@4.5.4
  • kleur@4.1.5
  • levn@0.4.1
  • linkify-it@4.0.1
  • linkify-it@5.0.0
  • load-json-file@5.3.0
  • type-fest@0.3.1
  • type-fest@0.20.2
  • locate-path@6.0.0
  • locate-path@3.0.0
  • lodash.merge@4.6.2
  • loose-envify@1.4.0
  • lru-cache@10.4.3
  • markdown-it@13.0.2
  • markdown-it@14.1.0
  • markdownlint@0.34.0
  • markdownlint-cli@0.40.0
  • markdownlint-micromark@0.1.9
  • mdurl@2.0.0
  • mdurl@1.0.1
  • uc.micro@2.1.0
  • uc.micro@1.0.6
  • math-intrinsics@1.1.0
  • mdast-util-from-markdown@1.3.1
  • unist-util-stringify-position@3.0.3
  • unist-util-stringify-position@4.0.0
  • mdast-util-to-string@3.2.0
  • micromark@3.2.0
  • micromark-core-commonmark@1.1.0
  • micromark-factory-destination@1.1.0
  • micromark-factory-label@1.1.0
  • micromark-factory-space@1.1.0
  • micromark-factory-title@1.1.0
  • micromark-factory-whitespace@1.1.0
  • micromark-util-character@1.2.0
  • micromark-util-chunked@1.1.0
  • micromark-util-classify-character@1.1.0
  • micromark-util-combine-extensions@1.1.0
  • micromark-util-decode-numeric-character-reference@1.1.0
  • micromark-util-decode-string@1.1.0
  • micromark-util-encode@1.1.0
  • micromark-util-html-tag-name@1.2.0
  • micromark-util-normalize-identifier@1.1.0
  • micromark-util-resolve-all@1.1.0
  • micromark-util-sanitize-uri@1.2.0
  • micromark-util-subtokenize@1.1.0
  • micromark-util-symbol@1.1.0
  • micromark-util-types@1.1.0
  • minimist@1.2.8
  • minipass@7.1.3
  • minipass@4.2.8
  • mri@1.2.0
  • ms@2.1.3
  • natural-compare@1.4.0
  • node-exports-info@1.6.0
  • object-assign@4.1.1
  • object-inspect@1.13.4
  • object-keys@1.1.1
  • object.assign@4.1.7
  • object.entries@1.1.9
  • object.fromentries@2.0.8
  • object.groupby@1.0.3
  • object.values@1.2.1
  • once@1.4.0
  • optionator@0.9.4
  • own-keys@1.0.1
  • p-limit@3.1.0
  • p-limit@2.3.0
  • p-locate@5.0.0
  • p-locate@3.0.0
  • p-try@2.2.0
  • parent-module@1.0.1
  • parse-json@4.0.0
  • parse5@7.3.0
  • path-exists@4.0.0
  • path-exists@3.0.0
  • path-is-absolute@1.0.1
  • path-key@3.1.1
  • path-parse@1.0.7
  • path-scurry@1.11.1
  • picomatch@2.3.2
  • pify@4.0.1
  • pkg-conf@3.1.0
  • possible-typed-array-names@1.1.0
  • prelude-ls@1.2.1
  • prop-types@15.8.1
  • property-information@7.1.0
  • punycode@2.3.1
  • punycode.js@2.3.1
  • queue-microtask@1.2.3
  • react-is@16.13.1
  • reflect.getprototypeof@1.0.10
  • regexp.prototype.flags@1.5.4
  • regexpp@3.2.0
  • require-from-string@2.0.2
  • resolve-from@4.0.0
  • reusify@1.1.0
  • run-con@1.3.2
  • run-parallel@1.2.0
  • sade@1.8.1
  • safe-array-concat@1.1.3
  • safe-push-apply@1.0.0
  • safe-regex-test@1.1.0
  • set-function-length@1.2.2
  • set-function-name@2.0.2
  • set-proto@1.0.0
  • shebang-command@2.0.0
  • shebang-regex@3.0.0
  • side-channel@1.1.0
  • side-channel-list@1.0.0
  • side-channel-map@1.0.1
  • side-channel-weakmap@1.0.2
  • signal-exit@4.1.0
  • space-separated-tokens@2.0.2
  • standard@17.1.2
  • standard-engine@15.1.0
  • stop-iteration-iterator@1.1.0
  • string-width@5.1.2
  • string.prototype.matchall@4.0.12
  • string.prototype.repeat@1.0.0
  • string.prototype.trim@1.2.10
  • string.prototype.trimend@1.0.9
  • string.prototype.trimstart@1.0.8
  • strip-bom@3.0.0
  • strip-json-comments@3.1.1
  • supports-color@7.2.0
  • supports-preserve-symlinks-flag@1.0.0
  • text-table@0.2.0
  • toml@3.0.0
  • tsconfig-paths@3.15.0
  • type-check@0.4.0
  • typed-array-buffer@1.0.3
  • typed-array-byte-length@1.0.3
  • typed-array-byte-offset@1.0.4
  • typed-array-length@1.0.7
  • unbox-primitive@1.1.0
  • unist-util-is@5.2.1
  • unist-util-visit@4.1.2
  • unist-util-visit-parents@5.1.3
  • uri-js@4.4.1
  • uvu@0.5.6
  • version-guard@1.1.3
  • vfile@6.0.3
  • vfile-location@5.0.3
  • vfile-message@4.0.3
  • vscode-jsonrpc@8.1.0
  • vscode-languageserver@8.1.0
  • vscode-languageserver-protocol@3.17.3
  • vscode-languageserver-types@3.17.3
  • vscode-languageserver-types@3.17.5
  • vscode-languageserver-textdocument@1.0.12
  • vscode-uri@3.1.0
  • web-namespaces@2.0.1
  • which@2.0.2
  • which-boxed-primitive@1.1.1
  • which-builtin-type@1.2.1
  • which-collection@1.0.2
  • which-typed-array@1.1.20
  • word-wrap@1.2.5
  • wrap-ansi@8.1.0
  • wrappy@1.0.2
  • xdg-basedir@4.0.0
  • yaml@2.8.3
  • yocto-queue@0.1.0

View full report

@MarshallOfSound
Member Author

@SocketSecurity ignore-all

@codebytere codebytere merged commit 06c5b2a into main Mar 31, 2026
3 checks passed
@codebytere codebytere deleted the sam/pin-lint-roller-via-lockfile branch March 31, 2026 07:47