From 45799998002fd360d68974ee9a5f97fcf3da081f Mon Sep 17 00:00:00 2001
From: Christian Oliff
Date: Mon, 15 Sep 2025 15:03:14 +0900
Subject: [PATCH] Dev Dependency Updates
---
 .cspell.json | 1 +
 .github/copilot-instructions.md | 7 +++++
 .github/workflows/codeql-analysis.yml | 6 ++--
 .github/workflows/ossf-scorecard.yml | 43 +++++++++++++++++++++++++++
 .github/workflows/publish.yml | 4 +--
 .github/workflows/super-linter.yml | 1 -
 htmlhint-server/package-lock.json | 10 +++---
 htmlhint-server/package.json | 2 +-
 htmlhint/package-lock.json | 10 +++---
 htmlhint/package.json | 4 +--
 package.json | 2 +-
 11 files changed, 70 insertions(+), 20 deletions(-)
 create mode 100644 .github/workflows/ossf-scorecard.yml
diff --git a/.cspell.json b/.cspell.json
index 64ab47b..728320f 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -10,6 +10,7 @@
 "htmlhintrc",
 "mylang",
 "nvmrc",
+ "ossf",
 "rollup",
 "ruleset",
 "sarif",
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index c3f5b0a..7180f6f 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -5,3 +5,10 @@
 - All code is formatted with Prettier.
 - All code and comments are in US English.
 - We use TypeScript v5.5.4.
+
+## GitHub Actions
+
+- The GitHub Actions workflows should be placed in the .github/workflows directory.
+- The workflows should be named .yml.
+- All GitHub Actions should be pinned versions to avoid breaking changes (SHA-1).
+- If using actions/checkout, it should have persist-credentials: false set.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index dc2e03f..4419613 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,7 +32,7 @@ jobs:
 persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+ uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
@@ -41,9 +41,9 @@ jobs:
 - test/*
 - name: Autobuild
- uses: github/codeql-action/autobuild@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+ uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+ uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
new file mode 100644
index 0000000..491409e
--- /dev/null
+++ b/.github/workflows/ossf-scorecard.yml
@@ -0,0 +1,43 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: "27 12 * * 2"
+ push:
+ branches: ["main"]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a2b8061..d25c074 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -28,12 +28,12 @@ jobs:
 - run: npm run package
 - name: Publish to Open VSX Registry
- uses: HaaLeo/publish-vscode-extension@v2
+ uses: HaaLeo/publish-vscode-extension@ca5561daa085dee804bf9f37fe0165785a9b14db # v2.0.0
 with:
 pat: ${{ secrets.OPEN_VSX_TOKEN }}
 - name: Publish to Visual Studio Marketplace
- uses: HaaLeo/publish-vscode-extension@v2
+ uses: HaaLeo/publish-vscode-extension@ca5561daa085dee804bf9f37fe0165785a9b14db # v2.0.0
 with:
 pat: ${{ secrets.VS_MARKETPLACE_TOKEN }}
 registryUrl: https://marketplace.visualstudio.com
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 9ead0fc..e2a275f 100644
--- a/.github/workflows/super-linter.yml
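Review bot: The `github.event_name == 'pull_request'` half of the job-level `if:` can never be true, because `on:` only declares `branch_protection_rule`, `schedule` and `push` to `main`; the dead arm suggests PR runs that do not exist, so either drop it (`if: github.event.repository.default_branch == github.ref_name`) or, if PR scans are really wanted, add the trigger and re-check `publish_results: true`, which I believe scorecard-action only honours on the default branch anyway. Note also that a job-level `permissions:` block fully replaces the top-level `read-all`, so this job runs with just `security-events: write` and `id-token: write`; that is sufficient for a public repository, but `contents: read` (and `actions: read` for the Scorecard action) would have to be added here if the repository ever goes private. A short comment above `permissions:` stating what each scope is for (`security-events: write` for the SARIF upload step, `id-token: write` for `publish_results`) would make that reviewable later.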
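Review bot: The `# v2.0.0` comment next to the new SHA on both `uses:` lines is unverified metadata — GitHub resolves only the SHA — so before merging confirm that `ca5561da…` is the commit `v2.0.0` points to (`git ls-remote https://github.com/HaaLeo/publish-vscode-extension refs/tags/v2.0.0`) and that the floating `v2` tag had not already advanced past 2.0.0, otherwise this pin is a silent downgrade of the publisher. The comment will also drift from the SHA over time unless Dependabot (`package-ecosystem: github-actions`) or Renovate is configured to bump SHA and comment together; that applies to every pinned action in this commit. The enclosing publish job, including its `permissions:`, starts outside this hunk, so I could not check its token scope; since these two steps only need the `OPEN_VSX_TOKEN` / `VS_MARKETPLACE_TOKEN` PATs, a job-level `permissions: contents: read` is worth confirming.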
+++ b/.github/workflows/super-linter.yml
@@ -36,7 +36,6 @@ jobs:
 SUPPRESS_POSSUM: true
 VALIDATE_ALL_CODEBASE: false
 VALIDATE_EDITORCONFIG: false
- VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
 VALIDATE_HTML: false
 VALIDATE_HTML_PRETTIER: false
 VALIDATE_JSCPD: false
diff --git a/htmlhint-server/package-lock.json b/htmlhint-server/package-lock.json
index 11df3f8..538f1c4 100644
--- a/htmlhint-server/package-lock.json
+++ b/htmlhint-server/package-lock.json
@@ -8,7 +8,7 @@
 "name": "htmlhint-server",
 "version": "1.0.0",
 "dependencies": {
- "htmlhint": "^1.6.3",
+ "htmlhint": "^1.7.0",
 "strip-json-comments": "3.1.1",
 "vscode-languageserver": "^9.0.1",
 "vscode-languageserver-textdocument": "^1.0.12",
@@ -168,9 +168,9 @@
 }
 },
 "node_modules/htmlhint": {
- "version": "1.6.3",
- "resolved": "https://registry.npmjs.org/htmlhint/-/htmlhint-1.6.3.tgz",
- "integrity": "sha512-AVmlXD75nRVcb+a+6PZxUgSFIR67KbzrwooCzyx0lV5A17EJioxtOUuM1k9z+xXjzhZt0z3vntcu5JPSH/XHxA==",
+ "version": "1.7.0",
+ "resolved": "https://registry.npmjs.org/htmlhint/-/htmlhint-1.7.0.tgz",
+ "integrity": "sha512-aD7ogqSPBMajoAiKhL+uVcNLxiDGm4gaMrrRuuDIz9s0RQI7tlnildASYRIwPJhZ6u/8k++ynyrGzPAQVoktzg==",
 "license": "MIT",
 "dependencies": {
 "async": "3.2.6",
@@ -186,7 +186,7 @@
 "htmlhint": "bin/htmlhint"
 },
 "engines": {
- "node": ">=20"
+ "node": ">=18"
 },
 "funding": {
 "type": "Open Collective",
diff --git a/htmlhint-server/package.json b/htmlhint-server/package.json
index a3960eb..ff94a65 100644
--- a/htmlhint-server/package.json
+++ b/htmlhint-server/package.json
@@ -8,7 +8,7 @@
 "watch": "tsc --watch -p ./src"
 },
 "dependencies": {
- "htmlhint": "^1.6.3",
+ "htmlhint": "^1.7.0",
 "strip-json-comments": "3.1.1",
 "vscode-languageserver": "^9.0.1",
 "vscode-languageserver-textdocument": "^1.0.12",
diff --git a/htmlhint/package-lock.json b/htmlhint/package-lock.json
index 79b8858..5f5c311 100644
--- a/htmlhint/package-lock.json
+++ b/htmlhint/package-lock.json
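Review bot: Removing `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false` enables zizmor only implicitly — super-linter treats every `VALIDATE_*` it does not see as `true` once any is `false` — and with `VALIDATE_ALL_CODEBASE: false` kept two lines above, zizmor will, as I understand super-linter's changed-files mode, audit only the workflow files a given push or PR touches, so the workflows already in `.github/workflows` get no baseline scan from this change. If a baseline is wanted, run once with `VALIDATE_ALL_CODEBASE: true` or add a scheduled run. Writing `VALIDATE_GITHUB_ACTIONS_ZIZMOR: true` explicitly is not an option, since super-linter errors when `VALIDATE_*` values are mixed, so a comment above these env entries such as `# VALIDATE_* keys not listed default to true; zizmor now audits .github/workflows` would record the intent. The `env:` block this hunk edits begins outside the hunk.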
@@ -18,7 +18,7 @@
 ],
 "license": "SEE LICENSE IN LICENSE.md",
 "dependencies": {
- "htmlhint": "1.6.3",
+ "htmlhint": "1.7.0",
 "ignore": "^7.0.5",
 "strip-json-comments": "3.1.1",
 "vscode-languageclient": "9.0.1",
@@ -413,9 +413,9 @@
 }
 },
 "node_modules/htmlhint": {
- "version": "1.6.3",
- "resolved": "https://registry.npmjs.org/htmlhint/-/htmlhint-1.6.3.tgz",
- "integrity": "sha512-AVmlXD75nRVcb+a+6PZxUgSFIR67KbzrwooCzyx0lV5A17EJioxtOUuM1k9z+xXjzhZt0z3vntcu5JPSH/XHxA==",
+ "version": "1.7.0",
+ "resolved": "https://registry.npmjs.org/htmlhint/-/htmlhint-1.7.0.tgz",
+ "integrity": "sha512-aD7ogqSPBMajoAiKhL+uVcNLxiDGm4gaMrrRuuDIz9s0RQI7tlnildASYRIwPJhZ6u/8k++ynyrGzPAQVoktzg==",
 "inBundle": true,
 "license": "MIT",
 "dependencies": {
@@ -432,7 +432,7 @@
 "htmlhint": "bin/htmlhint"
 },
 "engines": {
- "node": ">=20"
+ "node": ">=18"
 },
 "funding": {
 "type": "Open Collective",
diff --git a/htmlhint/package.json b/htmlhint/package.json
index 0a3d98e..57ffabd 100644
--- a/htmlhint/package.json
+++ b/htmlhint/package.json
@@ -87,7 +87,7 @@
 "vscode:prepublish": "npm run compile && npm run bundle-dependencies",
 "compile": "tsc -p ./",
 "watch": "tsc -watch -p ./",
- "bundle-dependencies": "npm install --no-package-lock --no-save --no-fund htmlhint@1.6.3 strip-json-comments@3.1.1 vscode-languageserver@9.0.1 vscode-languageserver-textdocument@1.0.12 vscode-uri@3.1.0 ignore@7.0.5",
+ "bundle-dependencies": "npm install --no-package-lock --no-save --no-fund htmlhint@1.7.0 strip-json-comments@3.1.1 vscode-languageserver@9.0.1 vscode-languageserver-textdocument@1.0.12 vscode-uri@3.1.0 ignore@7.0.5",
 "package": "vsce package"
 },
 "devDependencies": {
@@ -97,7 +97,7 @@
 "vscode-test": "^1.6.1"
 },
 "dependencies": {
- "htmlhint": "1.6.3",
+ "htmlhint": "1.7.0",
 "ignore": "^7.0.5",
 "strip-json-comments": "3.1.1",
 "vscode-languageclient": "9.0.1",
diff --git a/package.json b/package.json
index 8522acf..2d49422 100644
--- a/package.json
+++ b/package.json
@@ -49,6 +49,6 @@
 "node": ">= 22"
 },
 "volta": {
- "node": "22.16.0"
+ "node": "22.19.0"
 }
 }