feat(build): enable npm pinning enforcement in dependency scan#838
Merged
WilliamBerryiii merged 21 commits intomainfrom Mar 5, 2026
Merged
feat(build): enable npm pinning enforcement in dependency scan#838WilliamBerryiii merged 21 commits intomainfrom
WilliamBerryiii merged 21 commits intomainfrom
Conversation
added 2 commits
March 1, 2026 18:21
- add Get-WorkflowNpmCommandViolations with indentation-aware run-block parsing - add Test-NpmCommandLine and New-NpmCommandViolation helpers - add workflow-npm-commands to DependencyPatterns and default IncludeTypes - add Pester tests with fixture workflows for install and ci-only scenarios 🔒 - Generated by Copilot
- update dependency-types default to include npm and workflow-npm-commands 🔒 - Generated by Copilot
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #838 +/- ##
==========================================
+ Coverage 85.47% 85.88% +0.41%
==========================================
Files 27 27
Lines 5128 5152 +24
==========================================
+ Hits 4383 4425 +42
+ Misses 745 727 -18
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
- rewrite Get-FilesToScan with Get-ChildItem for cross-platform glob support - replace SHA-pinning with Test-NpmExactVersion for npm dependencies - fix SARIF line number computation and guard against Line=0 - add type-specific ExcludePatterns to skip node_modules and test fixtures - pin all caret-range versions in root and docusaurus package.json 🔧 - Generated by Copilot
- add pip ExcludePatterns for virtual env directories - replace single SARIF test with 8 focused integration tests - add dependency-pinning docs page with npm scope change rationale - update security README with dependency pinning reference 🔧 - Generated by Copilot
nguyena2
approved these changes
Mar 2, 2026
- resolve conflict in docs/docusaurus/package.json with exact-version pinning for new jest-axe packages - resolve conflict in docs/security/README.md retaining both dependency-pinning and sbom-verification rows 🔀 - Generated by Copilot
…d docs - rename ~30 'SHA pinning' references to 'dependency pinning' across 13 files - add workflow npm commands and shell downloads sections to dependency-pinning.md - add pip ExcludePatterns unit tests verifying virtual env directory exclusion 🔧 - Generated by Copilot
…riptions - expand Test-ShellDownloadSecurity from 2 to 12 tests across 4 contexts - add shell-downloads ExcludePatterns tests for Fixtures exclusion - broaden ViolationType descriptions to cover all dependency types - add secure-download.sh fixture for checksum verification tests 🧪 - Generated by Copilot
# feat(coding-standards): add Rust coding standards instructions Added **Rust coding standards** to the coding-standards collection, providing a comprehensive 689-line instructions file that GitHub Copilot applies automatically when editing `**/*.rs` files. > The Rust instructions follow the same prescriptive approach as the existing C#, Python, and Terraform instruction files — taking clear positions on crate choices and conventions rather than surveying alternatives. ## Description ### New Rust Instructions Introduced `.github/instructions/coding-standards/rust/rust.instructions.md` targeting the Rust 2021 edition. The file covers: - **Project structure** with standard crate layout and scaling guidance - **Cargo.toml conventions** including dependency management and release profile optimization - **Naming conventions** with a reference table mapping Rust idioms (PascalCase for types, snake_case for functions, kebab-case for crate names) - **Error handling** using `thiserror` for library error enums and `anyhow` restricted to application-level main/CLI - **Async patterns** with Tokio runtime selection, `tokio::select!`, `async-trait`, and `spawn_blocking` - **Observability** via the `tracing` crate with OpenTelemetry integration - **Serialization** patterns using serde derive macros - **Resilience** via `tokio_retry` with exponential backoff - **Testing conventions** including naming patterns, async test support, and fixture preferences - **Anti-patterns** to avoid, with an explicit list of common mistakes - A **complete working example** demonstrating all conventions in a `PollingService` ### Collection and Plugin Propagation Updated all collection manifests, plugin outputs, marketplace metadata, and README tables to register the new Rust instruction: - Added `rust` tag and instruction item to *coding-standards.collection.yml* and *hve-core-all.collection.yml* - Updated description strings from "bash, Bicep, C#, Python, and Terraform" to "bash, Bicep, C#, Python, Rust, and Terraform" across all touchpoints - Added symlinks in *plugins/coding-standards/instructions/* and *plugins/hve-core-all/instructions/* - Updated the Language and Technology table and directory tree in *.github/instructions/README.md* ### Example Fix Replaced an invalid `namespace example not applicable` line in the complete example section with a valid Rust comment. ## Related Issue(s) #801 ## Type of Change Select all that apply: **Code & Documentation:** * [ ] Bug fix (non-breaking change fixing an issue) * [x] New feature (non-breaking change adding functionality) * [ ] Breaking change (fix or feature causing existing functionality to change) * [x] Documentation update **Infrastructure & Configuration:** * [ ] GitHub Actions workflow * [ ] Linting configuration (markdown, PowerShell, etc.) * [ ] Security configuration * [ ] DevContainer configuration * [ ] Dependency update **AI Artifacts:** * [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback * [x] Copilot instructions (`.github/instructions/*.instructions.md`) * [ ] Copilot prompt (`.github/prompts/*.prompt.md`) * [ ] Copilot agent (`.github/agents/*.agent.md`) * [ ] Copilot skill (`.github/skills/*/SKILL.md`) > **Note for AI Artifact Contributors**: > > * **Agents**: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones. > * **Skills**: Must include both bash and PowerShell scripts. See [Skills](../docs/contributing/skills.md). > * **Model Versions**: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected. > * See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements). **Other:** * [ ] Script/automation (`.ps1`, `.sh`, `.py`) * [ ] Other (please describe): ## Sample Prompts (for AI Artifact Contributions) **User Request:** Ask Copilot to generate or edit Rust code in any `.rs` file. The instructions apply automatically via the `applyTo: '**/*.rs'` pattern. **Execution Flow:** 1. User opens or edits a `.rs` file 2. GitHub Copilot loads `rust.instructions.md` based on the glob match 3. Suggestions follow Rust 2021 edition conventions: `thiserror` error handling, `tracing` for observability, Tokio async patterns, and standard naming conventions **Output Artifacts:** Rust code suggestions that conform to the conventions defined in the instructions — proper error types, structured logging, async patterns, and test structure. **Success Indicators:** - Generated Rust code uses `thiserror` for error enums rather than manual `impl Display` - Logging uses `tracing` macros (`info!`, `error!`) rather than `println!` - Async code follows Tokio patterns with proper runtime selection - Test functions follow the `given_when_then` naming convention ## Testing - Ran `npm run plugin:generate` successfully — plugins regenerated with 0 markdown lint errors - Verified all collection manifests, plugin outputs, and README tables were updated consistently - Confirmed alphabetical ordering maintained across all description strings and tag lists - Identified and fixed an invalid line in the complete example section (non-compilable `namespace example not applicable` replaced with a valid Rust comment) - Manual testing of instruction application was not performed ## Checklist ### Required Checks * [x] Documentation is updated (if applicable) * [x] Files follow existing naming conventions * [x] Changes are backwards compatible (if applicable) * [ ] Tests added for new functionality (if applicable) ### AI Artifact Contributions <!-- If contributing an agent, prompt, instruction, or skill, complete these checks --> * [x] Used `/prompt-analyze` to review contribution * [x] Addressed all feedback from `prompt-builder` review * [x] Verified contribution follows common standards and type-specific requirements ### Required Automated Checks The following validation commands must pass before merging: * [x] Markdown linting: `npm run lint:md` * [x] Spell checking: `npm run spell-check` * [x] Frontmatter validation: `npm run lint:frontmatter` * [x] Skill structure validation: `npm run validate:skills` * [x] Link validation: `npm run lint:md-links` --------- Signed-off-by: Marcel Bindseil <marcelbindseil@gmail.com> Co-authored-by: Bill Berry <WilliamBerryiii@users.noreply.github.com> Co-authored-by: Bill Berry <wbery@microsoft.com> Co-authored-by: Jordan Knight <jakkaj@gmail.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Vaughan Knight <vaughan@vaughanknight.com> Co-authored-by: Bill Berry <wberry@microsoft.com>
- normalize Severity from 'warning' to 'Medium' in shell-download and npm functions - set ViolationType to 'Unpinned' in all violation-producing functions - add Severity and ViolationType assertions to existing tests 🔧 - Generated by Copilot
…m-pinning-enforcement
…rrors - remove duplicate 'workflow-npm-commands' key in scan type hash - remove unused $Recursive parameter from all functions - fix duplicate 'File Scope' heading in dependency-pinning.md - correct ms.topic frontmatter from 'conceptual' to 'concept' - fix Severity assertion from 'warning' to 'Medium' in tests 🔧 - Generated by Copilot
📝 - Generated by Copilot
…pell check words - remove Recursive parameter from dependency-pinning-scan workflow splat - add coreutils, dgst, pypackages, retargeted to cspell dictionary - exclude docs/docusaurus/build from spell check scope 🔧 - Generated by Copilot
- update is-network-error from 1.3.0 to 1.3.1 in package-lock.json 🔧 - Generated by Copilot
- revert job name to 'Validate SHA Pinning Compliance' to match branch protection rule 🔧 - Generated by Copilot
- broaden dependency-pinning-scan.yml description beyond GitHub Actions - update Test-DependencyPinning.ps1 checks to include npm exact versions 📝 - Generated by Copilot
📐 - Generated by Copilot
- resolve package.json conflict keeping exact-version pinning - include markdownlint-rule-search-replace from main 🔀 - Generated by Copilot
- replace em-dash characters in dependency-pinning.md - regenerate plugin README tables after merge with main 🔧 - Generated by Copilot
- resolve merge conflicts in generated plugin READMEs - regenerate plugins with updated collection manifests - format markdown tables 🔀 - Generated by Copilot
This was referenced Mar 5, 2026
This was referenced Mar 15, 2026
WilliamBerryiii
added a commit
that referenced
this pull request
Mar 20, 2026
🤖 I have created a release *beep* *boop* --- ## [3.2.0](hve-core-v3.1.46...hve-core-v3.2.0) (2026-03-20) ### ✨ Features * add -OutputPath parameter to Validate-MarkdownFrontmatter.ps1 ([#1134](#1134)) ([fdf1bcf](fdf1bcf)), closes [#1006](#1006) * add action version consistency scan workflow ([#1127](#1127)) ([4229df1](4229df1)) * **agent:** MVE Experiment Designer ([#976](#976)) ([70f86ca](70f86ca)) * **agents:** add ADO Backlog Manager orchestrator agent ([#800](#800)) ([fae3987](fae3987)) * **agents:** add meeting analyst agent for transcript analysis using work-iq ([#502](#502)) ([5345b5b](5345b5b)) * **agents:** add quick-reference line to RPI Phase 5 suggestions ([#897](#897)) ([9a90f39](9a90f39)) * **agents:** add RAI Planner, enhance SSSC Planner, and redesign Security Planner ([#979](#979)) ([06f826c](06f826c)) * **agents:** add symmetric cross-system handoff to GitHub Backlog Manager ([#952](#952)) ([ba34a35](ba34a35)) * **agents:** Functional Code Review Agent — pre-PR functional correctness reviewer ([#733](#733)) ([9cf63b7](9cf63b7)) * **build:** add Python extensions and uv 0.10.8 to devcontainer ([#920](#920)) ([9ca0579](9ca0579)) * **build:** add uv ecosystem to Dependabot configuration ([#913](#913)) ([2a4bd39](2a4bd39)) * **build:** enable npm pinning enforcement in dependency scan ([#838](#838)) ([4e9e31f](4e9e31f)) * **build:** migrate attestation actions to v4.1.0 and add SBOM verification docs ([#841](#841)) ([ca1e65b](ca1e65b)) * **collections:** add four new validator checks (orphan, duplicate, companion, coverage) ([#869](#869)) ([1a96b73](1a96b73)) * **devcontainer,security:** add enterprise artifact hub configuration ([#1032](#1032)) ([1d56d25](1d56d25)) * **docs:** add Rust coding standards and guidelines ([#809](#809)) ([d4c4899](d4c4899)) * **extension:** add Microsoft logo icon to VS Code Marketplace listings ([#906](#906)) ([82aca41](82aca41)) * **github:** add declarative label management ([#953](#953)) ([a1a6845](a1a6845)) * **instructions:** add ADO backlog shared infrastructure ([#786](#786)) ([1914078](1914078)) * **instructions:** add ADO backlog sprint planning and capacity tracking ([#788](#788)) ([d6fb77d](d6fb77d)) * **instructions:** add ADO triage workflow and prompt ([#787](#787)) ([cde0190](cde0190)) * **instructions:** add shared story quality conventions and sprint planning ([#803](#803)) ([a2f18e3](a2f18e3)) * **prompts:** add ADO discovery and work item prompts with agent routing ([#790](#790)) ([7e74523](7e74523)) * **prompts:** add security review prompts ([#1118](#1118)) ([ad30967](ad30967)) * **scripts:** add dynamic Python skill discovery for lint/test ([#957](#957)) ([0a90f57](0a90f57)) * **scripts:** add Get-StandardTimestamp utility to CIHelpers module ([#1126](#1126)) ([b273a4b](b273a4b)) * **scripts:** add Python copyright header validation ([#905](#905)) ([67df902](67df902)) * **scripts:** add Python skill support to Validate-SkillStructure ([#903](#903)) ([68479d9](68479d9)) * **scripts:** add workflow npm command scanning to dependency pinning ([#837](#837)) ([6b5ae06](6b5ae06)) * **security:** add basic security reviewer agent with owasp skills ([#1008](#1008)) ([cb1fd05](cb1fd05)) * **security:** add sigstore attestation bundles and fix component-detection action ([#1148](#1148)) ([f79c272](f79c272)) * **skills:** add Atheris fuzz harness with CI workflow integration ([#1102](#1102)) ([d337e1d](d337e1d)) * **skills:** add PowerPoint automation skill with YAML-driven deck generation ([#868](#868)) ([00465cd](00465cd)) * **skills:** convert hve-core-installer agent to self-contained skill ([#846](#846)) ([1d821fb](1d821fb)) * **skills:** enhance pr-reference skill with flexible filtering and base branch detection ([#1095](#1095)) ([26a32ea](26a32ea)) * **workflows:** add devcontainer infrastructure change log workflow ([#899](#899)) ([8aca446](8aca446)) * **workflows:** add milestone auto-close on stable and pre-release publishes ([#834](#834)) ([79362b1](79362b1)) * **workflows:** add ms.date documentation freshness checking ([#969](#969)) ([3ed441c](3ed441c)) * **workflows:** add Python linting CI workflow with Ruff ([#951](#951)) ([f89f0eb](f89f0eb)) * **workflows:** add Python testing CI workflow with pytest and Codecov ([#934](#934)) ([5e8306f](5e8306f)) * **workflows:** add uv and Python package sync to copilot-setup-steps ([#921](#921)) ([45d517d](45d517d)) ### 🐛 Bug Fixes * **build:** override Linguist vendored flag for Python skill files ([#1155](#1155)) ([0eee5b6](0eee5b6)) * **build:** override serialize-javascript to >=7.0.3 for RCE fix ([#876](#876)) ([e49039a](e49039a)) * **build:** resolve Pinned-Dependencies alerts for vsce npm commands in extension workflows ([#782](#782)) ([89dad9d](89dad9d)) * **build:** update undici and yauzl overrides for security audit ([#1030](#1030)) ([2c2f92f](2c2f92f)) * **docs:** add CLI Plugins to install.md navigation surfaces ([#902](#902)) ([79d6595](79d6595)) * **docs:** add sidebar ordering for Design Thinking documentation ([#832](#832)) ([551fddc](551fddc)), closes [#830](#830) * **docs:** graduate design-thinking to preview and correct stale collection references ([#831](#831)) ([5110e35](5110e35)) * **docs:** include project-planning in UX Designer install guidance ([#908](#908)) ([e7aa9bc](e7aa9bc)) * **docs:** remediate writing-style convention violations ([#865](#865)) ([68b04bc](68b04bc)) * **docs:** remove draft content announcement banner ([#825](#825)) ([b45de80](b45de80)) * **docs:** remove unbounded path-to-regexp override breaking SSG ([#1153](#1153)) ([d810018](d810018)) * **docs:** use actual clone paths instead of folder display names in multi-root workspace settings ([#984](#984)) ([5dbab82](5dbab82)) * **instructions:** replace black with ruff in uv-projects ([#898](#898)) ([b0c06d9](b0c06d9)) * **scripts:** cover .github/ skill files in copyright header validation ([#1055](#1055)) ([#1098](#1098)) ([27fbd33](27fbd33)) * **scripts:** eliminate phantom git changes from plugin generation ([#1035](#1035)) ([e49a1b5](e49a1b5)) * **scripts:** enable JSON log output for lint:version-consistency ([#1033](#1033)) ([52b0885](52b0885)) * **security:** calculate compliance score from total scanned dependencies ([#930](#930)) ([c112c3d](c112c3d)) * **skills:** add AST validation and namespace restriction for content-extra.py ([#1027](#1027)) ([c50c7a3](c50c7a3)) * **skills:** add depth limits to recursive PowerPoint processing functions ([#1028](#1028)) ([bf08994](bf08994)) * **skills:** harden XML parsing and blob writes in powerpoint extract ([#1053](#1053)) ([89d24b1](89d24b1)) * **skills:** resolve ruff lint and format violations in powerpoint skill ([#1048](#1048)) ([17bbe7a](17bbe7a)) * **workflows:** add uv.lock dependencies submission have fork-skip condition ([#1109](#1109)) ([dec56ac](dec56ac)) * **workflows:** automate weekly SHA staleness check with issue creation ([#975](#975)) ([1ea4caa](1ea4caa)) * **workflows:** close Codecov integration gaps for Pester and pytest flags ([#1106](#1106)) ([cca29b7](cca29b7)) * **workflows:** propagate uv sync errors in copilot-setup-steps ([#961](#961)) ([df88d7c](df88d7c)) * **workflows:** resolve release-please skip cascade and Python project discovery ([#1043](#1043)) ([79993e2](79993e2)) * **workflows:** scan only commit subjects for breaking change detection ([#1157](#1157)) ([a38a657](a38a657)) ### 📚 Documentation * clarify HVE Core Extension vs Installer messaging across documentation ([#965](#965)) ([0fceb8f](0fceb8f)) * **docs:** add ADO integration user documentation ([#935](#935)) ([ec89302](ec89302)) * **docs:** add Project Planning agent documentation ([#936](#936)) ([3a3a0fd](3a3a0fd)) * **onboarding:** overhaul marketplace onboarding and documentation site ([#982](#982)) ([4309e10](4309e10)) ### ♻️ Refactoring * **build:** merge code-review collection into coding-standards ([#863](#863)) ([8027e7b](8027e7b)) * **workflows:** rename release pipeline workflows and add marketplace automation triggers ([#829](#829)) ([b6397f4](b6397f4)) ### 🔧 Maintenance * **build:** add clean:logs npm script ([#1122](#1122)) ([f85fe02](f85fe02)), closes [#988](#988) * **build:** add JSON reporter for cspell ([#1123](#1123)) ([6d59f67](6d59f67)) * **ci:** add multi-arch support to copilot-setup-steps binary downloads ([#955](#955)) ([8d0c706](8d0c706)) * **deps-dev:** bump cspell from 9.6.4 to 9.7.0 in the npm-dependencies group ([#839](#839)) ([3fa16ff](3fa16ff)) * **deps:** bump actions/dependency-review-action from 4.8.3 to 4.9.0 in the github-actions group across 1 directory ([#942](#942)) ([1a9b858](1a9b858)) * **deps:** bump cairosvg from 2.8.2 to 2.9.0 in /.github/skills/experimental/powerpoint ([#1025](#1025)) ([f4deda7](f4deda7)) * **deps:** bump dompurify from 3.3.1 to 3.3.2 in /docs/docusaurus ([#924](#924)) ([d2060d6](d2060d6)) * **deps:** bump svgo from 3.3.2 to 3.3.3 in /docs/docusaurus ([#880](#880)) ([6dc2406](6dc2406)) * **deps:** bump the github-actions group across 1 directory with 4 updates ([#1100](#1100)) ([2290dc0](2290dc0)) * **deps:** bump the github-actions group with 6 updates ([#840](#840)) ([f57bc01](f57bc01)) * **docs:** correct New-MsDateReport table rendering and refresh stale docs ([#1114](#1114)) ([c2b806f](c2b806f)) * **settings:** remove orphaned Checkov config and stale gitignore entries ([#870](#870)) ([98fcd74](98fcd74)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com> Co-authored-by: Bill Berry <wberry@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Enabled npm pinning enforcement in the CI dependency-pinning scan workflow. Updated the workflow default to scan
github-actions,npm,workflow-npm-commands, activating automatic detection of unpinned npm commands in GitHub Actions workflowrun:blocks.Three PowerShell functions were added to Test-DependencyPinning.ps1:
Test-NpmCommandLine— regex-based detection of unpinned npm commands (npm install,npm i,npm update,npm install-test) while excluding safe variants (npm ci,npm run,npm test,npm audit)Get-WorkflowNpmCommandViolations— indentation-aware YAML parser that tracks nesting depth to confine detection to actual shell content and avoid flagging commentsNew-NpmCommandViolation— constructs violation objects with Medium severity and remediation guidancePester test coverage was added with fixture files for both safe and unsafe npm command patterns.
Scope Change: npm Exact-Version Enforcement
This PR introduces a strategic departure from SHA-pinning for npm dependencies. Unlike GitHub Actions (which use 40-character commit SHAs for immutable references), npm dependencies use exact-version enforcement (
X.Y.Zwith no^,~,*, or range operators).Rationale for exact-version enforcement over SHA-pinning:
npm auditrequires semver versionsThe validation regex enforces exact versions:
^\d+\.\d+\.\d+$— no ranges, no prefixes, no wildcards.Follow-Up Hardening (commit
b8bd099)Additional improvements shipped on this branch:
.venv,venv,.tox,.nox,__pypackages__) are now excluded from pip dependency scanning to avoid false positivesdocs/security/dependency-pinning.mdpage documenting all pinning strategies with rationale, validation rules, CI integration flowchart, and a dedicated comparison of SHA-pinning vs exact-version enforcement for npmRelated Issue(s)
Closes #526
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Testing
Validated with 100 Pester tests covering:
Checklist
Required Checks
Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run plugin:generateSecurity Considerations
Additional Notes
This PR enforces npm dependency pinning using exact-version enforcement rather than SHA-pinning. The scanner uses regex-only analysis with no code execution, and
Test-Path -LiteralPathguards all file reads. Test count increased from 93 to 100 with comprehensive SARIF integration coverage.