Security measure: fail PR if a lock file was changed #1344
nick, looks good! ❤️
Updated permissions according to xalvarez/prevent-file-change-action#489. Ready for review.
for me it's good! ❤️
Your project => you merge 😄
take it 😂
You called for it hahaha
I don't quite understand why the merge run failed. Can you merge dev into any branch that has a PR, so we can check if those fail as well?
I'll merge #1350 in a few minutes
That worked. I guess that the action somehow has an issue when it is itself merged into a new branch.
There were quite a lot of PRs in the past, which shipped changed lock files.
Those were mostly introduced by inexperienced contributors, but considering the popularity of Tabler and the number of potential targets, this could be a real security risk:
https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
There is a simple way to prevent that, which I am using in all my projects: a workflow that checks the PR for changed lock files and fails directly if a changed lockfile was included. The only people allowed to push changes to those files are @codecalm and @dependabot (see e.g. #1296).
The used workflow is: https://github.com/xalvarez/prevent-file-change-action
What do you think @codecalm about the idea in general?
This PR is a draft for now, because I am not sure about the required token permissions. I posted a question in the action repo and will update the workflow file accordingly if there are more required.
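The PR above wires in the third-party xalvarez/prevent-file-change-action. The following is an added example, not the Tabler workflow and not that action's code: it implements the same policy as a plain POSIX shell step (fail when a lockfile is in the PR's changed paths and the author is not on an allow list), and adds a second gate for the attack the linked Snyk post describes, a lockfile entry whose `resolved` URL points at a tarball outside the npm registry. The lockfile names, the allow list (`codecalm` and `dependabot[bot]`, the login Dependabot PRs carry), the `check_pr`/`foreign_resolved` function names and the sample lockfile are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the Tabler workflow, which uses
# xalvarez/prevent-file-change-action): the same policy as a plain shell step.
# Usage inside a pull_request job, after actions/checkout with fetch-depth: 0
# so the base branch is available for a three-dot diff:
#   git diff --name-only "origin/$GITHUB_BASE_REF...HEAD" \
#     | check_pr "${{ github.event.pull_request.user.login }}"

# Dependency lockfiles; a PR touching any of these is rejected unless the
# author is on the allow list. (The set of names is an assumption.)
LOCKFILE_PATTERN='(^|/)(package-lock\.json|npm-shrinkwrap\.json|yarn\.lock|pnpm-lock\.yaml)$'

# Comma-separated allow list; the PR text names @codecalm and @dependabot.
# "dependabot[bot]" is the login Dependabot PRs carry.
TRUSTED_AUTHORS='codecalm,dependabot[bot]'

# changed_lockfiles: read changed paths on stdin, print those that are lockfiles.
changed_lockfiles() {
  grep -E "$LOCKFILE_PATTERN" || true
}

# is_trusted AUTHOR: exit 0 if AUTHOR appears in TRUSTED_AUTHORS.
# Quoting the author inside the case pattern keeps "[bot]" from acting as a glob.
is_trusted() {
  case ",$TRUSTED_AUTHORS," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# check_pr AUTHOR  (changed paths on stdin): exit 0 if the PR passes, 1 if a
# lockfile changed and AUTHOR is not trusted.
check_pr() {
  author=$1
  locks=$(changed_lockfiles)
  [ -z "$locks" ] && return 0
  is_trusted "$author" && return 0
  printf 'Lockfile changed by untrusted author %s:\n%s\n' "$author" "$locks" >&2
  return 1
}

# foreign_resolved LOCKFILE: print every "resolved" URL in an npm lockfile that
# does not point at the public registry. This is the vector from the linked
# Snyk post: a hard-to-review lockfile diff that swaps a package tarball URL
# for an attacker-controlled one. Worth running on trusted authors' PRs too.
foreign_resolved() {
  grep -oE '"resolved": *"[^"]+"' "$1" \
    | sed -E 's/"resolved": *"([^"]+)"/\1/' \
    | grep -vE '^https://registry\.npmjs\.org/' || true
}

# ---- constructed sample lockfile for a stand-alone run ----
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
{
  "packages": {
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://evil.example/lodash-4.17.21.tgz"
    }
  }
}
EOF

# Demo: an unknown author touching package-lock.json is rejected, codecalm is not.
if printf 'src/app.js\npackage-lock.json\n' | check_pr octocat 2>/dev/null; then
  echo "octocat's lockfile change: accepted"
else
  echo "octocat's lockfile change: rejected"
fi
if printf 'src/app.js\npackage-lock.json\n' | check_pr codecalm; then
  echo "codecalm's lockfile change: accepted"
fi
echo "resolved URLs outside the npm registry:"
foreign_resolved "$SAMPLE_LOCK"
```

The author comparison has to use the same value the workflow sees, `github.event.pull_request.user.login`, and the diff needs the base branch fetched (hence the `fetch-depth: 0` assumption). If the third-party action is kept instead of a script like this, pin it to a full commit SHA rather than a tag: a check meant to protect the dependency chain should not itself be a mutable dependency.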