
[npmCommand] npm install github:package.repo#sha is detected as non pinned dependency #4589

Open
@kuisathaverat

Description

@kuisathaverat

Describe the bug

The following step in a GitHub workflow is detected as a Warn: npmCommand not pinned by hash when it really is pinned.

```yaml
      - name: Install Dependencies
        run: |
          npm install github:nodeca/js-yaml#2cef47bebf60da141b78b085f3dea3b5733dcc12
```

Reproduction steps
Steps to reproduce the behavior:

  1. Create a workflow like the following

```yaml
name: test
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  process:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Install Dependencies
        run: |
          npm install github:nodeca/js-yaml#2cef47bebf60da141b78b085f3dea3b5733dcc12
```

  2. Run the command `scorecard --local=. --show-details --checks=Pinned-Dependencies`
  3. Check that the new workflow reports the Warning `npmCommand not pinned by hash`

Expected behavior

The command is detected as a pinned dependency

https://docs.npmjs.com/about-packages-and-modules#npm-package-git-url-formats

Additional context
Add any other context about the problem here.
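The distinction the report hinges on, as an added example that is not scorecard's own code: a small checker that walks the package specs on an `npm install` command line and treats a git spec (the `github:owner/repo#ref`, `owner/repo#ref` and `git+https://...#ref` forms from the linked npm docs) as hash-pinned only when `ref` is a full 40-hex commit SHA. Branch or tag refs and registry specs are reported as not hash-pinned. The function names, the `Result` type and the sample command lines are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fullShaRe matches a complete git commit SHA, the only ref that is immutable.
var fullShaRe = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)

// Result records the verdict for one package spec on the command line.
type Result struct {
	Spec   string
	Pinned bool
	Reason string
}

// isGitSpec reports whether spec uses one of npm's git / hosted-repo forms.
func isGitSpec(spec string) bool {
	for _, p := range []string{"github:", "gitlab:", "bitbucket:", "gist:", "git+", "git://", "ssh://"} {
		if strings.HasPrefix(spec, p) {
			return true
		}
	}
	// Bare owner/repo shorthand. Scoped registry packages start with "@",
	// tarball URLs contain "://", and local paths start with "." or "/".
	return !strings.HasPrefix(spec, "@") && !strings.HasPrefix(spec, ".") &&
		!strings.HasPrefix(spec, "/") && !strings.Contains(spec, "://") &&
		strings.Contains(spec, "/")
}

// ClassifySpec decides whether a single spec is pinned to a full commit SHA.
func ClassifySpec(spec string) Result {
	if isGitSpec(spec) {
		idx := strings.LastIndex(spec, "#")
		if idx < 0 {
			return Result{spec, false, "git spec has no ref (resolves to the default branch)"}
		}
		ref := spec[idx+1:]
		if fullShaRe.MatchString(ref) {
			return Result{spec, true, "git ref is a full commit SHA"}
		}
		return Result{spec, false, "git ref is a branch, tag, short SHA or semver range, not a full commit SHA"}
	}
	// Registry, tarball or local spec: no content hash on the command line itself;
	// integrity for these comes from a lockfile, not from the install argument.
	return Result{spec, false, "not a git spec with a commit SHA (no hash on the command line)"}
}

// CheckNpmInstall extracts the package specs from an `npm install` command line
// and classifies each one. Commands that are not `npm install` (for example
// `npm ci`) and bare `npm install` with no specs yield no results.
func CheckNpmInstall(cmd string) []Result {
	fields := strings.Fields(cmd)
	var out []Result
	if len(fields) < 2 || fields[0] != "npm" {
		return out
	}
	switch fields[1] {
	case "install", "i", "add":
	default:
		return out
	}
	for _, f := range fields[2:] {
		if strings.HasPrefix(f, "-") {
			continue // option such as --save-dev, not a package spec
		}
		out = append(out, ClassifySpec(f))
	}
	return out
}

func main() {
	// Constructed sample: the command from the issue plus two unpinned variants.
	for _, cmd := range []string{
		"npm install github:nodeca/js-yaml#2cef47bebf60da141b78b085f3dea3b5733dcc12",
		"npm install github:nodeca/js-yaml#main",
		"npm install --save-dev js-yaml",
	} {
		for _, r := range CheckNpmInstall(cmd) {
			fmt.Printf("%-75s pinned=%-5v %s\n", r.Spec, r.Pinned, r.Reason)
		}
	}
}
```

The checker deliberately ignores option flags and only looks at the `#ref` fragment of git specs, which is exactly the part the report says should make the step count as pinned; a short SHA or a tag name is rejected because both can be moved or rewritten.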
