security: fix vulnerable transitive npm dependencies #70
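# Sanity checks on the npm package lock file, run whenever the package
# manifest or lock file under npm/ changes. The checks are cheap and offline:
# they confirm the lock file is present, carries a numeric lockfileVersion,
# and names the same package as package.json. They do NOT show that the lock
# file is in sync with package.json or that the locked tree is free of
# vulnerable dependencies — see the NOTE(review) comments below.
name: Validate Package Lock File

on:
  pull_request:
    paths:
      - 'npm/package.json'
      - 'npm/package-lock.json'
  push:
    branches:
      - main
      - develop
    paths:
      - 'npm/package.json'
      - 'npm/package-lock.json'

# Least privilege: the job only reads the checked-out tree, so restrict the
# GITHUB_TOKEN to read-only rather than inheriting the repository default
# (which may grant write access to contents, packages, etc.).
permissions:
  contents: read

jobs:
  validate-lockfile:
    runs-on: ubuntu-latest
    # Bound the job so a hung step cannot hold a runner indefinitely.
    timeout-minutes: 5
    steps:
      - name: Checkout code
        # NOTE(review): a mutable tag can be re-pointed upstream; pin to a full
        # commit SHA (keeping the tag in a trailing comment) to harden against
        # action supply-chain tampering. Same applies to setup-node below.
        uses: actions/checkout@v4

      - name: Setup Node.js
        # NOTE(review): none of the steps below invoke node or npm (they only
        # use jq, which GitHub-hosted ubuntu runners ship), so this step is
        # currently unused. Node 18 is also end-of-life upstream; bump the
        # version if npm commands are added to this workflow.
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Validate lock file exists
        run: |
          cd npm
          if [ ! -f package-lock.json ]; then
            echo "❌ package-lock.json does not exist"
            exit 1
          fi
          echo "✅ package-lock.json exists"

      - name: Check lock file version
        # bash is required for the [[ =~ ]] test below; make that explicit
        # rather than relying on the runner default.
        shell: bash
        run: |
          cd npm
          # `// empty` yields "" for a missing or null field instead of the
          # string "null"; without it `[ "null" -lt 2 ]` fails the step with
          # an opaque "integer expression expected" error.
          LOCKFILE_VERSION=$(jq -r '.lockfileVersion // empty' package-lock.json)
          if ! [[ "$LOCKFILE_VERSION" =~ ^[0-9]+$ ]]; then
            echo "❌ package-lock.json has no numeric lockfileVersion (got '${LOCKFILE_VERSION:-<missing>}')"
            exit 1
          fi
          echo "Lock file version: $LOCKFILE_VERSION"
          # lockfileVersion 1 is the npm 6 format; v2/v3 carry the full
          # resolved tree that `npm ci` relies on. Warn only, do not fail.
          if [ "$LOCKFILE_VERSION" -lt 2 ]; then
            echo "⚠️ Consider upgrading lock file version to 3 (npm 7+)"
          fi
          echo "✅ Lock file version check passed"

      - name: Verify package names match
        run: |
          cd npm
          PKG_NAME=$(jq -r '.name' package.json)
          LOCK_NAME=$(jq -r '.name' package-lock.json)
          if [ "$PKG_NAME" != "$LOCK_NAME" ]; then
            echo "❌ Package names don't match: $PKG_NAME vs $LOCK_NAME"
            exit 1
          fi
          echo "✅ Package names match: $PKG_NAME"
          # NOTE(review): name equality does not prove the lock file is in
          # sync with package.json. A stronger check (needs registry access)
          # is `npm install --package-lock-only --ignore-scripts` followed by
          # `git diff --exit-code package-lock.json`; `npm audit --omit=dev`
          # would cover the vulnerable-dependency concern this PR addresses.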