* ci(skills): pin clawhub CLI by hash via committed lockfile
Scorecard flags the skill-release workflow's npm install of the clawhub
CLI (code-scanning alerts #25/#26): version pinning alone carries no
integrity guarantee. Install it with npm ci from a committed
package-lock.json instead, so every package (clawhub + 35 transitive
deps) is verified against its sha512 hash at install time.
The publish-payload patch step now resolves the module from the local
node_modules instead of npm root -g.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
* fix(skill-release): authenticate pinned clawhub install
---------
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
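As an added example (not code from these commits or from the project they touch), the check below is what a defender could run in the workflow before `npm ci`: it confirms that every non-root entry in the committed package-lock.json carries a well-formed sha512 integrity hash, which is the property the message relies on for tamper detection at install time. The lockfile content, the package names and the `weak_integrity_entries` function are constructed for illustration and are not part of the project.

```python
"""Pre-install lockfile integrity audit (added example, not project code).

npm ci only verifies a tarball when the lockfile entry has an `integrity`
field; an entry with a missing or sha1-only value is installed without a
sha512 check. This script lists such entries so CI can fail before install.
"""
import base64
import hashlib
import json
import re

# sha512 subresource-integrity value: "sha512-" + 88 chars of base64 (64 bytes).
_SHA512_SRI = re.compile(r"^sha512-([A-Za-z0-9+/]{86}==)$")


def weak_integrity_entries(lockfile_text: str) -> list:
    """Return node_modules paths whose integrity is absent or weaker than sha512.

    Supports lockfileVersion 2 and 3, which keep dependencies in "packages".
    Raises ValueError for a v1 lockfile, which has no "packages" map.
    """
    lock = json.loads(lockfile_text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("lockfile has no 'packages' map (lockfileVersion 1?)")

    offenders = []
    for path, meta in packages.items():
        if path == "":
            continue  # root project entry, no tarball to verify
        if meta.get("link"):
            continue  # workspace symlink, resolved locally
        match = _SHA512_SRI.match(meta.get("integrity", ""))
        if match is None:
            offenders.append(path)
            continue
        # Decode to be sure the value is a real 64-byte digest, not just the right shape.
        digest = base64.b64decode(match.group(1), validate=True)
        if len(digest) != 64:
            offenders.append(path)
    return offenders


# Constructed sample lockfile: one sound entry, one sha1-only, one with no hash.
_GOOD_HASH = base64.b64encode(hashlib.sha512(b"constructed tarball").digest()).decode()
SAMPLE_LOCKFILE = json.dumps({
    "name": "skill-release-tools",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "skill-release-tools"},
        "node_modules/example-cli": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/example-cli-1.0.0.tgz",
            "integrity": "sha512-" + _GOOD_HASH,
        },
        "node_modules/sha1-only": {
            "version": "2.0.0",
            "integrity": "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=",
        },
        "node_modules/no-integrity": {"version": "3.0.0"},
    },
})


if __name__ == "__main__":
    bad = weak_integrity_entries(SAMPLE_LOCKFILE)
    if bad:
        print("lockfile entries without sha512 integrity:", ", ".join(bad))
        raise SystemExit(1)
    print("all lockfile entries carry sha512 integrity")
```

In a workflow this would sit as a step immediately before `npm ci`, reading the committed package-lock.json from the checkout; a non-zero exit stops the install rather than letting an unhashed dependency through.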