clawsec/.github/clawhub-cli/package.json at 8a7242fa9c477282115d27de3fdac342a02d8eff - clawsec - Gitea: Git with a cup of tea

gnezim/clawsec

mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-16 23:11:20 +03:00

Files

T

davida-ps 4a4b547b92 ci(skills): pin clawhub CLI by hash via committed lockfile (#268 )

* ci(skills): pin clawhub CLI by hash via committed lockfile

Scorecard flags the skill-release workflow's npm install of the clawhub
CLI (code-scanning alerts #25/#26): version pinning alone carries no
integrity guarantee. Install it with npm ci from a committed
package-lock.json instead, so every package (clawhub + 35 transitive
deps) is verified against its sha512 hash at install time.

The publish-payload patch step now resolves the module from the local
node_modules instead of npm root -g.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(skill-release): authenticate pinned clawhub install

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

2026-06-15 18:12:36 +03:00

9 lines

304 B

JSON

Raw Blame History

 {
   "name": "clawhub-cli-pin",
   "private": true,
   "description": "Pins the clawhub CLI used by skill-release.yml; package-lock.json provides the integrity hashes. Bump the version here and regenerate the lockfile with: npm install --package-lock-only",
   "dependencies": {
     "clawhub": "0.7.0"
   }
 }