clawsec/.github/clawhub-cli/package.json at f76824bdb63806fc07915864b6aaafd73a9aa21f - clawsec - Gitea: Git with a cup of tea

gnezim/clawsec

mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-19 00:11:20 +03:00

Files

T

David Abutbul f76824bdb6 ci(skills): pin clawhub CLI by hash via committed lockfile

Scorecard flags the skill-release workflow's npm install of the clawhub
CLI (code-scanning alerts #25/#26): version pinning alone carries no
integrity guarantee. Install it with npm ci from a committed
package-lock.json instead, so every package (clawhub + 35 transitive
deps) is verified against its sha512 hash at install time.

The publish-payload patch step now resolves the module from the local
node_modules instead of npm root -g.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-11 14:39:56 +03:00

9 lines

304 B

JSON

Raw Blame History

 {
   "name": "clawhub-cli-pin",
   "private": true,
   "description": "Pins the clawhub CLI used by skill-release.yml; package-lock.json provides the integrity hashes. Bump the version here and regenerate the lockfile with: npm install --package-lock-only",
   "dependencies": {
     "clawhub": "0.7.0"
   }
 }