From 5c047313f7dd30be35b4bf173fba4db7fdea72ca Mon Sep 17 00:00:00 2001
From: atishj99
Date: Wed, 24 Jun 2026 17:09:35 +0530
Subject: [PATCH 1/5] added security best practises

---
 .npmrc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.npmrc b/.npmrc
index 3ca7a3df..453be701 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,2 +1,3 @@
 # Default registry for most packages
-registry=https://npm.echohq.com/
\ No newline at end of file
+registry=https://npm.echohq.com/
+ignore-scripts=true
\ No newline at end of file

From ae7338d47dce3a6ce4f53550764b8e009559c066 Mon Sep 17 00:00:00 2001
From: atishj99
Date: Thu, 25 Jun 2026 16:08:36 +0530
Subject: [PATCH 2/5] Vulnerability fixes

---
 package-lock.json | 111 ++++++++--------------------------------------
 package.json | 1 +
 2 files changed, 19 insertions(+), 93 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 72cfb575..3a02d20c 100644
--- a/package-lock.json
+++ b/package-lock.json
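Review bot: `ignore-scripts=true` in a committed .npmrc reaches further than third-party install hooks: npm also stops running this package's own `prepare`/`prepublishOnly` scripts and the pre/post hooks around `npm test`, `npm start` and `npm run`, so any workflow that relied on them now silently does nothing, and a native dependency that builds in `postinstall` would install broken until someone runs `npm rebuild` for it. That trade-off belongs in the file so it is not "fixed" away later: `# Supply-chain hardening: lifecycle scripts never run on install (this also skips our own pre/post hooks); rebuild native deps explicitly with npm rebuild <pkg>`. One thing to confirm while here: the lockfile hunks in the next commit resolve every tarball from packages.echohq.com/artifactory, while `registry` on the line above points at npm.echohq.com — npm by default only rewrites `resolved` hosts that match registry.npmjs.org, so if those two hosts are not the same mirror, `npm ci` will pull from the Artifactory host regardless of this setting.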
@@ -1943,36 +1943,6 @@ "url": "https://opencollective.com/eslint" } }, - "node_modules/@eslint/eslintrc/node_modules/argparse": { - "version": "2.0.1", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/argparse/-/argparse-2.0.1.tgz", - "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", - "dev": true, - "license": "Python-2.0" - }, - "node_modules/@eslint/eslintrc/node_modules/js-yaml": { - "version": "4.2.0", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/js-yaml/-/js-yaml-4.2.0.tgz", - "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/puzrin" - }, - { - "type": "github", - "url": "https://github.com/sponsors/nodeca" - } - ], - "license": "MIT", - "dependencies": { - "argparse": "^2.0.1" - }, - "bin": { - "js-yaml": "bin/js-yaml.js" - } - }, "node_modules/@eslint/js": { "version": "8.57.1", "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/@eslint/js/-/js-8.57.1.tgz", @@ -3065,14 +3035,11 @@ } }, "node_modules/argparse": { - "version": "1.0.10", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/argparse/-/argparse-1.0.10.tgz", - "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", + "version": "2.0.1", + "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/argparse/-/argparse-2.0.1.tgz", + "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", "dev": true, - "license": "MIT", - "dependencies": { - "sprintf-js": "~1.0.2" - } + "license": "Python-2.0" }, "node_modules/array-union": { "version": "2.1.0", 
@@ -4000,13 +3967,6 @@ "url": "https://opencollective.com/eslint" } }, - "node_modules/eslint/node_modules/argparse": { - "version": "2.0.1", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/argparse/-/argparse-2.0.1.tgz", - "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", - "dev": true, - "license": "Python-2.0" - }, "node_modules/eslint/node_modules/eslint-scope": { "version": "7.2.2", "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/eslint-scope/-/eslint-scope-7.2.2.tgz", @@ -4051,29 +4011,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/eslint/node_modules/js-yaml": { - "version": "4.2.0", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/js-yaml/-/js-yaml-4.2.0.tgz", - "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/puzrin" - }, - { - "type": "github", - "url": "https://github.com/sponsors/nodeca" - } - ], - "license": "MIT", - "dependencies": { - "argparse": "^2.0.1" - }, - "bin": { - "js-yaml": "bin/js-yaml.js" - } - }, "node_modules/eslint/node_modules/locate-path": { "version": "6.0.0", "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/locate-path/-/locate-path-6.0.0.tgz", 
@@ -4124,20 +4061,6 @@ "url": "https://opencollective.com/eslint" } }, - "node_modules/esprima": { - "version": "4.0.1", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/esprima/-/esprima-4.0.1.tgz", - "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", - "dev": true, - "license": "BSD-2-Clause", - "bin": { - "esparse": "bin/esparse.js", - "esvalidate": "bin/esvalidate.js" - }, - "engines": { - "node": ">=4" - } - }, "node_modules/esquery": { "version": "1.7.0", "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/esquery/-/esquery-1.7.0.tgz", @@ -6070,14 +5993,23 @@ "license": "MIT" }, "node_modules/js-yaml": { - "version": "3.14.2", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/js-yaml/-/js-yaml-3.14.2.tgz", - "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", + "version": "4.2.0", + "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { - "argparse": "^1.0.7", - "esprima": "^4.0.0" + "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" 
@@ -7325,13 +7257,6 @@ "source-map": "^0.6.0" } }, - "node_modules/sprintf-js": { - "version": "1.0.3", - "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/sprintf-js/-/sprintf-js-1.0.3.tgz", - "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", - "dev": true, - "license": "BSD-3-Clause" - }, "node_modules/stack-utils": { "version": "2.0.6", "resolved": "https://packages.echohq.com/artifactory/api/npm/npm/stack-utils/-/stack-utils-2.0.6.tgz", diff --git a/package.json b/package.json index bd1609e7..fc5fd259 100644 --- a/package.json +++ b/package.json @@ -58,6 +58,7 @@ "overrides": { "bluebird": "3.7.2", "flatted": "^3.4.2", + "js-yaml": "4.2.0", "lodash": "^4.18.0", "minimatch": "^3.1.2", "underscore": "^1.13.8", From 4e9f4fd93ff3a8fb59b82292788b8d4b147550fd Mon Sep 17 00:00:00 2001 From: atishj99 Date: Fri, 26 Jun 2026 10:56:10 +0530 Subject: [PATCH 3/5] updating .md files with npm ci --- CLAUDE.md | 2 +- README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 4a6858e3..6b57c996 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -188,7 +188,7 @@ CxWrapper (Main Entry Point) 2. **Install dependencies** ```bash - npm install + npm ci ``` 3. **Verify installation** diff --git a/README.md b/README.md index 81582890..0128156e 100644 --- a/README.md +++ b/README.md @@ -53,8 +53,8 @@ To be able to build the code you should have: ### Setting Up In your terminal, run: -``` -- npm install +```bash +npm ci ``` To run integrations tests, you need to set up environment variables: From 4a592555569dbf110656aa8eb8a3518dd5186f29 Mon Sep 17 00:00:00 2001 From: Aniket Shinde Date: Fri, 26 Jun 2026 12:36:57 +0530 Subject: [PATCH 4/5] Handle package files conditions. --- .github/workflows/ci.yml | 4 ++-- .github/workflows/release.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
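Review bot: The new `"js-yaml": "4.2.0"` line is an exact pin while the surrounding overrides (`flatted`, `lodash`, `minimatch`, `underscore`) use caret ranges, so every transitive consumer forced onto 4.x is now frozen at this patch level and the next js-yaml security release will need another manual edit; `"js-yaml": "^4.2.0"` keeps the major-version floor the fix needs without that cost. The override is also a major-version jump for whichever dev dependency resolved 3.14.2 in the old lockfile (its consumer is not visible in this diff): js-yaml 4 removed the `safeLoad`/`safeDump` entry points and the `!!js/function` support that the dropped `esprima` dependency provided, so that consumer should be checked for those calls before this is merged. The commit message says only "Vulnerability fixes" — naming the advisory (GHSA/CVE) in the message or PR description is what makes the pin auditable later.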
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67435878..91d4a439 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: with: node-version: 22.11.0 registry-url: https://npm.pkg.github.com/ - - run: npm ci + - run: npm ci --ignore-scripts - name: Run Unit Tests run: npm run test:unit @@ -27,7 +27,7 @@ jobs: with: node-version: 22.11.0 registry-url: https://npm.pkg.github.com/ - - run: npm ci + - run: npm ci --ignore-scripts - name: Code Linting run: npm run lint - run: npm run build --if-present diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2213fde5..4faf63c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -137,7 +137,7 @@ jobs: - name: NPM ci and build run: | - npm ci + npm ci --ignore-scripts npm run build - name: Create Pull Request From b4435a5213fccd52f2995c747deff9e980b0c35d Mon Sep 17 00:00:00 2001 From: Aniket Shinde Date: Fri, 26 Jun 2026 14:10:06 +0530 Subject: [PATCH 5/5] Handle package files conditions. --- .github/workflows/ci.yml | 20 ++++++++++++++++++++ .github/workflows/release.yml | 12 +++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 91d4a439..4f0b3348 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
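Review bot: `--ignore-scripts` here covers install time only, and in the release.yml hunk the very next line, `npm run build`, still executes dependency code; since the first commit of this series sets `ignore-scripts=true` in the committed .npmrc, that `npm run build` (and `npm run test:unit` / `npm run lint` in ci.yml) will additionally skip any `prebuild`/`pretest`/`prelint` hooks package.json defines — package.json's scripts are not in this diff, so confirm no job relies on one. The flag is redundant with the .npmrc setting but worth keeping as defence in depth; a comment above each call, `# install-time scripts are blocked here and in .npmrc; dependency code still runs in the build/test steps that follow`, would keep the next maintainer from removing one of the two. The jobs these steps belong to begin before the hunks.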
@@ -9,6 +9,16 @@ jobs:
 runs-on: cx-public-ubuntu-x64
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: Verify single lockfile (Step 0 - Supply Chain Policy)
+ run: |
+ if [ -f yarn.lock ] && [ -f package-lock.json ]; then
+ echo "❌ ERROR: Both yarn.lock and package-lock.json found. Policy requires exactly ONE package manager. Allowed: npm + package-lock.json OR Yarn + yarn.lock"
+ exit 1
+ fi
+ if [ ! -f yarn.lock ] && [ ! -f package-lock.json ]; then
+ echo "❌ ERROR: No lockfile found. Policy requires exactly ONE package manager lockfile. Required: npm + package-lock.json OR Yarn + yarn.lock"
+ exit 1
+ fi
 - name: Use Node.js 22.11.0
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
@@ -22,6 +32,16 @@ jobs:
 runs-on: cx-public-ubuntu-x64
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: Verify single lockfile (Step 0 - Supply Chain Policy)
+ run: |
+ if [ -f yarn.lock ] && [ -f package-lock.json ]; then
+ echo "❌ ERROR: Both yarn.lock and package-lock.json found. Policy requires exactly ONE package manager. Allowed: npm + package-lock.json OR Yarn + yarn.lock"
+ exit 1
+ fi
+ if [ ! -f yarn.lock ] && [ ! -f package-lock.json ]; then
+ echo "❌ ERROR: No lockfile found. Policy requires exactly ONE package manager lockfile. Required: npm + package-lock.json OR Yarn + yarn.lock"
+ exit 1
+ fi
 - name: Use Node.js 22.11.0
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4faf63c7..5eabbfd1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
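Review bot: The gate's message says Yarn + yarn.lock is an allowed configuration, but both jobs in this file then run `npm ci --ignore-scripts` unconditionally (visible in the previous commit's hunks), so a checkout carrying only yarn.lock passes this step and fails at install; in this workflow the only configuration that can actually build is npm + package-lock.json, and the check should say exactly that. The check also misses `npm-shrinkwrap.json`, which npm prefers over package-lock.json when both are present, and `pnpm-lock.yaml`, so either could be committed next to package-lock.json without tripping the policy. A tighter version requires package-lock.json and rejects every other lockfile; the identical block in the `lint` job below and in release.yml needs the same change, and a composite action would let all three share it. The `build` job's `steps:` list continues past the end of the hunk.
```yaml
      - name: Verify single lockfile (Step 0 - Supply Chain Policy)
        run: |
          # These jobs install with npm ci, so package-lock.json is the only lockfile that
          # can work here; any other lockfile means a second package manager crept in.
          if [ ! -f package-lock.json ]; then
            echo "❌ ERROR: package-lock.json not found. This workflow installs with npm ci and requires it."
            exit 1
          fi
          for other in npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
            if [ -f "$other" ]; then
              echo "❌ ERROR: $other found alongside package-lock.json. Policy requires exactly ONE package manager (npm)."
              exit 1
            fi
          done
```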
@@ -74,7 +74,17 @@ jobs: with: fetch-depth: 0 - - name: Git Configuration + - name: Verify single lockfile (Step 0 - Supply Chain Policy) + run: | + if [ -f yarn.lock ] && [ -f package-lock.json ]; then + echo "❌ ERROR: Both yarn.lock and package-lock.json found. Policy requires exactly ONE package manager. Allowed: npm + package-lock.json OR Yarn + yarn.lock" + exit 1 + fi + if [ ! -f yarn.lock ] && [ ! -f package-lock.json ]; then + echo "❌ ERROR: No lockfile found. Policy requires exactly ONE package manager lockfile. Required: npm + package-lock.json OR Yarn + yarn.lock" + exit 1 + fi + - name: Git Configuration run: | git config user.name github-actions git config user.email github-actions@github.com
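Review bot: The lockfile gate inserted here is now the third verbatim copy of the same ten-line block in this series (the two ci.yml jobs carry the others), so the policy lives in three places and will drift the first time one copy is tightened; moving it to a composite action such as `.github/actions/verify-lockfile/action.yml` and replacing each copy with `- uses: ./.github/actions/verify-lockfile` keeps it in one. The step should also say why it exists — "Step 0" on its own carries no rationale — e.g. a YAML comment above it: `# Supply-chain policy: a second package manager's lockfile is a second, unreviewed dependency resolution`. The job this hunk belongs to starts before the hunk.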