🐛 check for npm package git URLs
What kind of change does this PR introduce?
- [x] PR title follows the guidelines defined in our pull request documentation
What is the current behavior?
Currently, Scorecard only checks for `npm ci` to determine whether packages are pinned; however, users can also do that with other URL formats like these.
What is the new behavior (if this is a feature change)?
Scorecard supports git URLs for `npm install`.
- [x] Tests for the changes have been added (for bug fixes/features)
Which issue(s) this PR fixes
Fixes https://github.com/ossf/scorecard/issues/4589
Special notes for your reviewer
Does this PR introduce a user-facing change?
Support git URLs for calls to `npm install`.
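To make the pinning rule the PR describes concrete, here is an added example written by the editor; it is not Scorecard's own code and does not use the project's matcher. It classifies the package arguments of an `npm install` command line: `npm ci` counts as pinned because it installs what the lockfile records, a git URL counts as pinned only when its `#ref` is a full 40-hex commit hash, and everything else is reported as unpinned with a reason. The list of git specifier forms, the full-hash criterion, and the sample commands in `main` (org, package and hash are placeholders) are all the editor's assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict is the result of inspecting one dependency specifier.
type Verdict struct {
	Spec   string
	Pinned bool
	Reason string
}

// Only a full 40-hex commit hash is treated as an immutable pin; branches,
// tags and short hashes can move or become ambiguous (editor's assumption,
// mirroring the full-SHA rule Scorecard applies to GitHub Actions).
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Git dependency specifier forms npm accepts (editor's list, not Scorecard's matcher).
var gitURL = regexp.MustCompile(`^(git\+ssh://|git\+https?://|git://|https?://[^/]+/.+\.git$|github:|gitlab:|bitbucket:|gist:)`)

// Bare owner/repo shorthand, which npm resolves to GitHub; a leading "." or "/"
// would be a local path instead, so those are excluded.
var shorthand = regexp.MustCompile(`^[A-Za-z0-9_-][A-Za-z0-9_.-]*/[A-Za-z0-9_.-]+$`)

// ClassifyNpmInstall inspects one shell command line. It returns nil when the
// line is not an npm install/ci invocation, otherwise one Verdict per package
// argument (or a single Verdict for the lockfile / package.json case).
func ClassifyNpmInstall(cmd string) []Verdict {
	fields := strings.Fields(cmd)
	if len(fields) < 2 || fields[0] != "npm" {
		return nil
	}
	switch fields[1] {
	case "ci":
		return []Verdict{{Spec: "(package-lock.json)", Pinned: true,
			Reason: "npm ci installs exactly what the lockfile records"}}
	case "install", "i", "add":
		// fall out of the switch and inspect the package arguments
	default:
		return nil
	}
	var out []Verdict
	for _, arg := range fields[2:] {
		if strings.HasPrefix(arg, "-") {
			continue // flags such as --save-dev carry no package
		}
		out = append(out, classifySpec(arg))
	}
	if len(out) == 0 {
		out = append(out, Verdict{Spec: "(package.json)", Pinned: false,
			Reason: "bare npm install resolves semver ranges, not exact commits"})
	}
	return out
}

// classifySpec decides whether a single specifier is a git URL and, if so,
// whether its #ref is an immutable commit hash.
func classifySpec(spec string) Verdict {
	base, ref, hasRef := strings.Cut(spec, "#")
	if !gitURL.MatchString(base) && !shorthand.MatchString(base) {
		return Verdict{spec, false, "registry package, not a git URL"}
	}
	switch {
	case !hasRef || ref == "":
		return Verdict{spec, false, "git URL without #ref resolves to the default branch HEAD"}
	case strings.HasPrefix(ref, "semver:"):
		return Verdict{spec, false, "semver: ref selects the newest matching tag"}
	case fullSHA.MatchString(ref):
		return Verdict{spec, true, "git URL pinned to a full commit hash"}
	default:
		return Verdict{spec, false, "ref is a branch, tag or short hash and can move"}
	}
}

func main() {
	// Constructed sample commands; the org, package and hash are placeholders.
	for _, cmd := range []string{
		"npm ci",
		"npm install",
		"npm install git+https://github.com/example-org/example-pkg.git#1234567890abcdef1234567890abcdef12345678",
		"npm install github:example-org/example-pkg#main",
		"npm install --save-dev example-org/example-pkg#abcdef0",
		"npm install lodash",
	} {
		for _, v := range ClassifyNpmInstall(cmd) {
			fmt.Printf("%-6v %-60s %s\n", v.Pinned, v.Spec, v.Reason)
		}
	}
}
```

Short hashes are deliberately reported as unpinned: they are shorter than the immutable identifier and can become ambiguous as a repository grows, so a check that accepts them would be weaker than the full-SHA rule used elsewhere in Scorecard.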
Codecov Report
:x: Patch coverage is 78.57143% with 3 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 68.29%. Comparing base (353ed60) to head (fec2411).
:warning: Report is 210 commits behind head on main.
Additional details and impacted files
Coverage diff:

| | main | #4680 | +/- |
|---|---|---|---|
| Coverage | 66.80% | 68.29% | +1.48% |
| Files | 230 | 249 | +19 |
| Lines | 16602 | 18923 | +2321 |
| Hits | 11091 | 12923 | +1832 |
| Misses | 4808 | 5137 | +329 |
| Partials | 703 | 863 | +160 |
This pull request has been marked stale because it has been open for 10 days with no activity.
/scdiff generate Pinned-Dependencies