Supply chain improvements #209
Merged
Add the npm minimum release age policy, move CI and publish workflows to Node 26, pin third-party Actions to commit SHAs, switch npm publishing to OIDC provenance, and apply npm audit fixes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR hardens the project’s supply-chain posture by tightening dependency and release workflows: it updates lockfile transitive dependencies, pins GitHub Actions by commit SHA, moves CI/publish to Node 26, and switches npm publishing toward OIDC-based provenance.
Changes:
- Add an npm "minimum release age" policy via `.npmrc`.
- Update CI/publish workflows to Node 26 and pin referenced Actions to full commit SHAs.
- Refresh transitive dependencies in `package-lock.json` (via `npm audit fix`).
| File | Description |
|---|---|
| `package-lock.json` | Updates transitive dependency versions/integrity metadata. |
| `.nvmrc` | Aligns local dev Node version with CI/publish runtime. |
| `.npmrc` | Introduces an npm minimum release-age policy. |
| `.github/workflows/publish.yml` | Pins Actions, updates Node runtime, and removes token-based publish in favor of provenance/OIDC. |
| `.github/workflows/ci.yml` | Pins Actions and updates Node runtime for CI. |
| `.github/workflows/accessibility-alt-text-bot.yml` | Pins the third-party action to a full commit SHA. |
Copilot's findings
- Files reviewed: 5/6 changed files
- Comments generated: 1
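The Action-pinning change described in the overview, as an added example that is not part of the PR or the project's own code: a small Python check that flags every `uses:` reference in a workflow that is not pinned to a full 40-character commit SHA, so a reviewer can confirm a workflow file actually matches the policy. The workflow text below is a constructed sample (not this repository's `ci.yml`), and the check goes slightly beyond the PR by also skipping local (`./`) and `docker://` references, which are not resolved through a mutable git tag.

```python
import re

# Constructed sample workflow; mixes a tag-pinned action, a SHA-pinned action,
# a local action and a docker image. The SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.x (placeholder SHA)
        with:
          node-version-file: .nvmrc
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: npm ci
"""

# One `uses:` per line; stop at whitespace or a trailing `# comment`.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference) for each `uses:` not pinned to a 40-hex commit SHA.

    A tag or branch (`@v4`, `@main`) can be moved by the action's maintainer or by
    anyone who compromises that repository; a commit SHA cannot.
    """
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local path or container image: pinned by other means
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```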
manuelpuyol approved these changes (Jun 3, 2026)
lindseywild approved these changes (Jun 3, 2026)
smockle reviewed (Jun 3, 2026)
Co-authored-by: Clay Miller <clay@smockle.com>
smockle approved these changes (Jun 3, 2026)
Summary
- `.npmrc`
- `npm audit fix` updates to transitive lockfile entries.
Ecosystems detected
Recommendations applied
- `npm ci` is already used in CI and publish workflows.
- `.nvmrc` updated to match the Node 26 workflow runtime.
Not automatically applied
Human review notes
Validation
- `npm install`
- `npm ci`
- `npm test`
- `npm audit --audit-level=low`