Skip to content

ci: sync shrinkwrap for Dependabot#2976

Merged
rebeccahum merged 6 commits into
trunkfrom
codex/sync-shrinkwrap-dependabot
Jul 13, 2026
Merged

ci: sync shrinkwrap for Dependabot#2976
rebeccahum merged 6 commits into
trunkfrom
codex/sync-shrinkwrap-dependabot

Conversation

@rebeccahum

Copy link
Copy Markdown
Contributor

Description

This pull request introduces a new GitHub Actions workflow to automatically sync npm-shrinkwrap.json with package-lock.json on Dependabot PRs, and updates several dependencies and binary entries in npm-shrinkwrap.json. The workflow ensures consistency between lock files, while the dependency updates bring in the latest security and bug fixes.

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/sync-shrinkwrap.yml

PackageVersionLicenseIssue Type
actions/checkout7.*.*NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 7.*.* 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1020 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection🟢 6branch protection is not maximal on development and all release branches

Scanned Files

  • .github/workflows/sync-shrinkwrap.yml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds automation to keep npm-shrinkwrap.json aligned with package-lock.json on Dependabot PRs, and updates the shrinkwrap content accordingly so published installs remain consistent with CI.

Changes:

  • Introduces a GitHub Actions workflow that copies package-lock.json to npm-shrinkwrap.json and pushes the result back to Dependabot PR branches.
  • Updates npm-shrinkwrap.json to include new CLI bin entries and refreshed dependency resolutions (e.g., axios, ws, tar, form-data).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

File Description
npm-shrinkwrap.json Syncs lockfile content (bin entries + dependency resolution updates) to match current package-lock.json.
.github/workflows/sync-shrinkwrap.yml New workflow to auto-sync shrinkwrap on Dependabot PRs by committing/pushing the copied lockfile.
Files not reviewed (1)
  • npm-shrinkwrap.json: Generated file

Comment thread .github/workflows/sync-shrinkwrap.yml Outdated
Comment thread .github/workflows/sync-shrinkwrap.yml
Comment thread .github/workflows/sync-shrinkwrap.yml Outdated
rebeccahum and others added 2 commits July 13, 2026 14:10
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@rebeccahum rebeccahum requested a review from Copilot July 13, 2026 20:10
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sonarqubecloud

Copy link
Copy Markdown

Comment thread .github/workflows/sync-shrinkwrap.yml Fixed
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

Files not reviewed (1)
  • npm-shrinkwrap.json: Generated file

Comment thread .github/workflows/sync-shrinkwrap.yml
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@rebeccahum rebeccahum requested a review from Copilot July 13, 2026 20:14
@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

Files not reviewed (1)
  • npm-shrinkwrap.json: Generated file

@rebeccahum rebeccahum merged commit 540ba10 into trunk Jul 13, 2026
21 checks passed
@rebeccahum rebeccahum deleted the codex/sync-shrinkwrap-dependabot branch July 13, 2026 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants