
NPM security related fixes #24

Open

IanMadd wants to merge 1 commit into main from im/npm-fixes

Conversation

@IanMadd (Collaborator) commented Jun 11, 2026

Description

Version

These are changes for Chef Workstation versions:

Definition of done

Issues resolved

Related PRs

Checklist

  • spellcheck
  • use relref shortcode for links to Workstation docs in this doc set
  • all tests pass

Signed-off-by: Ian Maddaus <ian.maddaus@progress.com>
@IanMadd IanMadd requested a review from a team as a code owner June 11, 2026 18:22
netlify Bot commented Jun 11, 2026

Deploy Preview for chef-workstation-docs ready!

Latest commit: 23df4b6
Latest deploy log: https://app.netlify.com/projects/chef-workstation-docs/deploys/6a2afcfa27de460008385339
Deploy Preview: https://deploy-preview-24--chef-workstation-docs.netlify.app

Copilot AI left a comment


Pull request overview

This PR tightens Node.js dependency installation and update behavior to address npm/security concerns in the Chef Workstation docs build tooling (Netlify deploy scripts + local Make targets), and introduces dependency update policy configuration.

Changes:

  • Switches multiple build/deploy entrypoints from npm install to deterministic npm ci.
  • Updates Netlify’s Node runtime from 19 to 22.
  • Adds npm hardening config (.npmrc) and expands Dependabot configuration to include npm (plus new cooldown settings).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

File Description
scripts/netlify-deploy-production.sh Uses npm ci for deterministic production installs during Netlify builds.
scripts/netlify-deploy-preview.sh Uses npm ci for deterministic deploy-preview installs.
scripts/netlify-branch-deploy.sh Uses npm ci for deterministic branch-deploy installs.
scripts/local-server.sh Uses npm ci for deterministic local Netlify CLI dev installs.
netlify.toml Sets Netlify build Node version to 22.
Makefile Changes bundle target to use npm ci.
.npmrc Adds npm install hardening settings (release age gate, disable scripts, block git deps).
.github/dependabot.yml Adds npm updates configuration and cooldown settings.

Comment thread .github/dependabot.yml
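As an added example (not the PR's code; the PR's actual .npmrc contents are not shown on this page), here is a stand-alone Node.js script that applies the three install policies the review summary attributes to the new .npmrc to a lockfileVersion 3 package-lock.json: registry tarballs only (git sources rejected), packages with install scripts surfaced so they can be reviewed or skipped, and a minimum release age before a version may be installed. The lockfile, the package names, the publish times, the 7-day cooldown and the "now" timestamp are all constructed for the example; in real use the publish times come from the `time` map of `https://registry.npmjs.org/<name>`.

```javascript
'use strict';
// Added example, not code from the PR or the chef-workstation-docs project.
// Audits a package-lock.json (lockfileVersion 3) against three policies:
//   1. every dependency is a tarball from the public registry (no git deps),
//   2. packages with install scripts are reported (npm marks them with
//      hasInstallScript in the lockfile),
//   3. the pinned version is at least MIN_RELEASE_AGE_DAYS old (release age gate).
// Registry publish times are normally fetched from https://registry.npmjs.org/<name>
// ("time" field); here they are constructed inline so the script runs offline.

const MIN_RELEASE_AGE_DAYS = 7;               // assumed cooldown window
const REGISTRY_HOST = 'registry.npmjs.org';   // the only tarball source allowed
const NODE_MODULES = 'node_modules/';

// Constructed sample lockfile; the package names are hypothetical.
const lockfile = {
  name: 'docs-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'docs-site' },
    'node_modules/example-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/example-pad/-/example-pad-1.3.0.tgz',
    },
    'node_modules/example-bin': {
      version: '0.120.3',
      resolved: 'https://registry.npmjs.org/example-bin/-/example-bin-0.120.3.tgz',
      hasInstallScript: true,   // npm records this for packages with install hooks
    },
    'node_modules/example-tool': {
      version: '2.0.0',
      resolved: 'git+ssh://git@github.com/example/example-tool.git#0123abcd',
    },
  },
};

// Constructed publish times, shaped like the "time" map of registry metadata.
const registryTime = {
  'example-pad': { '1.3.0': '2026-01-15T10:00:00.000Z' },
  'example-bin': { '0.120.3': '2026-06-09T08:30:00.000Z' },
};

// Package name from a lockfile path: the text after the last "node_modules/",
// which keeps the scope for "@scope/name" and handles nested installs.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf(NODE_MODULES);
  return lockPath.slice(i + NODE_MODULES.length);
}

// Only an https tarball served by the registry host passes; git+ssh, http,
// file: and missing "resolved" fields all fail.
function isRegistryTarball(resolved) {
  if (typeof resolved !== 'string') return false;
  try {
    const u = new URL(resolved);
    return u.protocol === 'https:' && u.hostname === REGISTRY_HOST;
  } catch {
    return false;
  }
}

// Returns a list of findings; an empty list means the lockfile passes.
function auditLockfile(lock, publishTimes, now, minAgeDays = MIN_RELEASE_AGE_DAYS) {
  const findings = [];
  const minAgeMs = minAgeDays * 24 * 60 * 60 * 1000;
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '') continue;                      // the root project itself
    const name = packageName(lockPath);
    const { version } = entry;

    if (!isRegistryTarball(entry.resolved)) {
      findings.push({ name, version, rule: 'non-registry-source',
        detail: `resolved=${entry.resolved}` });
      continue;                                          // no registry publish time to check
    }
    if (entry.hasInstallScript) {
      findings.push({ name, version, rule: 'install-script',
        detail: 'runs lifecycle scripts unless ignore-scripts is set' });
    }
    const published = publishTimes[name] && publishTimes[name][version];
    if (!published) {                                    // unknown version: fail closed
      findings.push({ name, version, rule: 'unknown-publish-time',
        detail: 'version not present in registry metadata' });
      continue;
    }
    const ageMs = now.getTime() - Date.parse(published);
    if (ageMs < minAgeMs) {
      findings.push({ name, version, rule: 'too-new',
        detail: `published ${(ageMs / 86400000).toFixed(1)} days ago, cooldown is ${minAgeDays} days` });
    }
  }
  return findings;
}

// Policy used here: any finding blocks the install.
function installAllowed(findings) {
  return findings.length === 0;
}

const NOW = new Date('2026-06-11T18:22:00Z');   // assumed "now" for the example
const report = auditLockfile(lockfile, registryTime, NOW);
for (const f of report) console.log(`${f.rule}: ${f.name}@${f.version} (${f.detail})`);
console.log(installAllowed(report) ? 'install allowed' : 'install blocked');
```

In a pipeline this would run before `npm ci` against the real lockfile and real registry metadata; `npm ci` then fails if package.json and the lockfile disagree and installs exactly the audited versions, which is the determinism the PR gains by moving every entrypoint off `npm install`. Treating a package with install scripts as a blocking finding is a policy choice for the example; relax it to a warning if your build relies on packages whose scripts you have reviewed.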


3 participants