
Commit 7edf55c

committed
Integrate @lavamoat/git-safe-dependencies in CI
- prevent mutable Git references (e.g. user/repo#main, user/repo#v1.0)
- validate that non-semver dependencies are pinned to commit hashes (e.g. user/repo#<hash>)
- ensure deterministic non-registry dependency installs

Resolve: #1800
1 parent b8e5ed5 commit 7edf55c


3 files changed

+155
-1
lines changed


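--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -19,6 +19,9 @@ jobs:
 - name: Install with Yarn
 run: yarn && yarn setup
 
+- name: Run @lavamoat/git-safe-dependencies
+run: yarn git-safe-dependencies
+
 - name: Compile with TypeScript
 run: yarn tsc
 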
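Review bot: The new step on new-side line 23 (`run: yarn git-safe-dependencies`) runs after `yarn && yarn setup` on line 20, so by the time the manifest and lockfile are validated the CI runner has already fetched and installed every dependency, including any non-registry reference the check is meant to reject. That ordering looks unavoidable as written, since the tool is itself pulled in as a devDependency by that earlier install, which makes this a merge gate rather than a guard on the runner's own install; worth stating so the order is not later "optimised" into something that cannot run. I would add above the step: `# Validates that non-registry deps are pinned to commit hashes; runs after install because the tool is itself a devDependency.` If a pre-install gate is wanted, the tool would have to be obtained independently of the project install step, which this commit does not do.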
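--- a/package.json
+++ b/package.json
@@ -58,6 +58,7 @@
 "@curveball/core": "0.21.1",
 "@curveball/router": "0.6.0",
 "@lavamoat/allow-scripts": "3.4.0",
+"@lavamoat/git-safe-dependencies": "0.3.1",
 "@lavamoat/preinstall-always-fail": "2.1.1",
 "@react-native-community/cli": "11.3.7",
 "@react-native-community/eslint-config": "3.2.0",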

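--- a/yarn.lock
+++ b/yarn.lock
@@ -1943,6 +1943,22 @@ __metadata:
 languageName: node
 linkType: hard
 
+"@isaacs/balanced-match@npm:^4.0.1":
+version: 4.0.1
+resolution: "@isaacs/balanced-match@npm:4.0.1"
+checksum: 10/102fbc6d2c0d5edf8f6dbf2b3feb21695a21bc850f11bc47c4f06aa83bd8884fde3fe9d6d797d619901d96865fdcb4569ac2a54c937992c48885c5e3d9967fe8
+languageName: node
+linkType: hard
+
+"@isaacs/brace-expansion@npm:^5.0.0":
+version: 5.0.0
+resolution: "@isaacs/brace-expansion@npm:5.0.0"
+dependencies:
+"@isaacs/balanced-match": "npm:^4.0.1"
+checksum: 10/cf3b7f206aff12128214a1df764ac8cdbc517c110db85249b945282407e3dfc5c6e66286383a7c9391a059fc8e6e6a8ca82262fc9d2590bd615376141fbebd2d
+languageName: node
+linkType: hard
+
 "@isaacs/cliui@npm:^8.0.2":
 version: 8.0.2
 resolution: "@isaacs/cliui@npm:8.0.2"
@@ -2364,6 +2380,21 @@ __metadata:
 languageName: node
 linkType: hard
 
+"@lavamoat/git-safe-dependencies@npm:0.3.1":
+version: 0.3.1
+resolution: "@lavamoat/git-safe-dependencies@npm:0.3.1"
+dependencies:
+glob: "npm:11.1.0"
+hosted-git-info: "npm:8.1.0"
+js-yaml: "npm:4.1.1"
+lockfile-lint-api: "npm:5.9.2"
+bin:
+git-safe-actions: src/cli-actions.js
+git-safe-dependencies: src/cli.js
+checksum: 10/59f6b8e685bc5ef06b98272fc0b15d14f49fac660caba269e2a9365405577095a49c166537588a2a8b090287a0860d31cff49e8492f7b7874cef317f77846e83
+languageName: node
+linkType: hard
+
 "@lavamoat/preinstall-always-fail@npm:2.1.1":
 version: 2.1.1
 resolution: "@lavamoat/preinstall-always-fail@npm:2.1.1"
@@ -6152,6 +6183,16 @@ __metadata:
 languageName: node
 linkType: hard
 
+"@yarnpkg/parsers@npm:^3.0.0-rc.48.1":
+version: 3.0.3
+resolution: "@yarnpkg/parsers@npm:3.0.3"
+dependencies:
+js-yaml: "npm:^3.10.0"
+tslib: "npm:^2.4.0"
+checksum: 10/379f7ff8fc1b37d3818dfeba4e18a72f8e9817bb41aab9332b50bbc843e45c9bf135563a7a06882ffb50e4cdd29c8da33c8e4f3739201de2fbcd38ecb59e3a8e
+languageName: node
+linkType: hard
+
 "abbrev@npm:^1.0.0":
 version: 1.1.1
 resolution: "abbrev@npm:1.1.1"
@@ -11472,7 +11513,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"foreground-child@npm:^3.1.0":
+"foreground-child@npm:^3.1.0, foreground-child@npm:^3.3.1":
 version: 3.3.1
 resolution: "foreground-child@npm:3.3.1"
 dependencies:
@@ -11918,6 +11959,22 @@ __metadata:
 languageName: node
 linkType: hard
 
+"glob@npm:11.1.0":
+version: 11.1.0
+resolution: "glob@npm:11.1.0"
+dependencies:
+foreground-child: "npm:^3.3.1"
+jackspeak: "npm:^4.1.1"
+minimatch: "npm:^10.1.1"
+minipass: "npm:^7.1.2"
+package-json-from-dist: "npm:^1.0.0"
+path-scurry: "npm:^2.0.0"
+bin:
+glob: dist/esm/bin.mjs
+checksum: 10/da4501819633daff8822c007bb3f93d5c4d2cbc7b15a8e886660f4497dd251a1fb4f53a85fba1e760b31704eff7164aeb2c7a82db10f9f2c362d12c02fe52cf3
+languageName: node
+linkType: hard
+
 "glob@npm:^10.2.2, glob@npm:^10.3.10":
 version: 10.4.5
 resolution: "glob@npm:10.4.5"
@@ -12418,6 +12475,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"hosted-git-info@npm:8.1.0":
+version: 8.1.0
+resolution: "hosted-git-info@npm:8.1.0"
+dependencies:
+lru-cache: "npm:^10.0.1"
+checksum: 10/872a1f3b5da6bff9d99410b96cf7ecb6415ef7d8c8842579cfb690144f40be4581cc4ea50d978829a5fc1ef0b1097151a722d14f905beaf3f09330e8ca40fa4c
+languageName: node
+linkType: hard
+
 "hosted-git-info@npm:^2.1.4":
 version: 2.8.9
 resolution: "hosted-git-info@npm:2.8.9"
@@ -13803,6 +13869,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"jackspeak@npm:^4.1.1":
+version: 4.1.1
+resolution: "jackspeak@npm:4.1.1"
+dependencies:
+"@isaacs/cliui": "npm:^8.0.2"
+checksum: 10/ffceb270ec286841f48413bfb4a50b188662dfd599378ce142b6540f3f0a66821dc9dcb1e9ebc55c6c3b24dc2226c96e5819ba9bd7a241bd29031b61911718c7
+languageName: node
+linkType: hard
+
 "jest-changed-files@npm:^29.5.0":
 version: 29.5.0
 resolution: "jest-changed-files@npm:29.5.0"
@@ -14421,6 +14496,29 @@ __metadata:
 languageName: node
 linkType: hard
 
+"js-yaml@npm:4.1.1":
+version: 4.1.1
+resolution: "js-yaml@npm:4.1.1"
+dependencies:
+argparse: "npm:^2.0.1"
+bin:
+js-yaml: bin/js-yaml.js
+checksum: 10/a52d0519f0f4ef5b4adc1cde466cb54c50d56e2b4a983b9d5c9c0f2f99462047007a6274d7e95617a21d3c91fde3ee6115536ed70991cd645ba8521058b78f77
+languageName: node
+linkType: hard
+
+"js-yaml@npm:^3.10.0":
+version: 3.14.2
+resolution: "js-yaml@npm:3.14.2"
+dependencies:
+argparse: "npm:^1.0.7"
+esprima: "npm:^4.0.0"
+bin:
+js-yaml: bin/js-yaml.js
+checksum: 10/172e0b6007b0bf0fc8d2469c94424f7dd765c64a047d2b790831fecef2204a4054eabf4d911eb73ab8c9a3256ab8ba1ee8d655b789bf24bf059c772acc2075a1
+languageName: node
+linkType: hard
+
 "js-yaml@npm:^3.13.1, js-yaml@npm:^3.6.1":
 version: 3.14.1
 resolution: "js-yaml@npm:3.14.1"
@@ -14955,6 +15053,17 @@ __metadata:
 languageName: node
 linkType: hard
 
+"lockfile-lint-api@npm:5.9.2":
+version: 5.9.2
+resolution: "lockfile-lint-api@npm:5.9.2"
+dependencies:
+"@yarnpkg/parsers": "npm:^3.0.0-rc.48.1"
+debug: "npm:^4.3.4"
+object-hash: "npm:^3.0.0"
+checksum: 10/f317e0cf31921404c4182e3c2a4b8f3a24c62c3f6d03ebb616d9ebd7ffcb168f903cbb6d175a630244923a0f86aadd3b247f85e635a8b937122b19ebf4fc0508
+languageName: node
+linkType: hard
+
 "lodash.debounce@npm:^4.0.8":
 version: 4.0.8
 resolution: "lodash.debounce@npm:4.0.8"
@@ -15076,6 +15185,13 @@ __metadata:
 languageName: node
 linkType: hard
 
+"lru-cache@npm:^11.0.0":
+version: 11.2.2
+resolution: "lru-cache@npm:11.2.2"
+checksum: 10/fa7919fbf068a739f79a1ad461eb273514da7246cebb9dca68e3cd7ba19e3839e7e2aaecd9b72867e08038561eeb96941189e89b3d4091c75ced4f56c71c80db
+languageName: node
+linkType: hard
+
 "lru-cache@npm:^4.0.0":
 version: 4.1.5
 resolution: "lru-cache@npm:4.1.5"
@@ -16252,6 +16368,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"minimatch@npm:^10.1.1":
+version: 10.1.1
+resolution: "minimatch@npm:10.1.1"
+dependencies:
+"@isaacs/brace-expansion": "npm:^5.0.0"
+checksum: 10/110f38921ea527022e90f7a5f43721838ac740d0a0c26881c03b57c261354fb9a0430e40b2c56dfcea2ef3c773768f27210d1106f1f2be19cde3eea93f26f45e
+languageName: node
+linkType: hard
+
 "minimatch@npm:^3.0.0, minimatch@npm:^3.0.2, minimatch@npm:^3.0.4, minimatch@npm:^3.0.5, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
 version: 3.1.2
 resolution: "minimatch@npm:3.1.2"
@@ -16543,6 +16668,7 @@ __metadata:
 "@curveball/core": "npm:0.21.1"
 "@curveball/router": "npm:0.6.0"
 "@lavamoat/allow-scripts": "npm:3.4.0"
+"@lavamoat/git-safe-dependencies": "npm:0.3.1"
 "@lavamoat/preinstall-always-fail": "npm:2.1.1"
 "@react-native-async-storage/async-storage": "npm:1.18.2"
 "@react-native-community/checkbox": "npm:0.5.16"
@@ -17079,6 +17205,13 @@ __metadata:
 languageName: node
 linkType: hard
 
+"object-hash@npm:^3.0.0":
+version: 3.0.0
+resolution: "object-hash@npm:3.0.0"
+checksum: 10/f498d456a20512ba7be500cef4cf7b3c183cc72c65372a549c9a0e6dd78ce26f375e9b1315c07592d3fde8f10d5019986eba35970570d477ed9a2a702514432a
+languageName: node
+linkType: hard
+
 "object-inspect@npm:^1.12.2, object-inspect@npm:^1.12.3, object-inspect@npm:^1.9.0":
 version: 1.12.3
 resolution: "object-inspect@npm:1.12.3"
@@ -17778,6 +17911,16 @@ __metadata:
 languageName: node
 linkType: hard
 
+"path-scurry@npm:^2.0.0":
+version: 2.0.1
+resolution: "path-scurry@npm:2.0.1"
+dependencies:
+lru-cache: "npm:^11.0.0"
+minipass: "npm:^7.1.2"
+checksum: 10/1e9c74e9ccf94d7c16056a5cb2dba9fa23eec1bc221ab15c44765486b9b9975b4cd9a4d55da15b96eadf67d5202e9a2f1cec9023fbb35fe7d9ccd0ff1891f88b
+languageName: node
+linkType: hard
+
 "path-to-regexp@npm:0.1.7":
 version: 0.1.7
 resolution: "path-to-regexp@npm:0.1.7"
@@ -21701,6 +21844,13 @@ __metadata:
 languageName: node
 linkType: hard
 
+"tslib@npm:^2.4.0":
+version: 2.8.1
+resolution: "tslib@npm:2.8.1"
+checksum: 10/3e2e043d5c2316461cb54e5c7fe02c30ef6dccb3384717ca22ae5c6b5bc95232a6241df19c622d9c73b809bea33b187f6dbc73030963e29950c2141bc32a79f7
+languageName: node
+linkType: hard
+
 "tsutils@npm:^3.17.1, tsutils@npm:^3.21.0":
 version: 3.21.0
 resolution: "tsutils@npm:3.21.0"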
