Skip to content

Please include a lock file for reproducible builds / supply-chain hardening #362

Description

@potiuk

Hi! Thanks for maintaining this action.

I'm a maintainer of apache/infrastructure-actions, where we maintain an allowlist of GitHub Actions that ASF projects are permitted to use. Part of our review process is auditing each action (and each version bump) for supply-chain risk.

While reviewing a Dependabot bump from 23.0.0 → 23.1.0 (apache/infrastructure-actions#784), I noticed the repo doesn't ship a lock file (package-lock.json / npm-shrinkwrap.json).

Would you consider committing one? The reasoning:

  • The action is bundled (dist/index.mjs via ncc), so dist/ is what actually runs at the consumer side. To audit it, a reviewer needs to reproduce the build and compare — that requires a deterministic dependency graph.
  • Without a lock file, npm install resolves transitive dependencies at build time, so two builds of the same source commit can produce different dist/ contents depending on when they were built. That makes reproducibility (and therefore review) harder for downstream consumers.
  • A compromised transitive dep at the moment dist/ is generated could be silently bundled into a release, with no signal to reviewers that anything changed in the source tree.

Adding a package-lock.json (committed to the repo) would let downstream auditors:

  1. Pin to a known dependency closure for each released SHA.
  2. Reproduce the dist/ artifact deterministically.
  3. Catch unexpected transitive-dep movement via lockfile diffs.

If you'd prefer a different mechanism (e.g. npm-shrinkwrap.json, or pinning all transitives in package.json), that would also work for our purposes — the goal is just a deterministic dependency closure per release.

Happy to send a PR with npm install --package-lock-only and the resulting lock file if that helps. Thanks for considering!

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions