
fix(expo-cicd-workflows): pin dependency versions to exact semver in package.json#53

Open

xiaolai wants to merge 1 commit into expo:main from xiaolai:fix/nlpm-pin-dependency-versions

Conversation


@xiaolai xiaolai commented Apr 27, 2026


Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.

Security Fix (Low — Supply Chain Hygiene)

plugins/expo/skills/expo-cicd-workflows/scripts/package.json specifies all three dependencies with caret (^) semver ranges:

"ajv": "^8.17.1",
"ajv-formats": "^3.0.1",
"js-yaml": "^4.1.0"

Caret ranges allow automatic minor and patch upgrades. Without a committed lockfile, any fresh npm install can pull in a newer version — including one that has been supply-chain-compromised. Pinning to exact versions makes the resolved version explicit and auditable regardless of whether a lockfile is present.

Fix: Remove the ^ prefix from all three dependencies, pinning them to the versions already in use.

"ajv": "8.17.1",
"ajv-formats": "3.0.1",
"js-yaml": "4.1.0"

Intentional upgrades can still be performed via npm install ajv@latest followed by a review and re-pin — this PR simply makes the current resolved version the default.

…package.json

Co-Authored-By: Claude Code <noreply@anthropic.com>