Skip to content

chore: supply-chain hardening top-up #421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
erik1o6 wants to merge 2 commits into
base: development
Choose a base branch
from
Open

chore: supply-chain hardening top-up #421

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ef28fa9
chore: supply-chain hardening top-up
erik1o6 May 11, 2026
682b115
chore: disable persisted checkout credentials
VSBDev May 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/npm-audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ jobs:
issues: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- uses: actions/setup-node@v4
with:
Expand Down
3 changes: 3 additions & 0 deletions .npmrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,5 @@
save-exact=true
min-release-age=7
audit-level=high
engine-strict=true
fund=false
Comment on lines +3 to +5

@coderabbitai coderabbitai Bot May 11, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify package.json engines field matches .nvmrc and documented npm version

# Check if package.json exists and extract engines field
if [ -f "package.json" ]; then
  echo "=== package.json engines field ==="
  jq '.engines' package.json
  
  echo -e "\n=== Checking Node version compatibility ==="
  node_version=$(jq -r '.engines.node // "not specified"' package.json)
  echo "engines.node: $node_version"
  
  echo -e "\n=== Checking npm version ==="
  npm_version=$(jq -r '.engines.npm // "not specified"' package.json)
  echo "engines.npm: $npm_version"
  
  echo -e "\n=== Checking packageManager field ==="
  package_manager=$(jq -r '.packageManager // "not specified"' package.json)
  echo "packageManager: $package_manager"
else
  echo "ERROR: package.json not found"
  exit 1
fi

Repository: euler-xyz/euler-lite

Length of output: 301

engine-strict=true requires missing engines field in package.json.

The engine-strict=true setting will fail on npm install because package.json does not define the engines field. While packageManager is set to npm@11.10.0, this does not satisfy engine-strict=true, which specifically requires the engines.node and engines.npm fields.

Either add the engines field to package.json specifying Node and npm versions, or remove engine-strict=true from .npmrc. The other settings (audit-level=high and fund=false) are acceptable.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.npmrc around lines 3 - 5, The .npmrc sets engine-strict=true but
package.json lacks an engines field; either remove engine-strict=true from
.npmrc or add an "engines" entry to package.json (e.g., engines.node and
engines.npm) to match the declared packageManager (packageManager:
"npm@11.10.0"); update the engines values to the intended Node and npm versions
and commit that change so npm install will not fail due to missing engines.

1 change: 1 addition & 0 deletions .nvmrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
24