
fix: pin npm to specific version in create-release workflow#17

Merged
dgilmanuni merged 2 commits into main from fix/ci-pin-npm-version on Apr 2, 2026

Conversation

@dgilmanuni
Contributor

Summary

Pin npm@latest to npm@11.7.0 in the create-release workflow to prevent automatically pulling compromised versions of npm or its dependencies.

What changed

  • .github/workflows/create-release.yaml: Changed npm install -g npm@latest to npm install -g npm@11.7.0

Motivation

The axios npm supply chain compromise (2026-03-30) demonstrated the risk of using unpinned @latest tags in CI pipelines. An attacker who publishes a malicious version to npm can immediately compromise any workflow that installs @latest. Pinning to a known-good version eliminates this attack vector.

Test plan

  • Verify the create-release workflow still runs successfully with the pinned npm version
  • Confirm npm@11.7.0 is a valid, uncompromised release

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
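A worked version of the pinning this PR describes, as an added example that is not the repository's own workflow code: a shell lint that flags `npm install` specs which are tags or ranges rather than exact versions, plus an SRI check that verifies the fetched npm tarball against the `dist.integrity` hash recorded when the pin was chosen. The hash check goes one step beyond the PR's version pin, since it removes run-time trust in the registry's answer for that version. The `npm view <pkg>@<version> dist.integrity`, `npm pack` and `npm install -g ./<tarball>` commands are standard npm; the function names, the constructed workflow lines and the expected hash used when exercising the functions are this example's own.

```shell
#!/bin/sh
# Added example for the pinning discussed in this PR; not code from the
# repository or its workflow. Two checks around a pinned
# "npm install -g npm@<version>" step:
#   1. a lint over workflow files that flags npm install specs that are
#      tags or ranges rather than exact versions (npm@latest, npm@^11, npm);
#   2. an SRI check of the fetched tarball against a hash recorded out of
#      band, so the install step no longer trusts the registry's answer.
# Assumption: the expected hash was copied from
#   npm view npm@<version> dist.integrity
# when the pin was chosen, and the tarball is produced by `npm pack`.
set -eu

# 0 only if SPEC is "<name>@<exact x.y.z>"; scoped names are allowed.
is_exact_pin() {
  spec=$1
  name=${spec%@*}
  version=${spec##*@}
  [ -n "$name" ] && [ "$name" != "$spec" ] || return 1
  printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print "<line>:<spec>" for every package argument of an `npm install` or
# `npm i` command in FILE that is not an exact pin. Flags and local
# tarballs (./x.tgz) are skipped; tarballs are covered by verify_sri.
unpinned_specs() {
  grep -En 'npm (install|i) ' "$1" | while IFS= read -r numbered; do
    lineno=${numbered%%:*}
    # Keep only the arguments after install/i, up to any shell operator.
    args=$(printf '%s\n' "${numbered#*:}" \
      | sed -E -e 's/.*npm (install|i) //' -e 's/ *(&&|\|\||;|\|).*//')
    for tok in $args; do
      case $tok in
        -*|./*|*.tgz) ;;
        *) is_exact_pin "$tok" || printf '%s:%s\n' "$lineno" "$tok" ;;
      esac
    done
  done
}

# Return 1 (offending specs on stdout) if FILE has any unpinned install.
scan_workflow() {
  offenders=$(unpinned_specs "$1")
  [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# The SRI string npm stores as dist.integrity for a tarball.
sri_sha512() {
  printf 'sha512-%s\n' "$(openssl dgst -sha512 -binary "$1" | openssl base64 -A)"
}

# 0 only if FILE hashes to EXPECTED ("sha512-<base64>").
verify_sri() {
  [ "$(sri_sha512 "$1")" = "$2" ]
}

# Hardened replacement for `npm install -g npm@latest`: fetch the exact
# version as a tarball, verify it against the recorded hash, and only then
# install it. Needs the network, so it is defined here but not invoked.
install_pinned_npm() {
  version=$1
  expected=$2
  npm pack "npm@$version" >/dev/null
  verify_sri "npm-$version.tgz" "$expected" || {
    echo "npm-$version.tgz does not match the recorded integrity hash" >&2
    return 1
  }
  npm install -g "./npm-$version.tgz"
  # Fail the job, not the release, if a different npm ended up on PATH.
  npm --version | grep -qx "$version"
}
```

In a workflow the replacement step would call `install_pinned_npm 11.7.0 "$NPM_INTEGRITY"` with the hash kept as a workflow variable next to the version, and `scan_workflow` run over each file under `.github/workflows/` as a separate lint job or pre-commit hook so a future `@latest` cannot come back unnoticed.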
@dgilmanuni dgilmanuni requested a review from a team as a code owner April 1, 2026 00:33
@semgrep-code-uniswap

Semgrep found 1 npm-package-in-action-not-pinned-to-commit-sha finding:

  • .github/workflows/create-release.yaml

$...LIB
An npm script inside an action on GitHub is not pinned to a full length commit SHA. Pinning the npm package to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Comment thread on .github/workflows/create-release.yaml (outdated)

- name: Install npm
run: npm install -g npm@latest
run: npm install -g npm@11.7.0
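Review bot: the `npm@11.7.0` in the replacement `run:` line stops the step from floating to whatever the registry serves as `latest`, but the tarball for 11.7.0 is still resolved from the registry on every run, so the step keeps trusting the registry's response for that version. Record the `dist.integrity` value for 11.7.0 next to the pin and check the fetched tarball against it before installing (for example `npm pack npm@11.7.0`, a hash comparison, then `npm install -g ./npm-11.7.0.tgz`), and add an `npm --version` assertion after the install so a silently different npm fails this job rather than the release it produces.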

@semgrep-code-uniswap semgrep-code-uniswap Bot Apr 1, 2026

$...LIB
An npm script inside an action on GitHub is not pinned to a full length commit SHA. Pinning the npm package to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Fixed in commit 3efa945

Contributor Author


/ar Pinning npm itself to a git commit SHA is not practical — it's the package manager, not a third-party dependency. Version pinning to @11.7.0 is sufficient.

@semgrep-code-uniswap


Semgrep found 1 npm-package-in-action-not-pinned-to-commit-sha finding:

  • .github/workflows/create-release.yaml

$...LIB
An npm script inside an action on GitHub is not pinned to a full length commit SHA. Pinning the npm package to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Use github:npm/cli#<sha> to bypass the npm registry entirely,
preventing supply chain attacks on the package manager itself.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dgilmanuni dgilmanuni merged commit ff21e48 into main Apr 2, 2026
4 checks passed
@dgilmanuni dgilmanuni deleted the fix/ci-pin-npm-version branch April 2, 2026 19:55
3 participants