Add test to check package-lock.json files for suspicious dependencies #2861

labkey-tchad · 2026-01-28T21:39:16Z

Rationale

By requiring all NPM dependencies to come from registry.npmjs.org or labkey.jfrog.io, we can reduce the risk of downloading malicious code.

Related Pull Requests

N/A

Changes

Add test to check package-lock.json files for suspicious dependencies

labkey-alan

Looks good to me.

labkey-tchad added 11 commits January 15, 2026 15:56

Framework for package lock scan

514552b

Merge remote-tracking branch 'origin/develop' into packageLockTest

6e6ef27

Scan all package.json files for URL dependencies

06e1b49

Merge remote-tracking branch 'origin/develop' into packageLockTest

4154150

Improve package-lock check

c1baf60

Update PackageLockJsonTest to be parameterized

9901db0

Formatting cleanup

91b5451

Formatting cleanup

1b88bd7

Minor cleanup

35edf71

Merge remote-tracking branch 'origin/develop' into fb_packageLockTest

05a2bf6

Better name

b818ed8

labkey-tchad added this to the 26.02 milestone Jan 28, 2026

labkey-tchad requested a review from labkey-alan January 28, 2026 21:39

labkey-alan approved these changes Jan 29, 2026

View reviewed changes

labkey-tchad added 2 commits January 29, 2026 11:17

Merge remote-tracking branch 'origin/develop' into fb_packageLockTest

0b35df0

Add task to run package lock test

bd9ef06

labkey-tchad merged commit 71642ca into develop Jan 29, 2026
5 checks passed

labkey-tchad deleted the fb_packageLockTest branch January 29, 2026 21:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add test to check package-lock.json files for suspicious dependencies #2861

Add test to check package-lock.json files for suspicious dependencies #2861

labkey-tchad commented Jan 28, 2026

Uh oh!

labkey-alan left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Add test to check package-lock.json files for suspicious dependencies #2861

Add test to check package-lock.json files for suspicious dependencies #2861

Conversation

labkey-tchad commented Jan 28, 2026

Rationale

Related Pull Requests

Changes

Uh oh!

labkey-alan left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants