added security best practises (#212)

* added security best practises

* Vulnerability fixes

* updating .md files with npm ci

* Handle package files conditions.

* Handle package files conditions.

---------

Co-authored-by: Aniket Shinde <aniket.shinde@checkmarx.com>

Author: cx-atish-jadhav

.github/workflows/ci.yml

@@ -9,25 +9,45 @@ jobs:
     runs-on: cx-public-ubuntu-x64
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+    - name: Verify single lockfile (Step 0 - Supply Chain Policy)
+      run: |
+        if [ -f yarn.lock ] && [ -f package-lock.json ]; then
+          echo "❌ ERROR: Both yarn.lock and package-lock.json found. Policy requires exactly ONE package manager. Allowed: npm + package-lock.json OR Yarn + yarn.lock"
+          exit 1
+        fi
+        if [ ! -f yarn.lock ] && [ ! -f package-lock.json ]; then
+          echo "❌ ERROR: No lockfile found. Policy requires exactly ONE package manager lockfile. Required: npm + package-lock.json OR Yarn + yarn.lock"
+          exit 1
+        fi
     - name: Use Node.js 22.11.0
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 22.11.0
         registry-url: https://npm.pkg.github.com/
-    - run: npm ci
+    - run: npm ci --ignore-scripts
     - name: Run Unit Tests
 
       run: npm run test:unit
   integration-tests:
     runs-on: cx-public-ubuntu-x64
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+    - name: Verify single lockfile (Step 0 - Supply Chain Policy)
+      run: |
+        if [ -f yarn.lock ] && [ -f package-lock.json ]; then
+          echo "❌ ERROR: Both yarn.lock and package-lock.json found. Policy requires exactly ONE package manager. Allowed: npm + package-lock.json OR Yarn + yarn.lock"
+          exit 1
+        fi
+        if [ ! -f yarn.lock ] && [ ! -f package-lock.json ]; then
+          echo "❌ ERROR: No lockfile found. Policy requires exactly ONE package manager lockfile. Required: npm + package-lock.json OR Yarn + yarn.lock"
+          exit 1
+        fi
     - name: Use Node.js 22.11.0
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 22.11.0
         registry-url: https://npm.pkg.github.com/
-    - run: npm ci
+    - run: npm ci --ignore-scripts
     - name: Code Linting
       run: npm run lint
     - run: npm run build --if-present

.github/workflows/release.yml

@@ -74,7 +74,17 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Git Configuration 
+      - name: Verify single lockfile (Step 0 - Supply Chain Policy)
+        run: |
+          if [ -f yarn.lock ] && [ -f package-lock.json ]; then
+            echo "❌ ERROR: Both yarn.lock and package-lock.json found. Policy requires exactly ONE package manager. Allowed: npm + package-lock.json OR Yarn + yarn.lock"
+            exit 1
+          fi
+          if [ ! -f yarn.lock ] && [ ! -f package-lock.json ]; then
+            echo "❌ ERROR: No lockfile found. Policy requires exactly ONE package manager lockfile. Required: npm + package-lock.json OR Yarn + yarn.lock"
+            exit 1
+          fi
+      - name: Git Configuration
         run: |
           git config user.name github-actions
           git config user.email github-actions@github.com
@@ -137,7 +147,7 @@ jobs:
 
       - name: NPM ci and build
         run: |
-          npm ci
+          npm ci --ignore-scripts
           npm run build
 
       - name: Create Pull Request

.npmrc

@@ -1,2 +1,3 @@
 # Default registry for most packages
-registry=https://npm.echohq.com/
+registry=https://npm.echohq.com/
+ignore-scripts=true

CLAUDE.md

@@ -188,7 +188,7 @@ CxWrapper (Main Entry Point)
 
 2. **Install dependencies**
    ```bash
-   npm install
+   npm ci
    ```
 
 3. **Verify installation**

README.md

@@ -53,8 +53,8 @@ To be able to build the code you should have:
 ### Setting Up
 
 In your terminal, run:
-```
-- npm install
+```bash
+npm ci
 ```
 
 To run integrations tests, you need to set up environment variables:

package-lock.json

@@ -58,6 +58,7 @@
   "overrides": {
     "bluebird": "3.7.2",
     "flatted": "^3.4.2",
+    "js-yaml": "4.2.0",
     "lodash": "^4.18.0",
     "minimatch": "^3.1.2",
     "underscore": "^1.13.8",