
fix(security): pin root devDependencies to exact versions#67

Open
xiaolai wants to merge 1 commit into codeaholicguy:main from xiaolai:fix/nlpm-pin-devdeps

Conversation

@xiaolai

@xiaolai xiaolai commented Apr 21, 2026

Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.

Bug

The root package.json declares devDependencies with ^ (caret) ranges:

```json
"@nx/js": "^22.4.0",
"husky": "^9.1.7",
"nx": "^22.4.0"
```

The ^ operator allows npm to silently install any compatible minor or patch version. If any of these packages (or their dependencies) is compromised at a minor/patch release, npm install on a fresh checkout without a lock file would pull in the malicious version.

Fix

Pins each devDependency to the exact version currently resolved in package-lock.json:

| Package | Before | After |
|---------|--------|-------|
| @nx/js | ^22.4.0 | 22.6.5 |
| husky | ^9.1.7 | 9.1.7 |
| nx | ^22.4.0 | 22.6.5 |

These are the versions already locked in package-lock.json, so no behavior changes for developers using npm ci. This only affects fresh npm install runs in environments without the lock file.

Impact

Low severity. Supply chain hardening — eliminates a window where a compromised minor/patch release could be silently installed in CI or contributor environments that don't use npm ci.

Co-Authored-By: Claude Code <noreply@anthropic.com>
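The check this PR performs by hand, as an added example that is not part of the PR or the repository: it flags every devDependency declared as a range rather than an exact version and rewrites each one to the version package-lock.json already resolves, so the pinned file matches what `npm ci` installs. The sample package.json and lock file below are constructed to mirror the PR's before/after table; on a real repo you would `JSON.parse` the two files instead.

```javascript
// Added example (not from the PR): find devDependencies declared as ranges and
// rewrite them to the exact version resolved in package-lock.json.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build, no ^ ~ > etc.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Resolve the installed version of a package from a lockfile: v2/v3 use a
// "packages" map keyed by node_modules path, v1 a flat "dependencies" map.
function lockedVersion(lock, name) {
  const v3 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v3 && v3.version) return v3.version;
  const v1 = lock.dependencies && lock.dependencies[name];
  return v1 ? v1.version : undefined;
}

// Report each devDependency whose spec is not exact, with the version the lock
// file currently pins it to (undefined if the package is absent from the lock).
function findUnpinned(pkg, lock) {
  const devs = pkg.devDependencies || {};
  return Object.keys(devs)
    .filter((name) => !EXACT.test(devs[name]))
    .map((name) => ({ name, range: devs[name], resolved: lockedVersion(lock, name) }));
}

// Return a copy of package.json with each range replaced by its locked version.
// Entries missing from the lock are left untouched so nothing is guessed.
function pinDevDependencies(pkg, lock) {
  const pinned = { ...pkg, devDependencies: { ...(pkg.devDependencies || {}) } };
  for (const { name, resolved } of findUnpinned(pkg, lock)) {
    if (resolved) pinned.devDependencies[name] = resolved;
  }
  return pinned;
}

// Constructed sample input mirroring the PR's before/after table.
const samplePkg = {
  name: 'sample-root',
  devDependencies: { '@nx/js': '^22.4.0', husky: '^9.1.7', nx: '^22.4.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@nx/js': { version: '22.6.5' },
    'node_modules/husky': { version: '9.1.7' },
    'node_modules/nx': { version: '22.6.5' },
  },
};

console.log(findUnpinned(samplePkg, sampleLock));
console.log(pinDevDependencies(samplePkg, sampleLock).devDependencies);
```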