Skip to content

fix(security): dependency-pinning script reports false positives on package.json metadata #267

Closed
#273
Closed
fix(security): dependency-pinning script reports false positives on package.json metadata#267
#273
Assignees
WilliamBerryiii
Labels
bugSomething isn't workinggood first issueGood for newcomerssecuritySecurity-related changes or concerns
@WilliamBerryiii

Description

@WilliamBerryiii
WilliamBerryiii
opened on Jan 24, 2026

Summary

The Test-DependencyPinning.ps1 script incorrectly flags package.json metadata fields (name, displayName, version, description, publisher, path) as unpinned npm dependencies.

Current Behavior

Running npm run dependency-pinning produces 169 violations, but most are false positives:

{
  "File": "extension\\package.json",
  "Line": 2,
  "Type": "npm",
  "Name": "name",
  "Version": "hve-core",
  "Description": "Unpinned dependency: NPM dependencies in package.json"
}

The script's regex pattern matches any "key": "value" pair in package.json rather than specifically targeting the dependencies and devDependencies sections.

Expected Behavior

The script should only flag actual npm dependencies in:

  • dependencies
  • devDependencies
  • peerDependencies
  • optionalDependencies

Acceptance Criteria

  • Update Test-DependencyPinning.ps1 to parse package.json structure and only check dependency sections
  • Compliance score accurately reflects actual dependency pinning status
  • Existing Pester tests pass
  • Add test case for package.json metadata fields (should not be flagged)

References

Metadata

Metadata

Assignees

Labels

bugSomething isn't workinggood first issueGood for newcomerssecuritySecurity-related changes or concerns

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions