Note
Partial Completion Status (assessed 2026-02-25)
Completed:
- Version pinned to @vscode/vsce@3.7.1 across all 3 extension workflow files
Remaining:
- npm install -g bypassing lockfile integrity checks
- extension/package-lock.json with integrity hashes not yet committed
- No acceptance criteria items checked off
Summary
OpenSSF Scorecard reports 4 Pinned-Dependencies alerts for npm install -g @vscode/vsce@3.7.1 commands across 3 extension workflow files. Version pinning alone does not satisfy the Scorecard check — cryptographic hash pinning is required.
This is a recurrence of #291 (closed 2026-01-27), which proposed the same fix. The alerts persist on main, indicating the fix was either not fully applied or was overridden.
Alert Details
- extension-package.yml: npm install -g @vscode/vsce@3.7.1
- extension-publish-prerelease.yml: npm install -g @vscode/vsce@3.7.1
- extension-publish-prerelease.yml: npm install -g @vscode/vsce@3.7.1
- extension-publish.yml: npm install -g @vscode/vsce@3.7.1
Root Cause
npm install -g bypasses lockfile integrity checks. Even with a version pin (@3.7.1), the package is fetched at install time without a cryptographic hash comparison. OpenSSF Scorecard requires either:
- A lockfile-backed install (npm ci) with integrity hashes, or
- An explicit SHA-256 verification step
Proposed Fix
Convert the global npm install -g to a lockfile-backed local install:
1. Add @vscode/vsce as a devDependency to extension/package.json
2. Commit extension/package-lock.json with integrity hashes
3. Replace the npm install -g @vscode/vsce@3.7.1 steps with:
```yaml
- run: cd extension && npm ci
- run: npx vsce
  working-directory: extension
```
This eliminates the global install and leverages npm's built-in integrity verification via the lockfile.
Alternative
If the local devDependency approach creates issues with workflow structure, use scripts/security/tool-checksums.json (existing pattern in the repo) to verify a downloaded tarball hash before installing.
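As an added illustration (not code from this issue or the repository), the following Python shows the two verification mechanisms the Proposed Fix and the Alternative rely on: the Subresource Integrity string npm records as "integrity" in package-lock.json and re-checks during npm ci, and an explicit SHA-256 comparison of a downloaded tarball against a checksums file in the style of scripts/security/tool-checksums.json. The checksums JSON schema, file names and tarball bytes are constructed assumptions, not the repo's real artifacts.

```python
import base64
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sri_integrity(tarball: bytes, algo: str = "sha512") -> str:
    """Build the Subresource Integrity string npm stores as "integrity" in
    package-lock.json: "<algo>-<base64 digest>". npm ci recomputes this over
    the fetched tarball and refuses to install on a mismatch."""
    digest = hashlib.new(algo, tarball).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_tarball_sha256(tarball_path: Path, checksums_path: Path, key: str) -> bool:
    """Explicit SHA-256 check in the spirit of the tool-checksums.json alternative.
    Assumed schema (not the repo's real file): {"<package>@<version>": "<sha256 hex>"}."""
    checksums = json.loads(Path(checksums_path).read_text(encoding="utf-8"))
    expected = checksums[key].strip().lower()
    actual = hashlib.sha256(Path(tarball_path).read_bytes()).hexdigest()
    # Constant-time compare; on mismatch the caller must not install the tarball.
    return hmac.compare_digest(actual, expected)


def demo() -> tuple[bool, bool, str]:
    """Run both checks on a constructed tarball; returns (good_ok, tampered_ok, sri)."""
    # Constructed stand-in for the bytes `npm pack @vscode/vsce@3.7.1` would produce.
    sample = b"constructed sample tarball bytes, not a real vsce release\n"
    key = "@vscode/vsce@3.7.1"
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "vscode-vsce-3.7.1.tgz"
        good.write_bytes(sample)
        tampered = Path(tmp) / "vscode-vsce-3.7.1.tampered.tgz"
        tampered.write_bytes(sample + b"\x00")  # a single changed byte must fail the check
        checksums = Path(tmp) / "tool-checksums.json"  # assumed location and schema
        checksums.write_text(json.dumps({key: hashlib.sha256(sample).hexdigest()}), encoding="utf-8")
        good_ok = verify_tarball_sha256(good, checksums, key)
        tampered_ok = verify_tarball_sha256(tampered, checksums, key)
    return good_ok, tampered_ok, sri_integrity(sample)


if __name__ == "__main__":
    print(demo())
```

In a workflow the SHA-256 path would run between the download and the install step, and only a True result would let the install proceed.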
Acceptance Criteria
- [ ] No global npm install -g @vscode/vsce commands remain in any workflow
- [ ] extension/package-lock.json contains integrity hashes for vsce
- [ ] extension-package.yml workflow passes CI (extension packages successfully)
- [ ] extension-publish.yml workflow passes CI (extension publishes successfully)
- [ ] extension-publish-prerelease.yml workflow passes CI (both jobs)
References
- scripts/security/tool-checksums.json for hash verification
How to Build This
This is a security fix implementation task using the task-implementor workflow.
Workflow: /task-research → /task-plan → /task-implement → /task-review
Tip
Between each phase, type /clear or start a new chat to reset context.
Warning
The issue proposes adding extension/package.json as a devDependency target, but extension/package.json does not exist in the repository. The extension uses extension/templates/package.template.json instead. Research should investigate how the template-based packaging workflow interacts with the proposed fix.
Phase 1: Research
Source Material
- #file:.github/workflows/extension-package.yml (line 58: unpinned vsce install)
- #file:.github/workflows/extension-publish.yml (line 115: unpinned vsce install)
- #file:.github/workflows/extension-publish-prerelease.yml (lines 72, 130: unpinned vsce install)
- #file:extension/templates/package.template.json (template-based packaging)
- #file:scripts/security/tool-checksums.json (hash verification pattern)
- #file:scripts/extension/prepare-extension.ps1 (extension build process)
Steps
Type /clear to start a fresh context.
Copy and run this prompt:
/task-research topic="resolving vsce npm pinned-dependencies alerts"
Research how to resolve OpenSSF Scorecard Pinned-Dependencies alerts for npm install -g @vscode/vsce commands in extension workflows. Investigate:
1. How the extension packaging workflow works (template-based, not standard package.json)
2. Whether adding extension/package.json and extension/package-lock.json is compatible with the template-based build system
3. The alternative approach using scripts/security/tool-checksums.json for hash verification
4. How npm ci handles devDependencies vs npm install -g for the vsce tool
5. Whether npx vsce can replace direct vsce CLI invocation in workflow steps
6. Impact on all three extension workflow files (package, publish, publish-prerelease)
7. The existing prepare-extension.ps1 script and how it interacts with packaging
Output: Research document at .copilot-tracking/research/{{YYYY-MM-DD}}-vsce-pinning-research.md
Phase 2: Plan
Source Material
Research document from Phase 1
Steps
Type /clear to start a fresh context.
Open the research document from Phase 1.
Copy and run this prompt:
/task-plan
Create an implementation plan for resolving the vsce Pinned-Dependencies alerts. The plan should address the template-based packaging system, select between the devDependency approach and the tool-checksums approach, and specify changes to all three extension workflow files.
Output: Plan at .copilot-tracking/plans/ and details at .copilot-tracking/details/
Phase 3: Implement
Source Material
Plan from Phase 2
Steps
Type /clear to start a fresh context.
Open the plan document from Phase 2.
Copy and run this prompt:
/task-implement
Implement the vsce pinning fix across all three extension workflow files following the plan. Replace npm install -g commands with the selected approach (lockfile-backed install or hash-verified download).
Output: Modified workflow files and any new files, changes log at .copilot-tracking/changes/
Phase 4: Review
Source Material
Plan from Phase 2
Changes log from Phase 3
Steps
Type /clear to start a fresh context.
Open the plan and changes log.
Copy and run this prompt:
/task-review
Review the vsce pinning implementation. Run these validation commands:
- npm run lint:yaml (validate all three extension workflow files)
Verify that no npm install -g @vscode/vsce commands remain, that the replacement approach provides cryptographic hash verification, and that extension packaging still works correctly in all three workflow contexts.
Output: Review log at .copilot-tracking/reviews/
After Review
Pass: All criteria met. Create a PR referencing this issue.
Iterate: Review found issues. Run /clear, return to Phase 3 with the review feedback.
Escalate: Fundamental design issue discovered. Run /clear, return to Phase 1 to research the gap.
Authoring Standards
- .github/instructions/hve-core/workflows.instructions.md
- scripts/security/
Success Criteria
- No npm install -g @vscode/vsce commands remain in any workflow
- extension-package.yml workflow still packages the extension correctly
- extension-publish.yml workflow still publishes correctly
- extension-publish-prerelease.yml workflow still works for both jobs
- npm run lint:yaml passes for all modified workflow files