From e61413b87331de01eeda99815a1b3e1262c34cf8 Mon Sep 17 00:00:00 2001
From: Rohan Nagariya
Date: Mon, 15 Jun 2026 13:14:58 +0530
Subject: [PATCH] =?UTF-8?q?fix(security):=20supply-chain=20hygiene=20?=
 =?UTF-8?q?=E2=80=94=20mocha=20to=20devDeps,=20pin=20Semgrep=20image,=20ad?=
 =?UTF-8?q?d=20files=20allowlist=20[APS-19017]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

INF-005: remove mocha from dependencies (kept in devDependencies); CLI loads mocha from user project via requireModule(), prod copy unnecessary. npm ls mocha --omit=dev now empty.

INF-007: pin Semgrep CI image returntocorp/semgrep -> @sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b (latest as of 2026-06-15).

INF-008: add package.json files allowlist [bin/, README.md, LICENSE.md] so npm pack no longer ships .github/, CODEOWNERS, .nycrc.yml, test/. Verified via npm pack --dry-run.

NOT applied: CSL-003 md5->sha256 (constants.js) — behavioral change to upload-dedup hash; needs human sign-off.

Resolves: APS-19017
Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/Semgrep.yml | 4 +++-
 package.json | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
index 0347afd5..0d1b81f4 100644
--- a/.github/workflows/Semgrep.yml
+++ b/.github/workflows/Semgrep.yml
@@ -27,7 +27,9 @@ jobs:
 container:
 # A Docker image with Semgrep installed. Do not change this.
- image: returntocorp/semgrep
+ # Pinned to a digest for supply-chain integrity (APS-19017 / INF-007).
+ # returntocorp/semgrep:latest as of 2026-06-15.
+ image: returntocorp/semgrep@sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
diff --git a/package.json b/package.json
index 58b3002c..7dc70feb 100644
--- a/package.json
+++ b/package.json
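Review bot: The retained comment `# A Docker image with Semgrep installed. Do not change this.` now contradicts the digest pin directly beneath it, which must be changed on every Semgrep upgrade, and the new comment identifies the pinned build only as `:latest as of 2026-06-15`, leaving nothing to diff against when the digest is next bumped. Suggest collapsing the three comment lines into one that states the maintenance contract, e.g. `# Semgrep image pinned by digest (APS-19017 / INF-007); when upgrading, bump the digest and record the semgrep release it resolves to.` A digest pin is only as good as whatever refreshes it: the `if: (github.actor != 'dependabot[bot]')` guard two lines below means a Dependabot PR that bumps this digest would itself be skipped by this workflow, so the pin's update path should be confirmed against the repository's Dependabot configuration, which is not visible here. The `jobs:` mapping this `container:` belongs to starts outside the hunk.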
@@ -3,6 +3,11 @@
 "version": "1.36.9",
 "description": "BrowserStack Cypress CLI for Cypress integration with BrowserStack's remote devices.",
 "main": "index.js",
+ "files": [
+ "bin/",
+ "README.md",
+ "LICENSE.md"
+ ],
 "scripts": {
 "test": "nyc mocha 'test/**/*.js' --recursive --timeout 60000 --exit"
 },
@@ -30,7 +35,6 @@
 "glob": "^7.2.0",
 "https-proxy-agent": "^5.0.1",
 "mkdirp": "1.0.4",
- "mocha": "^10.2.0",
 "node-ipc": "9.1.1",
 "table": "5.4.6",
 "tsc-alias": "^1.8.16",
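Review bot: The new `files` allowlist admits `bin/` wholesale and nothing else, so any runtime module the CLI requires from outside `bin/` (the description mentions a requireModule() helper whose location is not visible here) would be missing from the published tarball while `npm pack --dry-run` still reports success. The `"main": "index.js"` entry in the same hunk is safe because npm always includes the `main` file regardless of `files`, but listing `"index.js"` explicitly would make the allowlist self-describing instead of relying on that implicit rule. A CI step that packs the tarball, installs it into a scratch directory and invokes the CLI once would catch a dropped module before publish, which a dry-run listing cannot.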
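Review bot: Removing `"mocha": "^10.2.0"` from `dependencies` turns mocha into an undeclared runtime requirement: per the description the CLI resolves it from the user's project via requireModule(), so a project without mocha now fails at run time rather than at install time, and nothing left in package.json records that contract. Consider declaring it as an optional peer dependency so npm and audit tooling can still see the relationship without reinstalling it, e.g. `"peerDependencies": { "mocha": "^10.2.0" }` together with `"peerDependenciesMeta": { "mocha": { "optional": true } }`, reusing the `^10.2.0` range from the removed line since that is what the code was exercised against. If requireModule() already produces a clear error when mocha is absent, the peer declaration is still worth adding for `npm ls` and supply-chain inventories.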