
[Bug]: Unsafe Package Publishing #1587

@gcatanese

Unsafe Package Publishing

Overview

We have recently conducted a security scan of our GitHub repositories to ensure our CI/CD pipelines are secure. We identified misconfigurations in GitHub Actions workflows (e.g., injection risks, unpinned actions).

File: .github/workflows/npmpublish.yml

Description

The workflow publishes a package to NPM using a NODE_AUTH_TOKEN after running npm install and npm run build. This is highly risky, as a compromised dependency could lead to a malicious package being published. Actions are also not pinned by commit hash.

Remediation

  1. Pin all actions to a specific commit hash.
  2. Scope the NODE_AUTH_TOKEN specifically to the npm publish step, not the entire job.
  3. Use npm ci instead of npm install.
  4. Consider building and testing in a separate job, saving the build artifact, and publishing the verified artifact in this job.
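The four remediation items above, combined into one workflow as an added example (not the repository's actual npmpublish.yml and not written by the issue author). The trigger, Node version, `npm test` script, artifact name and the secret name `NPM_TOKEN` are assumptions, and `<full-commit-sha>` is a placeholder for the 40-character commit hash of each action release you have reviewed.

```yaml
# Hypothetical hardened .github/workflows/npmpublish.yml (added example).
name: npm publish
on:
  release:
    types: [published]          # assumed trigger

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Item 1: every action pinned to a commit hash (placeholder shown)
      - uses: actions/checkout@<full-commit-sha>
      - uses: actions/setup-node@<full-commit-sha>
        with:
          node-version: 20      # assumed version
      # Item 3: npm ci installs exactly what package-lock.json records
      - run: npm ci
      - run: npm run build
      - run: npm test           # assumes the package defines a test script
      # Item 4: pack once; the publish job ships this exact tarball
      - run: mkdir -p package-out && npm pack --pack-destination package-out
      - uses: actions/upload-artifact@<full-commit-sha>
        with:
          name: npm-package
          path: package-out/

  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      # No checkout and no dependency install here, so no dependency
      # code runs in the job that handles the token.
      - uses: actions/download-artifact@<full-commit-sha>
        with:
          name: npm-package
          path: package-out
      - uses: actions/setup-node@<full-commit-sha>
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Item 2: the token exists only in this step's environment
      - run: npm publish ./package-out/*.tgz
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

The build job still executes dependency code, so the tarball is only as trustworthy as the build and test steps that produced it; what the split guarantees is that the publish token is never in the environment while that code runs.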

Labels

bug: Something isn't working