Pinned-Dependencies #4422

The remediation steps don't spell out what "npmCommand not pinned by hash" means or how I'm supposed to resolve it. I basically have no idea what I'm supposed to do here.

Agreed, the resolution steps aren't clear in the output.

In this case, it's looking for npm ci and not npm i:

RUN cd /app/MHA && npm ci && npm run build --if-present

Please double check your Dockerfile still works like this, but the warning in Scorecard should go away (--local lets you point Scorecard at local files so you don't need to merge and test):

scorecard --local=/tmp/MHA --checks Pinned-Dependencies --format json --show-details | jq

# omitted ...

      "details": [
        "Info:  21 out of  21 GitHub-owned GitHub…

Answer selected by stephenegriffin
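As an added illustration (not part of this thread and not Scorecard's own code), the shell script below approximates the point of the answer above: it scans the RUN instructions of a Dockerfile, joins backslash-continued lines first, and reports any `npm install` / `npm i` invocation while letting the lockfile-driven `npm ci` pass. The two sample Dockerfiles it writes are constructed for the demo, and the matching rule is our own coarse heuristic, not the logic the real Pinned-Dependencies check implements; use `scorecard --local` as shown above for the authoritative result.

```shell
#!/bin/sh
# Added example, not Scorecard's code. Assumes POSIX sh, awk and grep.

# Write two constructed sample Dockerfiles into DIR:
# one with the pattern the warning complains about, one remediated with
# `npm ci` (split over continuation lines to exercise the joining logic).
write_samples() {
    dir=$1
    printf 'FROM node:20\nWORKDIR /app\nRUN cd /app/MHA && npm i && npm run build --if-present\n' \
        > "$dir/unpinned.Dockerfile"
    printf 'FROM node:20\nWORKDIR /app\nRUN cd /app/MHA && \\\n    npm ci && \\\n    npm run build --if-present\n' \
        > "$dir/pinned.Dockerfile"
}

# check_npm_pinning FILE
# Returns 0 when no RUN instruction invokes `npm install` / `npm i`,
# returns 1 and prints the offending instruction(s) to stderr otherwise.
# Heuristic only: any `npm install`/`npm i` is flagged, even with an
# explicitly versioned argument; `npm ci` and `npm run ...` are not.
check_npm_pinning() {
    dockerfile=$1
    # Join lines ending in a backslash so a multi-line RUN is one record,
    # then keep only RUN instructions.
    runs=$(awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { print buf $0; buf = "" }
        END { if (buf != "") print buf }
    ' "$dockerfile" | grep -E '^[[:space:]]*RUN[[:space:]]' || true)
    # `npm` as a whole word followed by `install` or `i` as a whole word.
    unpinned=$(printf '%s\n' "$runs" \
        | grep -E '(^|[^[:alnum:]_./-])npm[[:space:]]+(install|i)([[:space:]]|$)' || true)
    if [ -n "$unpinned" ]; then
        printf 'unpinned npm invocation in %s:\n%s\n' "$dockerfile" "$unpinned" >&2
        printf 'remediation: switch to `npm ci` so package-lock.json is honoured\n' >&2
        return 1
    fi
    return 0
}

# Demo run over the constructed samples.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for f in "$sample_dir"/*.Dockerfile; do
    if check_npm_pinning "$f"; then
        echo "OK: $f"
    fi
done
rm -rf "$sample_dir"
```

Running it prints `OK:` for `pinned.Dockerfile` and a remediation hint for `unpinned.Dockerfile`; in CI the function's exit status can gate the build before Scorecard ever runs.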