
chore(ci): add lockfile-lint PR check for yarn.lock injection prevention #7114

Open
jstirnaman wants to merge 1 commit into master from worktree-chore-security-npmrc-cooldown

Conversation

@jstirnaman
Contributor

Summary

Add a GitHub Actions workflow that validates yarn.lock on every PR, preventing lockfile injection attacks.

What it does

Runs lockfile-lint (v5.0.0, via npx) to verify that every resolved URL in yarn.lock:

  • Uses HTTPS (rejects http://, git://, or bare URLs)
  • Points to registry.yarnpkg.com (rejects unknown/attacker-controlled hosts)

Why this matters

Lockfile injection is a supply-chain attack where a PR modifies yarn.lock to redirect package resolution to attacker-controlled hosts. The change is easy to miss in code review because lockfiles are large and auto-generated. This check catches it automatically.

Reference: Lockfile injection research (Liran Tal, 2019)

Workflow design

  • Trigger: PRs modifying yarn.lock
  • Sparse checkout: Only fetches yarn.lock (not the full repo)
  • SHA-pinned actions: actions/checkout@v6.0.2, actions/setup-node@v6.3.0
  • Least privilege: permissions: contents: read, persist-credentials: false
  • Zero new dependencies: Uses npx --yes lockfile-lint@5.0.0 (not added to package.json)

Baseline verified

All 802 resolved entries in yarn.lock currently point to https://registry.yarnpkg.com/ — no false positives expected.

Test plan

  • actionlint passes on the new workflow
  • lockfile-lint reports "No issues detected" on current yarn.lock
  • Simulated injection (http://evil.example.com) correctly detected and exits non-zero
  • PR check appears and passes when this PR is reviewed

Add a GitHub Actions workflow that validates yarn.lock on every PR,
ensuring all resolved URLs use HTTPS and point to registry.yarnpkg.com.
Prevents lockfile injection attacks where a PR modifies resolved URLs
to fetch packages from attacker-controlled hosts.

Uses lockfile-lint@5.0.0 via npx (no new dependencies in package.json).
SHA-pinned actions, sparse checkout of yarn.lock only, least-privilege
permissions.
@jstirnaman jstirnaman requested a review from a team as a code owner April 17, 2026 01:52
@jstirnaman jstirnaman requested review from sanderson and removed request for a team April 17, 2026 01:52
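To make the two rules the PR enforces concrete, here is an added example that is not part of the PR and is not lockfile-lint itself: a small Node.js re-implementation of the same checks over a yarn.lock v1 file (every `resolved` URL must use `https:` and must point at `registry.yarnpkg.com`). The function names (`parseResolved`, `lintResolved`, `lintLockfile`, `formatReport`) are hypothetical, and `SAMPLE_LOCK` is a constructed lockfile that contains one clean entry plus three injected ones so the failure modes are visible. It relies only on Node's built-in WHATWG `URL` parser.

```javascript
// Added example: minimal yarn.lock (v1) resolution check.
// This is NOT lockfile-lint and NOT the project's code; it reimplements the two
// rules the PR describes so the detection logic can be read and run offline.

// Hosts from which a resolved tarball may be fetched (assumption for the example).
const ALLOWED_HOSTS = new Set(["registry.yarnpkg.com"]);

// Constructed sample lockfile: one legitimate entry followed by three injected ones
// (plain http, a userinfo trick that hides the real host, and a git:// URL).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0":
  version "7.0.0"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.0.0.tgz#06e2ab19bdb535385559aabb5ba59729482800f8"
  integrity sha512-CONSTRUCTED

lodash@^4.17.21:
  version "4.17.21"
  resolved "http://evil.example.com/lodash/-/lodash-4.17.21.tgz"
  integrity sha512-CONSTRUCTED

minimist@^1.2.0:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com@evil.example.com/minimist/-/minimist-1.2.8.tgz"
  integrity sha512-CONSTRUCTED

leftpad@^1.0.0:
  version "1.0.0"
  resolved "git://github.com/example/leftpad.git#abc123"
`;

// Extract every `resolved "<url>"` line together with the package key it belongs to.
// In yarn.lock v1 an unindented, non-comment line opens a package block; the
// indented lines that follow (version, resolved, integrity, ...) belong to it.
function parseResolved(lockText) {
  const entries = [];
  let currentKey = null;
  for (const rawLine of lockText.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.length > 0 && !line.startsWith(" ") && !line.startsWith("#")) {
      currentKey = line.replace(/:\s*$/, "").replace(/^"|"$/g, "");
      continue;
    }
    const m = /^\s+resolved\s+"([^"]*)"/.exec(line);
    if (m) entries.push({ key: currentKey, resolved: m[1] });
  }
  return entries;
}

// Apply the two rules to parsed entries. Returns findings; an empty array means clean.
// A real URL parser is used on purpose: a prefix check such as
// resolved.startsWith("https://registry.yarnpkg.com") would accept the userinfo
// trick "https://registry.yarnpkg.com@evil.example.com/...", whose host is evil.example.com.
function lintResolved(entries, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const { key, resolved } of entries) {
    let url;
    try {
      url = new URL(resolved);
    } catch {
      // Bare or relative values ("lodash-4.17.21.tgz") are not a URL at all.
      findings.push({ key, resolved, reason: "not a parseable URL" });
      continue;
    }
    if (url.protocol !== "https:") {
      findings.push({ key, resolved, reason: `scheme ${url.protocol} is not https:` });
      continue;
    }
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ key, resolved, reason: `host ${url.hostname} is not an allowed registry` });
    }
  }
  return findings;
}

// Convenience wrapper: lockfile text in, findings out.
function lintLockfile(lockText) {
  return lintResolved(parseResolved(lockText));
}

// Human-readable summary, mirroring the "No issues detected" / non-zero style of a CI check.
function formatReport(findings) {
  if (findings.length === 0) return "No issues detected";
  return findings.map((f) => `${f.key}: ${f.reason} (${f.resolved})`).join("\n");
}

console.log(formatReport(lintLockfile(SAMPLE_LOCK)));
```

Run with `node lockcheck.js`: the `@babel/code-frame` entry passes, while the `http://`, userinfo-disguised and `git://` entries are each reported with the rule they broke. A CI job would read `yarn.lock` from disk instead of `SAMPLE_LOCK` and exit non-zero when the findings array is non-empty, which is what the PR's `lockfile-lint` step does for the repository.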