Merge pull request #682 from docker/sec-cli/npm-ci-20260612-184903

fix: replace npm install with npm ci (20260612-184903)
fix: use lockfile-aware install commands
2026-06-13 08:48:19 +01:00 · 2026-06-12 14:10:33 -05:00 · 2026-06-12 18:49:05 +00:00
2 changed files with 3 additions and 3 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -35,12 +35,12 @@ jobs:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
        with:
          category: "/language:javascript-typescript"
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@@ -17,7 +17,7 @@ FROM base AS deps
 RUN --mount=type=bind,target=.,rw \
  --mount=type=cache,target=/src/.yarn/cache \
  --mount=type=cache,target=/src/node_modules \
-  yarn install && mkdir /vendor && cp yarn.lock /vendor
+  yarn install --immutable && mkdir /vendor && cp yarn.lock /vendor

 FROM scratch AS vendor-update
 COPY --from=deps /vendor /
Author	SHA1	Message	Date
temenuzhka-thede	020b7354dd	Merge pull request #682 from docker/sec-cli/npm-ci-20260612-184903 fix: replace npm install with npm ci (20260612-184903)	2026-06-12 14:10:33 -05:00
securityeng-bot[bot]	7f842e879c	fix: use lockfile-aware install commands	2026-06-12 18:49:05 +00:00