Class: Rules::MissingFrozenLockfile

Inherits:

Base

• Object
• Base
• Rules::MissingFrozenLockfile

Defined in:

lib/rules/missing_frozen_lockfile.rb

Constant Summary

INSTALL_WITHOUT_LOCK =

/(?:npm|pnpm|yarn)\s+install(?!\s+(-g|--global|--frozen-lockfile|--ci|--immutable))/

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/missing_frozen_lockfile.rb', line 9

def check(workflow)
  findings = []

  workflow.raw_lines.each_with_index do |line, i|
    next unless line.match?(INSTALL_WITHOUT_LOCK)
    next if line.match?(/--frozen-lockfile|--ci|--immutable|npm ci/)
    next if line.strip.start_with?("#")

    findings << finding(workflow,
      line: i + 1,
      code: line.strip,
      message: "Package install without --frozen-lockfile — dependency resolution may differ from tested versions",
      fix: "Use pnpm install --frozen-lockfile or npm ci"
    )
  end

  findings
end

#description ⇒ Object

# File 'lib/rules/missing_frozen_lockfile.rb', line 4

def description = "Package install without lockfile enforcement"

#name ⇒ Object

# File 'lib/rules/missing_frozen_lockfile.rb', line 3

def name = "missing-frozen-lockfile"

#severity ⇒ Object

# File 'lib/rules/missing_frozen_lockfile.rb', line 5

def severity = :medium