ci: Add dependency-scan GitHub Actions workflow#54
Merged
kinyoklion merged 1 commit intomainfrom Mar 5, 2026
Merged
Conversation
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Contributor
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
kinyoklion
changed the title
kinyoklion
approved these changes
Mar 5, 2026
kinyoklion
added a commit
that referenced
this pull request
Mar 6, 2026
**Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions No new test coverage needed — these are dev dependency and CI config changes only. Build, tests, and lint all pass locally. **Related issues** Fixes the Build and Test CI failure on `main` introduced by commit ae39134 (`ci: Add dependency-scan GitHub Actions workflow (#54)`). **Describe the solution you've provided** The `Build and Test` workflow on `main` is failing because `npm install` resolves `@types/node@25.x` (pulled in transitively by `jest`/`ts-jest`), which requires TypeScript 5.2+ for `Disposable`/`AsyncDisposable` support. This project uses TypeScript `^4.7.4` (resolves to 4.9.5), so the build fails with dozens of type errors from `@types/node` `.d.ts` files. This PR: 1. **Pins `@types/node` to `^20`** in `devDependencies`, which is the latest major version compatible with TypeScript 4.x. 2. **Updates the CI matrix** from Node 18 to Node 20, since Node 18 reached end-of-life on April 30, 2025. 3. **Updates the minimum Node version to 20** in `package.json` (`engines` field) and `CONTRIBUTING.md` to stay consistent with the CI matrix and reflect the EOL status of Node 18. **Describe alternatives you've considered** - **Upgrade TypeScript to 5.2+**: More forward-looking, but a larger change with potential downstream effects. - **Add `skipLibCheck: true` to `tsconfig.json`**: Quick workaround but masks legitimate type errors in `.d.ts` files. **Additional context** > **For reviewer consideration:** > - The `@types/node` pin uses `^20.19.35` (the latest 20.x at time of install). Since `package-lock.json` is gitignored, CI will always resolve the latest within `^20`. The entire 20.x line is compatible with TS 4.x, so this is safe. > - `@types/node@20` does not need to exactly match the Node runtime version — the CI matrix uses `node: latest` and `node: 20`, both of which are compatible. > - Node 18 was also exhibiting a separate CI-only type mismatch from `@openfeature/server-sdk` (older versions resolved non-deterministically due to absence of a lockfile). Replacing Node 18 with Node 20 in the matrix sidesteps this, but committing a lockfile would provide more deterministic builds long-term. > - A future follow-up to upgrade TypeScript to 5.x would allow unpinning `@types/node`. **⚠️ Note:** Bumping the `engines` field from `>=18` to `>=20` is a **semver-breaking change** for any consumers still on Node 18. If this needs to be a major version bump, the reviewer should flag accordingly. **Reviewer checklist:** - [ ] Confirm `@types/node@^20` is acceptable for TS 4.x compatibility - [ ] Confirm dropping Node 18 support entirely is acceptable (EOL since April 2025) — this affects `engines`, CI matrix, and CONTRIBUTING.md - [ ] Determine whether the minimum Node version bump warrants a semver major release - [ ] Consider whether a `package-lock.json` should be committed for deterministic CI builds (future follow-up) Link to Devin session: https://app.devin.ai/sessions/8c826fd2a9134016ae304ab312012526 Requested by: rlamb@launchdarkly.com <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > CI/config and dev-dependency-only changes; main risk is dropping Node 18 support and any downstream consumers still on 18. > > **Overview** > Updates the project’s supported Node baseline from 18 to 20 by changing the CI test matrix and the documented/declared minimum runtime (via `CONTRIBUTING.md` and `package.json` `engines`). > > Pins the development dependency on `@types/node` to the Node 20 type definitions to avoid incompatible newer typings breaking TypeScript builds. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 277240c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: rlamb@launchdarkly.com <rlamb@launchdarkly.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds dependency-scan GitHub Actions workflow to generate Software Bill of Materials (SBOM) and evaluate license policies for Node.js dependencies as part of security initiative SEC-7263.
Changes
.github/workflows/dependency-scan.ymlgenerate-nodejs-sbom- Generates SBOM for Node.js dependenciesevaluate-policy- Evaluates SBOM against LaunchDarkly license policiesactions/checkout@v4following security best practicesRequirements
Related issues
Part of security initiative SEC-7263 for adding dependency scanning across LaunchDarkly npm ecosystem repositories.
Human Review Checklist
Critical items to verify:
bom-*inevaluate-policyjob matches whatgenerate-sbomproduceslaunchdarkly/gh-actionsrepository (public actions for public repo)08eba0b27e820071cde6df949e0beb9ba4906955is correct foractions/checkout@v4Expected behavior:
Additional context
Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding