
Add Dependabot lockfile fixer workflow #59

Merged: oleg-koval merged 1 commit into main from feat/dependabot-lockfile-fixer on Apr 4, 2026

Conversation

oleg-koval (Owner) commented Apr 4, 2026

Summary

Add a dedicated workflow to auto-repair stale package-lock.json files on same-repo Dependabot PRs.

Problem

This repository releases from CI and commits package-lock.json, so Dependabot PRs can drift behind main and fail with lockfile-only conflicts.

Solution

Run oleg-koval/dependabot-lockfile-fixer on Dependabot pull requests with a narrow pull_request_target workflow and same-repo guard.

Changes

  • add .github/workflows/dependabot-lockfile-fixer.yml
  • guard execution to dependabot[bot] and same-repo PR branches
  • use Node 24 and package_manager: npm
  • update the README maintenance note to mention automatic lockfile refresh
  • remove stale README wording about the completed master to main migration

Out of scope

  • fixing dependency incompatibilities
  • changing normal CI or release behavior
  • handling non-lockfile merge conflicts

Related issues

None

Validation

  • npm run docs:index:check

Screenshots / Demo

N/A

Risk and impact

Low. The workflow only runs for same-repo Dependabot PRs and only writes back to that PR branch.

Breaking changes

None

Documentation

Updated readme.md maintenance notes.

Reviewer notes

This is intentionally isolated from the regular CI and release workflows so the fix path stays limited to Dependabot lockfile drift.

coderabbitai Bot (Contributor) commented Apr 4, 2026

Warning

Rate limit exceeded

@oleg-koval has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 18 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 18 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 55b24ee2-ca96-42e1-818a-63aeac4d7006

📥 Commits

Reviewing files that changed from the base of the PR and between a2613af and aec2a24.

📒 Files selected for processing (2)
  • .github/workflows/dependabot-lockfile-fixer.yml
  • readme.md

qodo-code-review Bot

Review Summary by Qodo

Add Dependabot lockfile fixer workflow for npm

✨ Enhancement


Walkthroughs

Description
• Add dedicated GitHub Actions workflow for auto-repairing Dependabot lockfiles
• Workflow runs on Dependabot PRs with same-repo guard and narrow scope
• Uses Node 24 and oleg-koval/dependabot-lockfile-fixer action
• Update README maintenance notes about automatic lockfile refresh
Diagram
flowchart LR
  A["Dependabot PR opened/updated"] -->|triggers| B["dependabot-lockfile-fixer workflow"]
  B -->|checks| C["Same-repo & dependabot[bot] actor"]
  C -->|if valid| D["Checkout PR branch"]
  D --> E["Setup Node.js 24"]
  E --> F["Run lockfile fixer"]
  F -->|commits| G["Auto-repair package-lock.json"]


File Changes

1. .github/workflows/dependabot-lockfile-fixer.yml ⚙️ Configuration changes +45/-0

New Dependabot lockfile fixer workflow

• New workflow triggered on Dependabot PR events (opened, reopened, synchronize, ready_for_review)
• Includes guards to run only for dependabot[bot] actor and same-repo PRs
• Checks out PR branch, sets up Node.js 24, and runs oleg-koval/dependabot-lockfile-fixer action
• Configured with write permissions for contents and pull-requests

2. readme.md 📝 Documentation +2/-3

Update maintenance notes for lockfile automation

• Removed outdated wording about supporting both master and main branches
• Simplified maintenance notes to clarify stable releases from main and prereleases from beta
• Added note about automatic package-lock.json refresh via dedicated lockfile-fixer workflow


qodo-code-review Bot commented Apr 4, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)

Action required

1. Write token executes PR code 🐞 Bug ⛨ Security
Description
The new workflow runs on pull_request_target with contents: write, checks out the PR branch, and
then runs an npm-based lockfile fixer, meaning PR-controlled code paths (npm lifecycle scripts) can
execute with a write-scoped GITHUB_TOKEN. This can be abused to perform unintended repository
writes using that token.
Code

.github/workflows/dependabot-lockfile-fixer.yml[R3-45]

+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: dependabot-lockfile-fixer-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  fix-lockfiles:
+    if: >
+      github.actor == 'dependabot[bot]' &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - name: Fix lockfiles
+        uses: oleg-koval/dependabot-lockfile-fixer@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          package_manager: npm
+          working_directory: .
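Review bot: the checkout uses `ref: ${{ github.event.pull_request.head.ref }}`, so the job operates on whatever the branch points at when the runner starts rather than on the commit the `opened`/`synchronize` event was raised for. When `pull_request_target` checks out PR code under `contents: write`, the conventional pinning is `github.event.pull_request.head.sha` (pushing back afterwards with an explicit `HEAD:refs/heads/<branch>` target); the same-repo guard limits who can move that branch, so this is hardening rather than a hole. Separately, none of the visible steps needs `pull-requests: write`; the checkout and push path works with `contents: write` alone, so that scope can go unless the action also comments on the PR.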
Evidence
The workflow is triggered via pull_request_target and grants write permissions, then explicitly
checks out the PR head ref and runs a lockfile fixer configured for npm. The repository’s
package.json defines an npm lifecycle script (prepare) that can run during installs,
demonstrating that running npm as part of lockfile regeneration can execute repository-defined
scripts in the checked-out PR workspace.

.github/workflows/dependabot-lockfile-fixer.yml[3-45]
package.json[59-68]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`pull_request_target` workflows run with elevated permissions. This workflow checks out PR code and then runs an npm-based lockfile regeneration step while holding a write-scoped `GITHUB_TOKEN`, enabling PR-controlled execution paths (npm lifecycle scripts) to run with repository write access.

### Issue Context
You want to safely refresh lockfiles for same-repo Dependabot PRs without allowing PR-controlled code execution to access a write token.

### Fix Focus Areas
- .github/workflows/dependabot-lockfile-fixer.yml[3-45]
- package.json[59-68]

### Suggested remediation options
1) **Prefer `pull_request` over `pull_request_target`** if it still provides sufficient permissions for same-repo Dependabot branches in your repo.

2) If you must keep `pull_request_target`, **avoid running install scripts** during lockfile regeneration by replacing the third-party action with explicit commands that disable scripts, e.g.:
  - `npm ci --ignore-scripts` (or equivalent)
  - `npm install --package-lock-only --ignore-scripts`
  Then commit/push only `package-lock.json`.

3) **Use a tightly-scoped token** (GitHub App token / fine-grained PAT limited to pushing to the Dependabot PR branch) instead of a broadly-privileged default token.

4) **Minimize permissions** to only what is required to push the lockfile commit (typically `contents: write` only).



2. Action not pinned 🐞 Bug ⛨ Security
Description
The workflow uses oleg-koval/dependabot-lockfile-fixer@v1, which is a mutable tag, while running
with repository write permissions. If that tag is retargeted upstream, arbitrary code would execute
in this repo with contents: write.
Code

.github/workflows/dependabot-lockfile-fixer.yml[R40-43]

+      - name: Fix lockfiles
+        uses: oleg-koval/dependabot-lockfile-fixer@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
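Review bot: a push made with `github_token: ${{ secrets.GITHUB_TOKEN }}` does not start any other workflow run, since events caused by the default token never create new runs (only `workflow_dispatch` and `repository_dispatch` are exempt). The regular CI checks on the Dependabot PR therefore keep reporting against the pre-fix commit until something else pushes. If the goal is a green, mergeable PR, the push has to use a GitHub App or PAT token, which is also the tightly-scoped-token route suggested in finding 1.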
Evidence
The workflow grants write permissions and invokes a third-party action via a major-version tag
(@v1) rather than an immutable commit SHA, creating a supply-chain risk under write-scoped
credentials.

.github/workflows/dependabot-lockfile-fixer.yml[11-13]
.github/workflows/dependabot-lockfile-fixer.yml[40-45]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Using `uses: <owner>/<repo>@v1` is mutable and can change over time. With write permissions, this becomes a supply-chain risk.

### Issue Context
This workflow has `contents: write` and passes `GITHUB_TOKEN` into the action.

### Fix Focus Areas
- .github/workflows/dependabot-lockfile-fixer.yml[11-13]
- .github/workflows/dependabot-lockfile-fixer.yml[40-45]

### How to fix
- Replace `oleg-koval/dependabot-lockfile-fixer@v1` with a **pinned commit SHA** (optionally keep the tag in a comment for readability), e.g.:
 - `uses: oleg-koval/dependabot-lockfile-fixer@<full_sha>`
- (Optional) Add a periodic dependency update process for action SHAs so upgrades are intentional and reviewed.




Remediation recommended

3. README release branches wrong 🐞 Bug ⚙ Maintainability
Description
README now says stable releases publish from main only, but the repo’s release configuration and
documentation still define both master and main as stable release branches. This inconsistency
will mislead maintainers about actual release behavior during the branch migration window.
Code

readme.md[R118-120]

- Consumer-facing examples now use `main`.
-- Repository automation currently supports both `master` and `main` so maintenance is not blocked before the branch rename.
-- Repository automation also supports `beta` for prerelease validation and publishing.
-- Renaming this repository's default branch to `main` is still recommended to align hosted defaults, badges, and examples.
+- Repository automation publishes stable releases from `main` and prereleases from `beta`.
+- Dependabot PRs can auto-refresh `package-lock.json` through the dedicated lockfile-fixer workflow.
Evidence
README claims stable releases from main, but release.repo.config.js, tests, and docs explicitly
include both master and main as stable branches, and the publish workflow still triggers on
pushes to master as well.

readme.md[116-121]
release.repo.config.js[1-10]
docs/release-channels.md[1-8]
test/release-config.test.js[47-53]
.github/workflows/release.yml[3-9]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
README states stable releases come from `main`, but repo configuration still treats both `master` and `main` as stable release branches.

### Issue Context
This repo appears to be in a migration window where both branches are supported.

### Fix Focus Areas
- readme.md[116-121]
- release.repo.config.js[1-10]
- docs/release-channels.md[1-8]
- test/release-config.test.js[47-53]
- .github/workflows/release.yml[3-9]

### How to fix
Choose one:
1) **If you still support `master`**: update README maintenance note to say stable releases publish from **both `master` and `main`** (and keep `beta` for prereleases).

2) **If `master` support is removed**: update the actual automation/config to match the README by removing `master` from:
  - `.github/workflows/release.yml` branch triggers
  - `release.repo.config.js` branches
  - docs/tests that assert `master` is stable.



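The two security findings above (a write-scoped token reachable from PR-controlled code, and an action referenced by a mutable tag) can be checked mechanically before a workflow is merged. The script below is an added example written for this page, not code from this repository or from the Qodo review. It scans workflow text line by line with regular expressions instead of a YAML library so it runs on the standard library alone; the first sample is condensed from the merged workflow shown in the review, the second is a hardened variant applying the review's options 1, 2 and 4, and the 40-hex strings in it are placeholders, not real commits of those actions.

```python
import re

# Finding 1 needs all three conditions at once: the privileged trigger, the PR head
# checked out into the workspace (so PR-controlled files such as package.json
# lifecycle scripts are present), and a write scope on GITHUB_TOKEN.
PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(ref|sha)")
WRITE_SCOPE = re.compile(r"^\s*([a-z-]+)\s*:\s*write\b", re.M)  # e.g. "contents: write"
# Finding 2: every remote action must be pinned to a full 40-hex commit SHA.
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for the contents of one workflow file."""
    findings: list[str] = []
    write_scopes = sorted(set(WRITE_SCOPE.findall(text)))
    if PRT_TRIGGER.search(text) and PR_HEAD_CHECKOUT.search(text) and write_scopes:
        findings.append(
            "pull_request_target checks out the PR head with write scopes: "
            + ", ".join(write_scopes)
        )
    for ref in USES_REF.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions carry no git ref to pin
        _, sep, version = ref.rpartition("@")
        if not sep or not FULL_SHA.match(version):
            findings.append(f"action not pinned to a commit SHA: {ref}")
    return findings


# Condensed from the workflow merged in this PR (types list and step names shortened).
MERGED_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, reopened, synchronize, ready_for_review]
permissions:
  contents: write
  pull-requests: write
jobs:
  fix-lockfiles:
    if: >
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-node@v4
        with:
          node-version: 24
      - uses: oleg-koval/dependabot-lockfile-fixer@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          package_manager: npm
"""

# Hardened variant: pull_request trigger, contents: write only, lifecycle scripts
# disabled during regeneration, actions pinned. The SHAs are PLACEHOLDERS; substitute
# the real commit for each action. Pushing the commit back still needs a token that
# may write to the Dependabot branch (the review's option 3), which is out of scope here.
HARDENED_WORKFLOW = """\
on:
  pull_request:
    types: [opened, reopened, synchronize, ready_for_review]
permissions:
  contents: write
jobs:
  fix-lockfiles:
    if: >
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
        with:
          ref: ${{ github.head_ref }}
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
        with:
          node-version: 24
      - run: npm install --package-lock-only --ignore-scripts
      - run: |
          git add package-lock.json
          git diff --cached --quiet || git commit -m "chore(deps): refresh package-lock.json"
"""

if __name__ == "__main__":
    for label, text in (("merged", MERGED_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(text) or "no findings")
```

The scan is deliberately conservative: it reports the token finding only when all three conditions line up, so a `pull_request_target` workflow that never checks out PR code, or one that runs with read-only permissions, passes; the pinning check fires for any tag or branch reference, including `@v4` on first-party `actions/*`.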
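Remediation option 2 in finding 1 (regenerate the lockfile without lifecycle scripts, then commit only `package-lock.json`) as a stand-alone script. This is an added example, not code from oleg-koval/dependabot-lockfile-fixer, whose internals the page does not show. It assumes `npm` and `git` on PATH and a checked-out Dependabot branch as the working directory; the `git status --porcelain` samples mentioned in the comments are constructed.

```python
import subprocess
from pathlib import Path

# Files the refresh step may modify. Anything else in the working tree after
# `npm install` means a script or tool touched files it should not have, and the
# commit must not happen.
ALLOWED_LOCKFILES = frozenset({"package-lock.json", "npm-shrinkwrap.json"})


def parse_porcelain(status_output: str) -> set[str]:
    """Paths listed by `git status --porcelain` (v1: 'XY path' or 'XY old -> new').
    Constructed sample: ' M package-lock.json\\n?? evil.sh\\n' yields both paths."""
    paths: set[str] = set()
    for line in status_output.splitlines():
        if len(line) <= 3:
            continue
        entry = line[3:]
        if " -> " in entry:  # rename: keep both sides so neither escapes the allowlist
            old, new = entry.split(" -> ", 1)
            paths.update((old, new))
        else:
            paths.add(entry)
    return paths


def only_lockfiles_changed(paths: set[str]) -> bool:
    """True when at least one path changed and every changed path is an npm lockfile
    (any directory, so per-package lockfiles in a monorepo are accepted too)."""
    return bool(paths) and all(Path(p).name in ALLOWED_LOCKFILES for p in paths)


def regenerate_lockfile(cwd: str = ".") -> None:
    # --package-lock-only: resolve the tree and rewrite package-lock.json, no node_modules
    # --ignore-scripts: preinstall/prepare/postinstall from package.json never run
    subprocess.run(
        ["npm", "install", "--package-lock-only", "--ignore-scripts", "--no-audit", "--no-fund"],
        cwd=cwd,
        check=True,
    )


def commit_lockfile(cwd: str = ".") -> set[str]:
    """Regenerate, verify that only lockfiles moved, then stage and commit exactly those paths."""
    regenerate_lockfile(cwd)
    status = subprocess.run(
        ["git", "status", "--porcelain"], cwd=cwd, check=True, capture_output=True, text=True
    ).stdout
    changed = parse_porcelain(status)
    if not changed:
        return changed  # lockfile already current, nothing to commit
    if not only_lockfiles_changed(changed):
        raise RuntimeError(f"refusing to commit, non-lockfile paths changed: {sorted(changed)}")
    subprocess.run(["git", "add", "--", *sorted(changed)], cwd=cwd, check=True)
    subprocess.run(
        ["git", "commit", "-m", "chore(deps): refresh package-lock.json"], cwd=cwd, check=True
    )
    return changed


if __name__ == "__main__":
    print("committed:", sorted(commit_lockfile(".")) or "nothing")
```

Pushing the resulting commit is left to the caller on purpose: with the default `GITHUB_TOKEN` the push will not retrigger CI on the PR, and with a PAT or App token it will, so the choice belongs with whoever owns the credential.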

@oleg-koval oleg-koval merged commit 287745b into main Apr 4, 2026
6 checks passed
@oleg-koval oleg-koval deleted the feat/dependabot-lockfile-fixer branch April 4, 2026 15:24
github-actions Bot pushed a commit that referenced this pull request Apr 4, 2026
## [1.7.1](v1.7.0...v1.7.1) (2026-04-04)

### ⚙️ Continuous Integrations

* **dependabot:** add lockfile fixer workflow ([#59](#59)) ([287745b](287745b))

github-actions Bot commented Apr 4, 2026

🎉 This PR is included in version 1.7.1 🎉

The release is available on:

Your semantic-release bot 📦🚀


oleg-koval added a commit that referenced this pull request Apr 4, 2026
* ci(dependabot): add lockfile fixer workflow (#59)

* release(version): Release 1.7.1 [skip ci]

## [1.7.1](v1.7.0...v1.7.1) (2026-04-04)

### ⚙️ Continuous Integrations

* **dependabot:** add lockfile fixer workflow ([#59](#59)) ([287745b](287745b))

* docs(readme): refresh badges and branch guidance (#58)

* release(version): Release 1.7.2 [skip ci]

## [1.7.2](v1.7.1...v1.7.2) (2026-04-04)

### 📚 Documentation

* **readme:** refresh badges and branch guidance ([#58](#58)) ([5b82595](5b82595))

* fix(ci): run lockfile fixer for reopened dependabot prs

* fix(ci): run lockfile fixer for reopened dependabot prs

* ci(dependabot): auto-merge safe npm updates

* docs(release): clarify branch migration and defaults

* release(version): Release 1.7.3 [skip ci]

## [1.7.3](v1.7.2...v1.7.3) (2026-04-04)

### 🐛 Bug Fixes

* **ci:** run lockfile fixer for reopened dependabot prs ([cea37bf](cea37bf))

---------

Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>
oleg-koval added a commit that referenced this pull request Apr 4, 2026
…dates (#61)

* ci(dependabot): add lockfile fixer workflow (#59)

* release(version): Release 1.7.1 [skip ci]

## [1.7.1](v1.7.0...v1.7.1) (2026-04-04)

### ⚙️ Continuous Integrations

* **dependabot:** add lockfile fixer workflow ([#59](#59)) ([287745b](287745b))

* docs(readme): refresh badges and branch guidance (#58)

* release(version): Release 1.7.2 [skip ci]

## [1.7.2](v1.7.1...v1.7.2) (2026-04-04)

### 📚 Documentation

* **readme:** refresh badges and branch guidance ([#58](#58)) ([5b82595](5b82595))

* fix(ci): run lockfile fixer for reopened dependabot prs

* fix(ci): run lockfile fixer for reopened dependabot prs

* ci(dependabot): auto-merge safe npm updates

* docs(release): clarify branch migration and defaults

* release(version): Release 1.7.3 [skip ci]

## [1.7.3](v1.7.2...v1.7.3) (2026-04-04)

### 🐛 Bug Fixes

* **ci:** run lockfile fixer for reopened dependabot prs ([cea37bf](cea37bf))

* chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates

Bumps the npm_and_yarn group with 3 updates in the / directory: [braces](https://github.com/micromatch/braces), [lodash](https://github.com/lodash/lodash) and [picomatch](https://github.com/micromatch/picomatch).


Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `picomatch` from 2.3.0 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.0...2.3.2)

---
updated-dependencies:
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: oleg koval <5700359+oleg-koval@users.noreply.github.com>
Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions Bot pushed a commit that referenced this pull request Apr 4, 2026
## [1.7.4-beta.1](v1.7.3...v1.7.4-beta.1) (2026-04-04)

### ♻️ Chores

* **deps:** bump the npm_and_yarn group across 1 directory with 3 updates ([#61](#61)) ([82f69fc](82f69fc)), closes [#59](#59) [#58](#58)