fix: replace npm dependency with bash regex in PR title linting#1375
Merged
tejassp-db merged 1 commit intomainfrom Mar 30, 2026
Merged
fix: replace npm dependency with bash regex in PR title linting#1375tejassp-db merged 1 commit intomainfrom
tejassp-db merged 1 commit intomainfrom
Conversation
Remove conventional-commits-parser npm dependency and replace with a bash regex that validates the same conventional commits format. This eliminates Node.js, npm, and all transitive npm dependencies from the CI pipeline, removing the supply chain risk of uncontrolled transitive dependency resolution at install time. Removes: actions/checkout, actions/setup-node, npm install Keeps: sticky PR comment on failure/success (unchanged) The bash regex is slightly stricter than the original parser: requires at least one letter for type and at least one character for description. Co-authored-by: Isaac
jprakash-db
approved these changes
Mar 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replace the
conventional-commits-parsernpm package inci-pr-linting.ymlwith a pure bash regex, eliminating the entire Node.js/npm supply chain from the CI pipeline.Why
The workflow installed
conventional-commits-parser@6.3.0vianpm install --globalat CI time. While the direct package was version-pinned, its transitive npm dependencies use semver ranges and are resolved fresh on every CI run. This means a compromised transitive dependency (e.g., via a supply chain worm like CanisterWorm) could be silently pulled into CI without any lock file to prevent it.The parser was used only to check whether a
typefield exists in the PR title — no other parsed fields (scope, subject, body, footer) were used. This makes the entire Node.js toolchain (actions/checkout, actions/setup-node, npm install, conventional-commits-parser, jq) replaceable with a single bash regex.What changed
File:
.github/workflows/ci-pr-linting.ymlRemoved (3 steps + 1 action):
actions/checkout— not needed since no repo code is referencedactions/setup-node— no longer need Node.jsnpm install --global conventional-commits-parser@6.3.0— the dependency being eliminatedModified (1 step):
[[ =~ ]]regex matchKept unchanged (2 steps):
Regex equivalence
Original parser regex:
^(\w*)!?(?:\(([\w\$\.\-\* ]*)\))?\: (.*)$Replacement bash regex:
^[a-zA-Z]+!?(\([^)]*\))?\: .+(\w*)zero or more[a-zA-Z]+one or more letters!!?!?(?:\(([\w\$\.\-\* ]*)\))?(\([^)]*\))?\:\:(.*)$zero or more.+one or more:Net effect: the replacement is slightly stricter in two beneficial ways.
Supply chain impact
Validation
if: failure()/if: success()on job status)Test plan
JIRA: PECOBLR-2368
This pull request was AI-assisted by Isaac.