Merge remote-tracking branch 'origin/main' into pr/5950

Author: NathanWalker

.github/workflows/codeql-advanced.yml

@@ -70,7 +70,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+      uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -98,6 +98,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+      uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -19,4 +19,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.3.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3

.github/workflows/npm_release_cli.yml

@@ -10,6 +10,8 @@ on:
       - 'packages/**'
   workflow_dispatch:
 
+permissions: read-all
+
 env:
   NPM_TAG: 'next'
 
@@ -23,7 +25,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
@@ -62,7 +64,7 @@ jobs:
         run: npm pack
 
       - name: Upload npm package artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: npm-package
           path: nativescript-${{steps.npm_version_output.outputs.NPM_VERSION}}.tgz
@@ -80,7 +82,7 @@ jobs:
       NPM_TAG: ${{needs.build.outputs.npm_tag}}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
@@ -89,7 +91,7 @@ jobs:
           node-version: 22.14.0
           registry-url: "https://registry.npmjs.org"
 
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           name: npm-package
           path: dist
@@ -131,7 +133,7 @@ jobs:
       NPM_VERSION: ${{needs.build.outputs.npm_version}}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 
@@ -146,17 +148,28 @@ jobs:
       - name: Setup
         run: npm i --ignore-scripts --legacy-peer-deps --no-package-lock
 
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           name: npm-package
           path: dist
 
+      - name: Generate provenance statement
+        run: |
+          TGZ_PATH=$(ls dist/nativescript-*.tgz | head -n1)
+          TGZ_NAME=$(basename "$TGZ_PATH")
+          TGZ_SHA=$(sha256sum "$TGZ_PATH" | awk '{ print $1 }')
+          PROV_PATH="dist/${TGZ_NAME%.tgz}.intoto.jsonl"
+
+          cat > "$PROV_PATH" <<EOF
+          {"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"$TGZ_NAME","digest":{"sha256":"$TGZ_SHA"}}],"predicateType":"https://slsa.dev/provenance/v1"}
+          EOF
+
       - name: Partial Changelog
         run: npx conventional-changelog -p angular -r2 > body.md
 
       - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
         with:
-          artifacts: "dist/nativescript-*.tgz"
+          artifacts: "dist/nativescript-*.tgz,dist/nativescript-*.intoto.jsonl"
           bodyFile: "body.md"
           prerelease: ${{needs.build.outputs.npm_tag != 'latest'}}
           allowUpdates: true

.github/workflows/npm_release_doctor.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
 
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
         with:
           egress-policy: audit
 

.github/workflows/scorecard.yml

@@ -46,7 +46,7 @@ jobs:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecards on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
@@ -60,14 +60,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           sarif_file: results.sarif

CHANGELOG.md

@@ -1,3 +1,34 @@
+## [9.0.5](https://github.com/NativeScript/nativescript-cli/compare/v9.0.4...v9.0.5) (2026-03-06)
+
+
+### Security
+
+* CWE-1333, CWE-78 ([#5976](https://github.com/NativeScript/nativescript-cli/issues/5976)) ([3942566](https://github.com/NativeScript/nativescript-cli/commit/3942566f78d2d21fccae2ec6f313f29cec92ea11))
+
+
+
+## [9.0.4](https://github.com/NativeScript/nativescript-cli/compare/v9.0.3...v9.0.4) (2026-02-27)
+
+
+### Bug Fixes
+
+* file watcher with chokidar ([#5973](https://github.com/NativeScript/nativescript-cli/issues/5973)) ([92ec091](https://github.com/NativeScript/nativescript-cli/commit/92ec091d54d4621e0685ea119527f02111f72056))
+* **security:** CVE-2025-13465, CVE-2026-27904, CVE-2026-26996, CVE-2025-59433 ([#5974](https://github.com/NativeScript/nativescript-cli/issues/5974)) ([c4064c9](https://github.com/NativeScript/nativescript-cli/commit/c4064c9d52bbc2b7faff35e2bea8d109b1c170be))
+* visionos overrides for build flags ([#5967](https://github.com/NativeScript/nativescript-cli/issues/5967)) ([895ceb8](https://github.com/NativeScript/nativescript-cli/commit/895ceb8567ee139147643c43760487d46882f717))
+* **widget:** handle configs with other SPMPackages ([#5972](https://github.com/NativeScript/nativescript-cli/issues/5972)) ([03ff1dc](https://github.com/NativeScript/nativescript-cli/commit/03ff1dcaf98b917cbd65c6739871a7be7a224c4b))
+
+
+## [9.0.3](https://github.com/NativeScript/nativescript-cli/compare/v9.0.2...v9.0.3) (2026-02-01)
+
+
+### Bug Fixes
+
+* allow app spm to "override" plugin spm packages ([#5951](https://github.com/NativeScript/nativescript-cli/issues/5951)) ([33d44b5](https://github.com/NativeScript/nativescript-cli/commit/33d44b58af3f267168544b3f80719d4a1c607672))
+* **vite:** incremental build file changes ([#5952](https://github.com/NativeScript/nativescript-cli/issues/5952)) ([9013634](https://github.com/NativeScript/nativescript-cli/commit/90136342348e9009d9f71ddab99c05a3d9e86775))
+* **workspaces:** duplicate added frameworks ([#5949](https://github.com/NativeScript/nativescript-cli/issues/5949)) ([768a97c](https://github.com/NativeScript/nativescript-cli/commit/768a97cafeefc414a56697d1a4550115cb9cfc51))
+
+
+
 ## [9.0.2](https://github.com/NativeScript/nativescript-cli/compare/v9.0.1...v9.0.2) (2026-01-04)
 
 

README.md

@@ -44,6 +44,12 @@ Get it using: `npm install -g nativescript`
 - [Extending the CLI](#extending-the-cli)
 - [Troubleshooting](#troubleshooting)
 - [How to Contribute](#how-to-contribute)
+- [Scorecard Maintenance](#scorecard-maintenance)
+    - [1) Branch-Protection check (`?`) in Scorecard workflow](#1-branch-protection-check--in-scorecard-workflow)
+    - [2) Required branch/ruleset settings for higher Branch-Protection and Code-Review](#2-required-branchruleset-settings-for-higher-branch-protection-and-code-review)
+    - [3) Keep Token-Permissions high](#3-keep-token-permissions-high)
+    - [4) Signed-Releases check](#4-signed-releases-check)
+    - [5) Vulnerabilities check](#5-vulnerabilities-check)
 - [How to Build](#how-to-build)
 - [Get Help](#get-help)
 - [License](#license)
@@ -344,6 +350,49 @@ To learn how to contribute to the code base, click [here](https://github.com/Nat
 
 [Back to Top][1]
 
+Scorecard Maintenance
+===
+
+This repository tracks OpenSSF Scorecard. Use this checklist when score drops or checks become inconclusive.
+
+### 1) Branch-Protection check (`?`) in Scorecard workflow
+
+- Ensure `.github/workflows/scorecard.yml` uses `repo_token: ${{ secrets.SCORECARD_TOKEN }}`.
+- Set `SCORECARD_TOKEN` as a repository Actions secret.
+- If using a fine-grained PAT, set expiration to **366 days or less** (NativeScript org policy).
+- If Branch-Protection still reports token incompatibility, use a PAT type compatible with Scorecard's Branch-Protection query path.
+
+### 2) Required branch/ruleset settings for higher Branch-Protection and Code-Review
+
+Apply to `main` and release branches:
+
+- Prevent force push and prevent branch deletion.
+- Require pull request before merge.
+- Require status checks to pass before merge.
+- Require at least 2 approvals.
+- Require code owner review.
+- Dismiss stale approvals when new commits are pushed.
+- Include administrators.
+
+### 3) Keep Token-Permissions high
+
+- Set top-level workflow permissions to read-only (for example `permissions: read-all`).
+- Grant write permissions only at job level and only when needed (for example publish/release jobs).
+- Keep GitHub Actions pinned to full commit SHAs.
+
+### 4) Signed-Releases check
+
+- Publish release assets with provenance/signature files.
+- Keep release workflow attaching `*.intoto.jsonl` artifacts alongside release bundles.
+
+### 5) Vulnerabilities check
+
+- Keep runtime dependency vulnerabilities near zero.
+- Run `npm audit --omit=dev` before release PRs.
+- Update vulnerable dependencies quickly; for non-applicable findings, document and track mitigation clearly.
+
+[Back to Top][1]
+
 How to Build
 ===
 ```

lib/commands/widget.ts

@@ -8,7 +8,6 @@ import * as plist from "plist";
 import { injector } from "../common/yok";
 import { capitalizeFirstLetter } from "../common/utils";
 import { EOL } from "os";
-import { SupportedConfigValues } from "../tools/config-manipulation/config-transformer";
 
 export class WidgetCommand implements ICommand {
 	public allowedParameters: ICommandParameter[] = [];
@@ -219,10 +218,7 @@ public struct ${capitalizeFirstLetter(name)}Model: ActivityAttributes {
 			}
 
 			configData.ios.SPMPackages = spmPackages;
-			await this.$projectConfigService.setValue(
-				"", // root
-				configData as { [key: string]: SupportedConfigValues },
-			);
+			await this.$projectConfigService.setValue("ios.SPMPackages", spmPackages);
 
 			if (fs.existsSync(gitIgnorePath)) {
 				const gitIgnore = fs.readFileSync(gitIgnorePath, {

lib/common/file-system.ts

@@ -18,7 +18,7 @@ import { EOL } from "os";
 import * as detectNewline from "detect-newline";
 import { IFileSystem, IReadFileOptions, IFsStats } from "./declarations";
 import { IInjector } from "./definitions/yok";
-import { create as createArchiver } from "archiver";
+import * as yazl from "yazl";
 
 // TODO: Add .d.ts for mkdirp module (or use it from @types repo).
 const mkdirp = require("mkdirp");
@@ -37,28 +37,24 @@ export class FileSystem implements IFileSystem {
 	): Promise<void> {
 		//we are resolving it here instead of in the constructor, because config has dependency on file system and config shouldn't require logger
 		const $logger = this.$injector.resolve("logger");
-		const zip = createArchiver("zip", {
-			zlib: {
-				level: 9,
-			},
-		});
+		const zip = new yazl.ZipFile();
 		const outFile = fs.createWriteStream(zipFile);
-		zip.pipe(outFile);
+
+		for (const file of files) {
+			let relativePath = zipPathCallback(file);
+			relativePath = relativePath.replace(/\\/g, "/");
+			$logger.trace("zipping as '%s' file '%s'", relativePath, file);
+			zip.addFile(file, relativePath, { compress: true });
+		}
+		zip.end();
 
 		return new Promise<void>((resolve, reject) => {
 			outFile.on("error", (err: Error) => reject(err));
+			zip.outputStream.on("error", (err: Error) => reject(err));
+			zip.outputStream.pipe(outFile);
 			outFile.on("close", () => {
-				$logger.trace("zip: %d bytes written", zip.pointer());
 				resolve();
 			});
-
-			for (const file of files) {
-				let relativePath = zipPathCallback(file);
-				relativePath = relativePath.replace(/\\/g, "/");
-				$logger.trace("zipping as '%s' file '%s'", relativePath, file);
-				zip.append(fs.createReadStream(file), { name: relativePath });
-			}
-			zip.finalize();
 		});
 	}