Supply chain hardening for npm and actions

.github/dependabot.yaml

@@ -20,6 +20,12 @@ updates:
       ## Ignore all updates for 'zod' as our 'zod' version must match the
       ## version of 'zod' used by the '@modelcontextprotocol/sdk' dependency.
       - dependency-name: 'zod'
+      ## Ignore all updates for '@types/vscode' as its version tracks VS Code
+      ## minor releases and any bump would expose APIs newer than the floor
+      ## declared by 'engines.vscode' in 'extensions/vscode/package.json'.
+      ## Bump this manually together with 'engines.vscode' when raising the
+      ## minimum supported VS Code version.
+      - dependency-name: '@types/vscode'
     versioning-strategy: 'increase'
     groups:
       all-npm-dependencies:

.github/skills/add-mcp-support-for-new-language/SKILL.md

@@ -273,7 +273,6 @@ on:
     branches: ['main']
     paths:
       # Same as above
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -284,12 +283,12 @@ jobs:
     runs-on: {os}-latest  # e.g., macos-latest, windows-latest
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
-      - run: npm ci --workspaces
+      - run: npm ci --workspaces --ignore-scripts
       - uses: ./.github/actions/setup-codeql-environment
         with:
           install-language-runtimes: false

.github/skills/add-mcp-support-for-new-language/workflow-template.yml

@@ -28,7 +28,6 @@ on:
       - 'server/scripts/extract-test-databases.sh'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 # Prevent duplicate runs from push + PR on the same branch
 concurrency:

.github/workflows/build-and-test-extension.yml

@@ -19,7 +19,6 @@ on:
       - 'server/dist/**'
       - 'server/ql/*/tools/src/**'
       - 'server/src/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -40,7 +39,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: Build server (dependency)
         run: npm run build -w server

.github/workflows/build-server.yml

@@ -13,7 +13,6 @@ on:
       - '.github/workflows/build-server.yml'
       - '.node-version'
       - 'server/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -38,7 +37,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Build Server - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
         working-directory: .
 
       - name: Build Server - Clean previous build

.github/workflows/client-integration-tests.yml

@@ -19,7 +19,6 @@ on:
       - '.node-version'
       - 'client/**'
       - 'server/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -61,7 +60,7 @@ jobs:
         run: choco install jq -y
 
       - name: MCP Integration Tests - Install node dependencies for client and server workspaces
-        run: npm ci --workspace=client && npm ci --workspace=server
+        run: npm ci --workspace=client --ignore-scripts && npm ci --workspace=server --ignore-scripts
 
       - name: MCP Integration Tests - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment
@@ -168,7 +167,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: CODEQL_PATH Tests - Install server dependencies
-        run: npm ci --workspace=server
+        run: npm ci --workspace=server --ignore-scripts
 
       - name: CODEQL_PATH Tests - Build server bundle
         run: npm run bundle -w server

.github/workflows/copilot-setup-steps.yml

@@ -1,31 +1,26 @@
 name: 'Copilot Setup Steps'
 
 on:
-  # Allow manual testing through the repository's "Actions" tab
-  workflow_dispatch: {}
-  # Automatically run the setup steps when an associated workflow is changed.
   push:
     paths:
       - '.codeql-version'
+      - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/copilot-setup-steps.yml'
       - '.node-version'
-      - '.github/actions/setup-codeql-environment/action.yml'
       - '**/codeql-pack.yml'
       - '**/codeql-pack.lock.yml'
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/qlpack.yml'
   pull_request:
     paths:
       - '.codeql-version'
+      - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/copilot-setup-steps.yml'
       - '.node-version'
-      - '.github/actions/setup-codeql-environment/action.yml'
       - '**/codeql-pack.yml'
       - '**/codeql-pack.lock.yml'
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/qlpack.yml'
 
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
@@ -51,7 +46,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Copilot Setup - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: Copilot Setup - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

.github/workflows/lint-and-format.yml

@@ -5,7 +5,6 @@ on:
     branches: ['main', 'next']
   push:
     branches: ['main', 'next']
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -26,7 +25,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Lint and Format - Install node dependencies for all workspaces
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Lint and Format - Run eslint
         run: npm run lint

.github/workflows/query-unit-tests-swift.yml

@@ -21,7 +21,6 @@ on:
       - 'server/ql/swift/**'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -42,7 +41,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Query Unit Tests - swift - Install node dependencies for all workspaces
-        run: npm ci --workspaces
+        run: npm ci --workspaces --ignore-scripts
 
       - name: Query Unit Tests - swift - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

.github/workflows/query-unit-tests.yml

@@ -29,7 +29,6 @@ on:
       - 'server/ql/**'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -58,7 +57,7 @@ jobs:
         run: sudo apt-get install -y jq
 
       - name: Query Unit Tests - ${{ matrix.language }} - Install node dependencies for all workspaces
-        run: npm ci --workspaces
+        run: npm ci --workspaces --ignore-scripts
 
       - name: Query Unit Tests - ${{ matrix.language }} - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

.github/workflows/release-npm.yml

@@ -66,7 +66,7 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
 
       - name: npm - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: npm - Build server
         run: npm run build -w server

.github/workflows/release-tag.yml

@@ -112,7 +112,7 @@ jobs:
 
       - name: Tag - Install dependencies
         if: steps.check-tag.outputs.tag_exists != 'true'
-        run: npm install --include=optional
+        run: npm install --include=optional --ignore-scripts
 
       - name: Tag - Install CodeQL pack dependencies
         if: steps.check-tag.outputs.tag_exists != 'true'

.github/workflows/release-vsix.yml

@@ -66,7 +66,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: VSIX - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: VSIX - Validate version consistency
         run: |

.github/workflows/release.yml

@@ -225,7 +225,7 @@ jobs:
 
       - name: Release - Install production dependencies
         working-directory: dist-package/server
-        run: npm install --omit=dev --include=optional
+        run: npm install --omit=dev --include=optional --ignore-scripts
 
       - name: Release - Create archive
         run: |

.github/workflows/update-codeql.yml

@@ -145,7 +145,7 @@ jobs:
           ./server/scripts/update-release-version.sh "${LATEST}"
 
       - name: Update - Install dependencies
-        run: npm install --include=optional
+        run: npm install --include=optional --ignore-scripts
 
       - name: Update - Upgrade CodeQL pack dependencies
         run: server/scripts/upgrade-packs.sh

.npmrc

@@ -1 +1,2 @@
 engine-strict=true
+ignore-scripts=true

extensions/vscode/package.json

@@ -163,20 +163,21 @@
   },
   "scripts": {
     "build": "npm run clean && npm run lint && npm run bundle",
-    "bundle": "node esbuild.config.js",
+    "bundle": "npm run rebuild:esbuild && node esbuild.config.js",
     "bundle:server": "node scripts/bundle-server.js",
     "clean": "rm -rf dist server .vscode-test/* *.vsix",
     "download:vscode": "node scripts/download-vscode.js",
     "lint": "eslint src/ test/",
     "lint:fix": "eslint src/ test/ --fix",
     "package": "vsce package --no-dependencies --out codeql-development-mcp-server-v$(node -e 'process.stdout.write(require(`./package.json`).version)').vsix",
+    "rebuild:esbuild": "npm rebuild esbuild --ignore-scripts=false",
     "test": "npm run test:coverage && npm run test:integration",
     "test:coverage": "vitest --run --coverage",
     "test:integration": "npm run download:vscode && vscode-test",
     "test:integration:label": "vscode-test --label",
     "test:watch": "vitest --watch",
     "vscode:prepublish": "npm run clean && npm run lint && npm run bundle && npm run bundle:server",
-    "watch": "node esbuild.config.js --watch"
+    "watch": "npm run rebuild:esbuild && node esbuild.config.js --watch"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",

package.json

@@ -54,7 +54,7 @@
     "tidy": "npm run lint:fix && npm run format && npm run lint:md",
     "tidy:check": "npm run lint && npm run format:check",
     "upgrade": "npm run upgrade:node",
-    "upgrade:node": "npx -y npm-check-updates --color --install always --peer --reject zod --root --upgrade --workspaces"
+    "upgrade:node": "npx -y npm-check-updates --color --install always --peer --reject zod,@types/vscode --root --upgrade --workspaces"
   },
   "workspaces": [
     "client",

server/package.json

@@ -85,7 +85,8 @@
   "scripts": {
     "build": "npm run clean && npm run lint && npm run bundle",
     "build:all": "npm run build && npm run test:ql:fail-fast",
-    "bundle": "node esbuild.config.js",
+    "bundle": "npm run rebuild:esbuild && node esbuild.config.js",
+    "rebuild:esbuild": "npm rebuild esbuild --ignore-scripts=false",
     "clean": "rm -rf dist .tmp",
     "dev:stdio": "npm run build && TRANSPORT_MODE=stdio node dist/codeql-development-mcp-server.js",
     "dev:http": "npm run build && TRANSPORT_MODE=http node dist/codeql-development-mcp-server.js",