
Pin exact versions for all npm dependencies #11932

Draft

desrosj wants to merge 5 commits into WordPress:trunk from desrosj:pin-specific-versions-of-npm-packages

Conversation

@desrosj desrosj (Member) commented May 22, 2026

This attempts to pin versions of npm and Composer dependencies to ensure every update to a dependency (both direct and transitive) is intentional.

This helps to guard against supply chain attacks where a vulnerable package may be installed unintentionally and unknowingly.

Reintroduce composer.lock file

Removing version ranges in favor of explicitly pinning specific versions is straightforward and does not result in any meaningful change today provided a lock file is present. However, lock file generation for Composer has been disabled in this repository since WP 6.7 (see Core-61530/r59082).

This PR proposes re-enabling lock file generation and committing the composer.lock file to version control, ensuring that composer install does not install untested and unverified versions of dependencies.

Trac ticket:

Notes

  • This PR currently does not update old reusable PHPUnit test workflows. Old branches should be evaluated separately as a lock file may need to be introduced for each branch.

Use of AI Tools


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.
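As an added example, not code from this PR or from the WordPress project, the following Node.js check covers the direct-dependency half of what the description above argues for: it scans a package.json object and reports every specifier that is not an exact version (caret and tilde ranges, comparison ranges, wildcards, dist-tags such as latest). The package.json content is constructed for the example; the exact-version regex follows the npm semver shape (MAJOR.MINOR.PATCH with optional prerelease and build metadata). Transitive dependencies are not visible in package.json at all, which is why the lock file the PR reintroduces is still needed alongside a check like this.

```javascript
// Added example: audit a package.json for dependency specifiers that are not
// exact versions. Sample input below is constructed, not the repository's file.

// Exact version per npm semver: MAJOR.MINOR.PATCH, optional -prerelease, optional +build.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Fields of package.json that declare direct dependencies.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns [{ field, name, spec }] for every specifier that is not an exact
// version. An empty array means every direct dependency is pinned.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      // "npm:<target>@<version>" aliases carry the version after the last '@'.
      // Without an '@' the slice keeps the whole spec, which then fails the regex.
      const version = spec.startsWith("npm:") ? spec.slice(spec.lastIndexOf("@") + 1) : spec;
      if (!EXACT_VERSION.test(version.trim())) {
        findings.push({ field, name, spec });
      }
    }
  }
  return findings;
}

// Parse raw package.json text and audit it.
function auditPackageJson(text) {
  return findUnpinned(JSON.parse(text));
}

// Constructed sample package.json content (package names are placeholders).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-project",
  dependencies: {
    "pinned-lib": "1.2.3",
    "caret-range": "^4.17.21",
    "tilde-range": "~2.0.0",
    "latest-tag": "latest",
  },
  devDependencies: {
    "pinned-dev": "7.0.0-beta.1",
    "wildcard": "*",
    "gte-range": ">=1.0.0 <2.0.0",
  },
});

// Stand-alone run: print each offending specifier, as a CI step would.
const sampleFindings = auditPackageJson(SAMPLE_PACKAGE_JSON);
for (const f of sampleFindings) {
  console.log(`${f.field}: ${f.name} -> "${f.spec}" is not an exact version`);
}
console.log(`${sampleFindings.length} unpinned specifier(s) found`);
```

In a CI job the check would exit non-zero when the returned array is non-empty, so that a pull request reintroducing a range (or a dist-tag that can silently resolve to a new release) fails review automatically rather than relying on a reader noticing the specifier.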

@desrosj desrosj self-assigned this May 22, 2026
@github-actions commented

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance, it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@desrosj desrosj force-pushed the pin-specific-versions-of-npm-packages branch from 7b62c73 to 5b4e1b6 on May 22, 2026 19:39