security(npm): harden npm and update project deps

.cve-lite/baseline.json

@@ -5,9 +5,7 @@
     {
       "name": "js-yaml",
       "version": "3.14.2",
-      "advisoryIds": [
-        "GHSA-h67p-54hq-rp68"
-      ]
+      "advisoryIds": ["GHSA-h67p-54hq-rp68"]
     }
   ]
 }

.github/ISSUE_TEMPLATE/bug_report.md

@@ -4,7 +4,6 @@ about: Report a bug or incorrect behavior in CVE Lite CLI
 title: "[Bug] "
 labels: bug
 assignees: ""
-
 ---
 
 ## Summary

.github/ISSUE_TEMPLATE/feature_request.md

@@ -4,7 +4,6 @@ about: Suggest an improvement for CVE Lite CLI
 title: "[Feature] "
 labels: enhancement
 assignees: ""
-
 ---
 
 ## Problem
@@ -18,6 +17,7 @@ Describe the feature or improvement.
 ## Why it fits this project
 
 Explain why this aligns with CVE Lite CLI's goals:
+
 - practical developer usability
 - clear remediation guidance
 - JS/TS dependency scanning

.github/pull_request_template.md

@@ -8,9 +8,9 @@ Explain the problem being solved.
 
 ## What changed
 
-- 
-- 
-- 
+-
+-
+-
 
 ## Validation
 

.github/workflows/ci.yml

@@ -5,7 +5,6 @@ on:
     branches: [main]
   pull_request:
 
-
 permissions:
   contents: read
 
@@ -15,17 +14,20 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3        uses: actions/checkout@v6
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0        uses: actions/setup-node@v6
         with:
           node-version: 20
           cache: npm
 
       - name: Install dependencies
         run: npm ci
 
+      - name: Rebuild native dependencies
+        run: npm rebuild better-sqlite3 --ignore-scripts=false
+
       - name: Test
         run: npm test
 

.github/workflows/codeql.yml

@@ -23,15 +23,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3        uses: actions/checkout@v6
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2        uses: github/codeql-action/analyze@v4

.github/workflows/docs-site.yml

@@ -30,10 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3        uses: actions/checkout@v6
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: npm
@@ -49,7 +49,7 @@ jobs:
 
       - name: Upload Pages artifact
         if: github.event_name == 'push'
-        uses: actions/upload-pages-artifact@v5
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0        uses: actions/upload-pages-artifact@v5
         with:
           path: website/build
 
@@ -77,4 +77,4 @@ jobs:
     steps:
       - name: Deploy
         id: deployment
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0        uses: actions/deploy-pages@v5

.github/workflows/release.yml

@@ -15,19 +15,22 @@ jobs:
 
     steps:
       - name: Checkout at release tag
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.release.tag_name }}
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0        uses: actions/setup-node@v6
         with:
           node-version: 20
           cache: npm
 
       - name: Install dependencies
         run: npm ci
 
+      - name: Rebuild native dependencies
+        run: npm rebuild better-sqlite3 --ignore-scripts=false
+
       - name: Test
         run: npm test
 
@@ -38,9 +41,9 @@ jobs:
         run: npm pack
 
       - name: Attest build provenance
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0        uses: actions/attest-build-provenance@v2
         with:
-          subject-path: 'cve-lite-cli-*.tgz'
+          subject-path: "cve-lite-cli-*.tgz"
 
       - name: Upload tarball to release
         env:

.github/workflows/self-scan.yml

@@ -11,17 +11,20 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3        uses: actions/checkout@v6
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0        uses: actions/setup-node@v6
         with:
           node-version: 20
           cache: npm
 
       - name: Install dependencies
         run: npm ci
 
+      - name: Rebuild native dependencies
+        run: npm rebuild better-sqlite3 --ignore-scripts=false
+
       - name: Build
         run: npm run build
 
@@ -35,17 +38,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3        uses: actions/checkout@v6
 
       - name: Run CVE Lite CLI GitHub Action against this repo
-        uses: OWASP/cve-lite-cli@v1
+        uses: OWASP/cve-lite-cli@97546a6e88f381bc77233dda58c5fdef375c312d # v1.24.0        uses: OWASP/cve-lite-cli@v1
         with:
           verbose: "true"
           fail-on: high
           sarif: "true"
 
       - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: ${{ github.workspace }}

.npmrc

@@ -0,0 +1,11 @@
+# npm security best practices
+# Source: https://github.com/lirantal/npm-security-best-practices
+
+# SECURITY: do not run any lifecycle scripts (postinstall) etc
+ignore-scripts=true
+
+# SECURITY: reject git-source dependencies (git+ssh:// etc)
+allow-git=none
+
+# SECURITY: block packages newer than 5 days
+min-release-age=5

.trunk/.gitignore

@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,2 @@
+# Prettier friendly markdownlint config (all formatting rules disabled)
+extends: markdownlint/style/prettier

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,7 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.trunk/configs/svgo.config.mjs

@@ -0,0 +1,14 @@
+export default {
+  plugins: [
+    {
+      name: "preset-default",
+      params: {
+        overrides: {
+          removeViewBox: false, // https://github.com/svg/svgo/issues/1128
+          sortAttrs: true,
+          removeOffCanvasPaths: true,
+        },
+      },
+    },
+  ],
+};

.trunk/trunk.yaml

@@ -0,0 +1,37 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.25.0
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.10.2
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - node@22.16.0
+    - python@3.14.4
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  enabled:
+    - actionlint@1.7.12
+    - checkov@3.3.1
+    - git-diff-check
+    - grype@0.114.0
+    - markdownlint@0.49.0
+    - osv-scanner@2.4.0
+    - oxipng@10.1.1
+    - pinact@4.1.0
+    - prettier@3.8.4
+    - svgo@4.0.1
+    - trufflehog@3.95.6
+    - yamllint@1.38.0
+actions:
+  enabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+    - trunk-upgrade-available