Deferred (pre-existing) finding from the PR #161 code review — not introduced by #161. Two supply-chain / drift-hardening items surfaced by the dependencies reviewer. (The related WASM-toolchain-pin item is already tracked in #128 — see below.)
(a) SHA-pin GitHub Actions
CI workflows reference actions by floating major tags (@v6, @v5, @v2, @stable) rather than pinned commit SHAs — standard supply-chain exposure. Pin third-party actions to commit SHAs.
(b) Assert lockfile version in the version gate
scripts/verify-versions.mjs does not assert the package-lock.json version. This is why a 0.2.0 lockfile drift reached main unnoticed (repaired in #161). Add a lockfile-version assertion to the gate so a stale lockfile fails fast.
Related (tracked elsewhere — not duplicated here)
Deferred (pre-existing) finding from the PR #161 code review — not introduced by #161. Two supply-chain / drift-hardening items surfaced by the dependencies reviewer. (The related WASM-toolchain-pin item is already tracked in #128 — see below.)
(a) SHA-pin GitHub Actions
CI workflows reference actions by floating major tags (
@v6,@v5,@v2,@stable) rather than pinned commit SHAs — standard supply-chain exposure. Pin third-party actions to commit SHAs.(b) Assert lockfile version in the version gate
scripts/verify-versions.mjsdoes not assert thepackage-lock.jsonversion. This is why a0.2.0lockfile drift reachedmainunnoticed (repaired in #161). Add a lockfile-version assertion to the gate so a stale lockfile fails fast.Related (tracked elsewhere — not duplicated here)
dtolnay/rust-toolchain@stablebeing unpinned is the root cause of the recurring WASM soft-bloat guard raises (600K→650K→700K). Tracked in ci(wasm): pin wasm build toolchain for deterministic size; re-tighten size budget #128 (pin wasm toolchain + re-tighten size budget).