From 032eb880d9c8ab33ccf078a12c2faafb6f121d69 Mon Sep 17 00:00:00 2001
From: Daniel Han
Date: Sat, 16 May 2026 13:29:56 +0000
Subject: [PATCH] ci(lockfile_supply_chain_audit): scope defaults to the no-args case

When a caller passes an explicit --npm-lockfile or --cargo-lockfile, they are scoping the scan to the paths they listed; the script was still silently grafting the other ecosystem's defaults on top, which meant `--npm-lockfile X` would also audit DEFAULT_CARGO_LOCKFILES. With the missing-lockfile Finding now emitted, that surfaced as a false positive whenever a caller explicitly scoped only one ecosystem. Default fallback is now reserved for the no-args CI invocation, where every default path is expected to exist.
---
 scripts/lockfile_supply_chain_audit.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/scripts/lockfile_supply_chain_audit.py b/scripts/lockfile_supply_chain_audit.py
index 93047191c..c581b8b31 100644
--- a/scripts/lockfile_supply_chain_audit.py
+++ b/scripts/lockfile_supply_chain_audit.py
@@ -751,8 +751,18 @@ def main(argv: list[str] | None = None) -> int:
 return 0
 root = Path(args.root).resolve()
- npm_paths = [root / p for p in (args.npm_lockfile or DEFAULT_NPM_LOCKFILES)]
- cargo_paths = [root / p for p in (args.cargo_lockfile or DEFAULT_CARGO_LOCKFILES)]
+ # When the user passes an explicit `--npm-lockfile` or
+ # `--cargo-lockfile` they are scoping the scan to exactly those
+ # paths; do NOT silently graft the other ecosystem's defaults on
+ # top. Falling back to defaults is reserved for the no-args CI
+ # invocation, where every default path must exist.
+ _user_explicit = args.npm_lockfile is not None or args.cargo_lockfile is not None
+ if _user_explicit:
+ npm_paths = [root / p for p in (args.npm_lockfile or ())]
+ cargo_paths = [root / p for p in (args.cargo_lockfile or ())]
+ else:
+ npm_paths = [root / p for p in DEFAULT_NPM_LOCKFILES]
+ cargo_paths = [root / p for p in DEFAULT_CARGO_LOCKFILES]
 all_findings: list[Finding] = []
 for p in npm_paths:
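Review bot: The explicit-scope branch can produce an empty scan that exits 0 — if either option is declared with `nargs="*"` or a non-None default, the `is not None` test on the `_user_explicit` line selects the explicit branch with both lists empty, so `all_findings` stays empty and the audit passes without opening a single lockfile; the argparse definitions are not in this hunk, so treat that as to be confirmed. A supply-chain gate should fail closed here: directly after the `if`/`else`, add `if not npm_paths and not cargo_paths:` / `    raise SystemExit("no lockfiles selected for audit")` (or `parser.error(...)` if the parser object is in scope). It is also worth pinning in a test that the no-args invocation still yields DEFAULT_NPM_LOCKFILES plus DEFAULT_CARGO_LOCKFILES, since a `default=[]` on either option would silently route CI into the explicit branch. Minor style: `_user_explicit` is a function local, so the leading underscore is noise. main() starts and ends outside the hunk.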