Skip to content

chore: check in devcontainer-lock.json#835

Merged
qw-in merged 1 commit into
mainfrom
quinn/devcontainer-lock
Jun 12, 2026
Merged

chore: check in devcontainer-lock.json#835
qw-in merged 1 commit into
mainfrom
quinn/devcontainer-lock

Conversation

@qw-in

@qw-in qw-in commented Jun 12, 2026

Copy link
Copy Markdown
Member

VSCode now generates devcontainer lockfiles which I've checked in here to help with supply chain hardening.

@qw-in qw-in self-assigned this Jun 12, 2026
@vercel

vercel Bot commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
arcjet-docs Ready Ready Preview, Comment Jun 12, 2026 9:17pm

Request Review

arcjet-review[bot]
arcjet-review Bot approved these changes Jun 12, 2026
View reviewed changes

@arcjet-review arcjet-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arcjet Review — 🟢 Low Risk

Decision: Approved

Rationale: This PR only adds a new devcontainer-lock.json file pinning four devcontainer features to specific versions with sha256 integrity hashes. Lock files improve supply chain security by ensuring reproducible builds and tamper detection. No code changes, no auth/secret/injection surface area. Security review checklist found no concerns.

Summary of Changes

Adds a new .devcontainer/devcontainer-lock.json that pins four devcontainer features (astral.sh-uv, common-utils, github-cli, trunk) to specific versions with sha256 integrity digests for reproducible devcontainer builds.

Notes

Lock files improve supply chain integrity by pinning content-addressable digests. Consider documenting how to regenerate this file (e.g., devcontainer features info/CLI) so contributors can refresh pins without ambiguity.

Review: eea476b4 | Model: anthropic/claude-opus-4-7 | Powered by Arcjet Review

@qw-in qw-in enabled auto-merge June 12, 2026 21:13
@qw-in qw-in added this pull request to the merge queue Jun 12, 2026
Merged via the queue into main with commit 817d0de Jun 12, 2026
11 checks passed
@qw-in qw-in deleted the quinn/devcontainer-lock branch June 12, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arcjet-review arcjet-review[bot] arcjet-review[bot] approved these changes

Assignees

@qw-in qw-in

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@qw-in