From 1dec3b82d6d122852cb8d3e1871f38f751d92cbf Mon Sep 17 00:00:00 2001
From: Ankitsinghsisodya
Date: Wed, 1 Apr 2026 23:58:53 +0530
Subject: [PATCH] ci: pin all npm dependencies in update-quarkus and update-springboot workflows
xml2js, yaml, and semver were installed without version constraints, pulling the latest release on every run. This breaks reproducibility and creates a dependency confusion vector. Pin to known-good versions.
Closes knative/func#3562
---
 .github/workflows/update-quarkus-platform.yaml | 2 +-
 .github/workflows/update-springboot-platform.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/update-quarkus-platform.yaml b/.github/workflows/update-quarkus-platform.yaml
index 560cd850ac..8a37393818 100644
--- a/.github/workflows/update-quarkus-platform.yaml
+++ b/.github/workflows/update-quarkus-platform.yaml
@@ -24,7 +24,7 @@ jobs:
 java-version: 21
 distribution: 'temurin'
 - name: Install NPM deps.
- run: npm install xml2js octokit@3.2.1
+ run: npm install xml2js@0.6.2 octokit@3.2.1
 - name: Create PR
 env:
 GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/update-springboot-platform.yaml b/.github/workflows/update-springboot-platform.yaml
index b41c681354..22998ea6dd 100644
--- a/.github/workflows/update-springboot-platform.yaml
+++ b/.github/workflows/update-springboot-platform.yaml
@@ -24,7 +24,7 @@ jobs:
 java-version: 21
 distribution: 'temurin'
 - name: Install NPM deps.
- run: npm install xml2js octokit@3.2.1 yaml semver
+ run: npm install xml2js@0.6.2 octokit@3.2.1 yaml@2.4.5 semver@7.6.3
 - name: Create PR
 env:
 GITHUB_TOKEN: ${{ github.token }}
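Review bot: Pinning `xml2js@0.6.2` on the new `run:` line fixes only the direct dependency; with no lockfile in the job, every transitive dependency of xml2js (and of `yaml@2.4.5` / `semver@7.6.3` in the update-springboot-platform.yaml hunk) is still resolved fresh from the registry on each run, so the reproducibility goal stated in the commit message is only partly met. A committed package-lock.json installed with `npm ci` would pin the whole tree together with integrity hashes, which a version specifier alone does not give you. If a lockfile is not wanted in this repo, at least `run: npm install --ignore-scripts xml2js@0.6.2 octokit@3.2.1` keeps lifecycle scripts of freshly-resolved packages from executing in the runner. The same point applies to the second hunk; the enclosing `jobs:` block starts before both hunks.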