depmedic weekly #1
Hi. This is the first issue of depmedic weekly, a short letter for people who run GitHub Actions or npm at work and would like it to be cheaper, less leaky, and less lit on fire by surprise. Every Monday-ish: what shipped, one numbers piece, one pattern.
If you got this and don't want it, the unsubscribe link is at the bottom and it works.
This week: ci-doctor 0.5.0
Two new rules. Now 16 total. npx ci-doctor is unchanged.
- docker-no-pin (warn, security) - flags container.image, services.<name>.image, and uses: docker://<ref> when the image reference uses a floating tag (:latest, :22, :alpine, ...). A silent registry update can change your build out from under you. Pin to image@sha256:<digest>.
- service-no-healthcheck (warn, cost) - flags well-known service containers (postgres, mysql, redis, mongo, kafka, elasticsearch, opensearch, minio, memcached) declared without an --health-cmd in the options: block. Test steps that race the service start fail intermittently and burn re-run minutes that you actually pay for.
Same release, no breaking changes: v0.5.0 release notes · npm · docker-no-pin docs · service-no-healthcheck docs.
Numbers: the OSS pin bar is 59%
Across 20 famous OSS repos and 1,461 uses: references, 59.4% are pinned to a 40-character SHA. The rest float on a tag (@v4, @main) and inherit whatever the maintainer most recently tagged that way. Six repos hit 100% (deno, axios, express, jest, webpack, rollup). Four repos hit 0% (parcel, preact, react-router, got).
Full per-repo board, methodology, and the data: The Pin Bar 2026.
Pattern of the week: pin + Dependabot
Pinning to SHAs without enabling Dependabot for github-actions is a maintenance tax. You'll fall behind on security patches because tag updates won't reach you. Pair the two:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor:
        update-types: ["minor", "patch"]
Dependabot will open one PR per week with all the action SHA bumps (grouped) and a summary of what changed. Add npx ci-doctor to a workflow on those PRs and you'll see if any of the bumps removed hardening you previously had.

Then run npx pin-actions once to convert any remaining unpinned @v4 tags to SHAs, and add npx pin-actions --check to your CI gate to keep new unpinned references from sneaking in.
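What a pin check like this actually has to decide, as an added example (not ci-doctor's or pin-actions' own code): classify each uses: reference as SHA-pinned or floating, treat container images without an @sha256 digest as floating, and compute the pin rate the way the pin bar above counts it. The sample workflow and its 40-character SHA are constructed for the example.

```javascript
// Added example, not ci-doctor's or pin-actions' own code: a line-oriented pin
// checker for workflow text. It classifies `uses:` refs as SHA-pinned or floating,
// flags images without a digest (docker-no-pin) and computes the pin rate.
const SHA40 = /^[0-9a-f]{40}$/;

// Pull `uses:` and `image:` values out of workflow text; a real tool parses YAML.
function scanWorkflow(text) {
  const uses = [], images = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim(); // drop trailing comments
    let m = line.match(/^(?:-\s*)?uses:\s*["']?([^"'\s]+)/);
    if (m) { uses.push(m[1]); continue; }
    m = line.match(/^image:\s*["']?([^"'\s]+)/);
    if (m) images.push(m[1]);
  }
  return { uses, images };
}

// Images are pinned only by @sha256:<digest>; tags like :16 or :latest float.
function classifyImage(image) {
  return /@sha256:[0-9a-f]{64}$/.test(image) ? 'pinned' : 'floating';
}

// Local actions (./path) have no ref to pin; docker:// uses are images.
function classifyUses(ref) {
  if (ref.startsWith('./')) return 'local';
  if (ref.startsWith('docker://')) return classifyImage(ref.slice(9));
  const at = ref.lastIndexOf('@');
  return at > 0 && SHA40.test(ref.slice(at + 1)) ? 'pinned' : 'floating';
}

// Pin rate over non-local uses: refs, plus the list of floating images.
function pinReport(text) {
  const { uses, images } = scanWorkflow(text);
  const classes = uses.map(classifyUses).filter(c => c !== 'local');
  const pinned = classes.filter(c => c === 'pinned').length;
  return { usesTotal: classes.length, usesPinned: pinned,
           pinRate: classes.length ? pinned / classes.length : 1,
           floatingImages: images.filter(i => classifyImage(i) === 'floating') };
}

// Constructed sample workflow; the 40-char SHA is made up, not a real commit.
const SAMPLE = `
jobs:
  test:
    services:
      db:
        image: postgres:16
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
`;
console.log(JSON.stringify(pinReport(SAMPLE)));
```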
Also shipped this week
- depmedic-bot - GitHub App. Auto-comments on every PR that touches a workflow file. Free for public repos. The Cloudflare Worker, the HMAC-verified webhook handler, the bundled audit engine, and the landing page are all live; the App registration is the only user-side step left.
- depmedic for VS Code & Cursor - inline lint as native Diagnostics. .vsix is at v0.2.0. Marketplace + Open VSX listings come this week.
- 107 npm package health pages + 107 embeddable badges + $9 Vendor Dossier PDF + $19/mo Org Dep Health Monitor.
- gitlab-ci-doctor 0.1.0 on npm + an in-browser scanner for GitLab pipelines.
Try one of the free tools
If you're reading this you probably have a workflow file lying around. Two minutes, no install:
- Scan any public repo
- Paste a single workflow
- See the OSS leaderboard
Recommended links (no affiliate)
- GitHub's own security-hardening guide - the canonical reference for why pinning, minimum permissions, and OIDC matter.
- actionlint - syntax + expression linter for workflows. Complementary to ci-doctor; catches different things.
- The tj-actions/changed-files compromise writeup - the motivating example for why pinned-action-sha exists.
Reply
This is issue 1. If you have a thing you'd like benchmarked ("how often do popular repos do X?"), or a workflow pattern that you see everywhere and would like a teardown of, hit reply. Or email depmedicdev@gmail.com.
See you next week.