@grafana/create-plugin 7.7.0-canary.2621.26422794927.0 → 7.7.0

package/CHANGELOG.md

@@ -1,3 +1,39 @@
+# v7.7.0 (Fri May 29 2026)
+
+#### 🚀 Enhancement
+
+- feat: replace insecure sign script [#2656](https://github.com/grafana/plugin-tools/pull/2656) ([@jackw](https://github.com/jackw))
+
+#### Authors: 1
+
+- Jack Westbrook ([@jackw](https://github.com/jackw))
+
+---
+
+# v7.6.2 (Wed May 27 2026)
+
+#### 🐛 Bug Fix
+
+- fix: pin dependencies for better security [#2658](https://github.com/grafana/plugin-tools/pull/2658) ([@jackw](https://github.com/jackw))
+
+#### Authors: 1
+
+- Jack Westbrook ([@jackw](https://github.com/jackw))
+
+---
+
+# v7.6.1 (Tue May 26 2026)
+
+#### 🐛 Bug Fix
+
+- fix(create-plugin): make playwright report publishing opt-in [#2640](https://github.com/grafana/plugin-tools/pull/2640) ([@sunker](https://github.com/sunker))
+
+#### Authors: 1
+
+- Erik Sundell ([@sunker](https://github.com/sunker))
+
+---
+
 # v7.6.0 (Thu May 14 2026)
 
 #### 🚀 Enhancement

package/dist/codemods/migrations/migrations.js

@@ -60,6 +60,12 @@ var defaultMigrations = [
     version: "7.4.1",
     description: "Fix ts-node compatibility with the latest @grafana/tsconfig: outdated module/moduleResolution/target overrides break TypeScript 5/6 builds, replaced with nodenext/nodenext/es2022.",
     scriptPath: import.meta.resolve("./scripts/010-ts-node-nodenext.js")
+  },
+  {
+    name: "011-secure-sign-script",
+    version: "7.6.3",
+    description: "Security: replace insecure inline `npx --yes @grafana/sign-plugin@latest` sign script with a locked @grafana/sign-plugin devDependency to prevent arbitrary code execution from a compromised @latest publish.",
+    scriptPath: import.meta.resolve("./scripts/011-secure-sign-script.js")
   }
   // Do not use LEGACY_UPDATE_CUTOFF_VERSION for new migrations. It is only used above to force migrations to run
   // for those written before the switch to updates as migrations.

package/dist/codemods/migrations/scripts/011-secure-sign-script.js

@@ -0,0 +1,22 @@
+import { addDependenciesToPackageJson } from '../../utils.js';
+
+const SIGN_PLUGIN_VERSION = "^3.2.2";
+const NEW_SIGN_SCRIPT = "sign-plugin";
+const INSECURE_SIGN_PATTERN = /^npx\s+(?:--yes|-y)\s+@grafana\/sign-plugin(?:@\S+)?(\s.*)?$/;
+function migrate(context) {
+  if (!context.doesFileExist("package.json")) {
+    return context;
+  }
+  const packageJson = JSON.parse(context.getFile("package.json") || "{}");
+  const currentSign = packageJson.scripts?.sign;
+  const match = currentSign?.match(INSECURE_SIGN_PATTERN);
+  if (match) {
+    const trailingArgs = match[1] ?? "";
+    packageJson.scripts.sign = `${NEW_SIGN_SCRIPT}${trailingArgs}`;
+    context.updateFile("package.json", JSON.stringify(packageJson, null, 2));
+  }
+  addDependenciesToPackageJson(context, {}, { "@grafana/sign-plugin": SIGN_PLUGIN_VERSION });
+  return context;
+}
+
+export { migrate as default };

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@grafana/create-plugin",
-  "version": "7.7.0-canary.2621.26422794927.0",
+  "version": "7.7.0",
   "repository": {
+    "type": "git",
     "directory": "packages/create-plugin",
     "url": "https://github.com/grafana/plugin-tools"
   },
@@ -25,35 +26,35 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@babel/parser": "^7.28.5",
-    "@ivanmaxlogiudice/gitignore": "^0.0.2",
-    "change-case": "^5.4.0",
-    "debug": "^4.3.4",
-    "enquirer": "^2.4.1",
-    "find-up": "^8.0.0",
-    "glob": "^13.0.0",
-    "handlebars": "^4.7.8",
-    "jsonc-parser": "^3.3.1",
-    "minimist": "^1.2.8",
-    "recast": "^0.23.11",
-    "semver": "^7.3.5",
-    "title-case": "^4.3.0",
-    "valibot": "^1.2.0",
-    "which": "^6.0.0",
-    "yaml": "^2.7.0"
+    "@babel/parser": "7.29.0",
+    "@ivanmaxlogiudice/gitignore": "0.0.2",
+    "change-case": "5.4.4",
+    "debug": "4.4.3",
+    "enquirer": "2.4.1",
+    "find-up": "8.0.0",
+    "glob": "13.0.6",
+    "handlebars": "4.7.9",
+    "jsonc-parser": "3.3.1",
+    "minimist": "1.2.8",
+    "recast": "0.23.11",
+    "semver": "7.7.2",
+    "title-case": "4.3.2",
+    "valibot": "1.2.0",
+    "which": "6.0.1",
+    "yaml": "2.9.0"
   },
   "devDependencies": {
-    "@libs/output": "^1.0.3",
-    "@libs/version": "^1.0.2",
-    "@types/glob": "^9.0.0",
-    "@types/minimist": "^1.2.5",
-    "@types/semver": "^7.7.1",
-    "@types/tmp": "^0.2.6",
-    "@types/which": "^3.0.4",
-    "tmp": "^0.2.5"
+    "@libs/output": "1.0.3",
+    "@libs/version": "1.0.2",
+    "@types/glob": "9.0.0",
+    "@types/minimist": "1.2.5",
+    "@types/semver": "7.7.1",
+    "@types/tmp": "0.2.6",
+    "@types/which": "3.0.4",
+    "tmp": "0.2.5"
   },
   "engines": {
     "node": ">=20"
   },
-  "gitHead": "1b868b834fa161f08573f1a5863c1fa4ae455735"
+  "gitHead": "57e7611bcbbd068694bda70df57fa86008dd3353"
 }

package/src/codemods/migrations/migrations.ts

@@ -71,6 +71,13 @@ export default [
       'Fix ts-node compatibility with the latest @grafana/tsconfig: outdated module/moduleResolution/target overrides break TypeScript 5/6 builds, replaced with nodenext/nodenext/es2022.',
     scriptPath: import.meta.resolve('./scripts/010-ts-node-nodenext.js'),
   },
+  {
+    name: '011-secure-sign-script',
+    version: '7.6.3',
+    description:
+      'Security: replace insecure inline `npx --yes @grafana/sign-plugin@latest` sign script with a locked @grafana/sign-plugin devDependency to prevent arbitrary code execution from a compromised @latest publish.',
+    scriptPath: import.meta.resolve('./scripts/011-secure-sign-script.js'),
+  },
   // Do not use LEGACY_UPDATE_CUTOFF_VERSION for new migrations. It is only used above to force migrations to run
   // for those written before the switch to updates as migrations.
 ] satisfies Migration[];

package/src/codemods/migrations/scripts/011-secure-sign-script.test.ts

@@ -0,0 +1,124 @@
+import { describe, expect, it } from 'vitest';
+import migrate from './011-secure-sign-script.js';
+import { Context } from '../../context.js';
+
+describe('011-secure-sign-script', () => {
+  it('should replace insecure sign script and add @grafana/sign-plugin devDependency', () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      'package.json',
+      JSON.stringify({
+        scripts: {
+          sign: 'npx --yes @grafana/sign-plugin@latest',
+        },
+        devDependencies: {
+          '@grafana/tsconfig': '^2.0.1',
+        },
+      })
+    );
+
+    const result = migrate(context);
+    const packageJson = JSON.parse(result.getFile('package.json') || '{}');
+
+    expect(packageJson.scripts.sign).toBe('sign-plugin');
+    expect(packageJson.devDependencies['@grafana/sign-plugin']).toBe('^3.2.2');
+    expect(packageJson.devDependencies['@grafana/tsconfig']).toBe('^2.0.1');
+  });
+
+  it('should preserve trailing CLI flags when rewriting the sign script', () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      'package.json',
+      JSON.stringify({
+        scripts: {
+          sign: 'npx --yes @grafana/sign-plugin@latest --rootUrls https://example.com/grafana',
+        },
+        devDependencies: {},
+      })
+    );
+
+    const result = migrate(context);
+    const packageJson = JSON.parse(result.getFile('package.json') || '{}');
+
+    expect(packageJson.scripts.sign).toBe('sign-plugin --rootUrls https://example.com/grafana');
+    expect(packageJson.devDependencies['@grafana/sign-plugin']).toBe('^3.2.2');
+  });
+
+  it('should match the -y short flag as well as --yes', () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      'package.json',
+      JSON.stringify({
+        scripts: {
+          sign: 'npx -y @grafana/sign-plugin@latest',
+        },
+        devDependencies: {},
+      })
+    );
+
+    const result = migrate(context);
+    const packageJson = JSON.parse(result.getFile('package.json') || '{}');
+
+    expect(packageJson.scripts.sign).toBe('sign-plugin');
+  });
+
+  it('should leave a customised sign script alone but still add the devDependency', () => {
+    const context = new Context('/virtual');
+    const customSign = './scripts/my-custom-sign.sh';
+    context.addFile(
+      'package.json',
+      JSON.stringify({
+        scripts: {
+          sign: customSign,
+        },
+        devDependencies: {},
+      })
+    );
+
+    const result = migrate(context);
+    const packageJson = JSON.parse(result.getFile('package.json') || '{}');
+
+    expect(packageJson.scripts.sign).toBe(customSign);
+    expect(packageJson.devDependencies['@grafana/sign-plugin']).toBe('^3.2.2');
+  });
+
+  it('should be a no-op when already migrated', () => {
+    const context = new Context('/virtual');
+    const original = JSON.stringify({
+      scripts: {
+        sign: 'sign-plugin',
+      },
+      devDependencies: {
+        '@grafana/sign-plugin': '^3.2.2',
+      },
+    });
+    context.addFile('package.json', original);
+
+    const result = migrate(context);
+
+    expect(result.getFile('package.json')).toBe(original);
+  });
+
+  it('should be a no-op when package.json does not exist', () => {
+    const context = new Context('/virtual');
+
+    const result = migrate(context);
+
+    expect(result.hasChanges()).toBe(false);
+  });
+
+  it('should be idempotent', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      'package.json',
+      JSON.stringify({
+        scripts: {
+          sign: 'npx --yes @grafana/sign-plugin@latest',
+        },
+        devDependencies: {},
+      })
+    );
+
+    await expect(migrate).toBeIdempotent(context);
+  });
+});

package/src/codemods/migrations/scripts/011-secure-sign-script.ts

@@ -0,0 +1,26 @@
+import type { Context } from '../../context.js';
+import { addDependenciesToPackageJson } from '../../utils.js';
+
+const SIGN_PLUGIN_VERSION = '^3.2.2';
+const NEW_SIGN_SCRIPT = 'sign-plugin';
+const INSECURE_SIGN_PATTERN = /^npx\s+(?:--yes|-y)\s+@grafana\/sign-plugin(?:@\S+)?(\s.*)?$/;
+
+export default function migrate(context: Context) {
+  if (!context.doesFileExist('package.json')) {
+    return context;
+  }
+
+  const packageJson = JSON.parse(context.getFile('package.json') || '{}');
+  const currentSign: string | undefined = packageJson.scripts?.sign;
+  const match = currentSign?.match(INSECURE_SIGN_PATTERN);
+
+  if (match) {
+    const trailingArgs = match[1] ?? '';
+    packageJson.scripts.sign = `${NEW_SIGN_SCRIPT}${trailingArgs}`;
+    context.updateFile('package.json', JSON.stringify(packageJson, null, 2));
+  }
+
+  addDependenciesToPackageJson(context, {}, { '@grafana/sign-plugin': SIGN_PLUGIN_VERSION });
+
+  return context;
+}

package/templates/common/_package.json

@@ -11,13 +11,14 @@
     "lint:fix": "{{ packageManagerName }} run lint{{#if isNPM}} --{{/if}} --fix && prettier --write --list-different .",
     "e2e": "playwright test",
     "server": "docker compose up --build",
-    "sign": "npx --yes @grafana/sign-plugin@latest"
+    "sign": "sign-plugin"
   },
   "author": "{{ sentenceCase orgName }}",
   "license": "Apache-2.0",
   "devDependencies": {
     "@grafana/eslint-config": "^9.0.0",
     "@grafana/plugin-e2e": "^3.6.1",
+    "@grafana/sign-plugin": "^3.2.2",
     "@grafana/tsconfig": "^2.0.1",
     "@playwright/test": "^1.57.0",{{#if useExperimentalRspack}}
     "@rspack/core": "^1.6.0",