
Conversation

coliff
Member

@coliff coliff commented Sep 15, 2025

This pull request introduces several improvements to CI workflows, dependency updates, and documentation. The main changes include adding a new OSSF Scorecard workflow to enhance supply-chain security, updating dependencies (notably htmlhint), and ensuring all GitHub Actions use pinned versions for better reliability and security.

CI/CD and Security Enhancements

  • Added a new GitHub Actions workflow .github/workflows/ossf-scorecard.yml to run OSSF Scorecard analysis on the repository, improving supply-chain security by regularly assessing best practices and uploading results to code scanning.
  • Updated all GitHub Actions in existing workflows to use pinned SHA-1 versions, including codeql-action and publish-vscode-extension, to prevent breaking changes from upstream updates. [1] [2] [3]

Dependency Updates

  • Upgraded htmlhint from version 1.6.3 to 1.7.0 in both htmlhint and htmlhint-server packages, updating all relevant references in package.json and package-lock.json files. [1] [2] [3] [4] [5] [6] [7]
  • Lowered the minimum Node.js engine requirement from >=20 to >=18 in both htmlhint and htmlhint-server to increase compatibility. [1] [2]
  • Updated the Volta-managed Node.js version in the root package.json from 22.16.0 to 22.19.0.

Documentation and Miscellaneous

  • Expanded .github/copilot-instructions.md with best practices for GitHub Actions, including workflow placement, naming conventions, version pinning, and security recommendations.
  • Added "ossf" to the list of allowed words in .cspell.json to prevent spellcheck errors.
  • Removed an unused linter validation option from the super-linter workflow.
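One way to enforce the pinning practice this PR applies to its workflows, as an added example that is not part of the PR or the project's own code: a small Python checker that scans a workflow file and reports every `uses:` reference that is not pinned to a full 40-hex commit SHA (mutable tags or branches, abbreviated SHAs, or no ref at all). The sample workflow and the SHA inside it are constructed for illustration; the function and class names are the example's own.

```python
"""Audit GitHub Actions workflow text for unpinned `uses:` references.

Added example (not from the PR or the project). Assumes the workflow is
available as a string; the sample below is constructed, including the SHA.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# A `uses:` step line, with or without the leading list dash.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
SHORT_SHA = re.compile(r"[0-9a-f]{7,39}")  # heuristic: looks like a truncated commit id


class Finding(NamedTuple):
    line_no: int
    uses: str
    reason: str


def classify(uses_value: str) -> Optional[str]:
    """Return None when the reference is pinned to a full commit SHA,
    otherwise a short reason explaining why it is not acceptable."""
    value = uses_value.strip("'\"")
    # Local actions and docker images are not GitHub repo refs; out of scope here.
    if value.startswith("./") or value.startswith("docker://"):
        return None
    if "@" not in value:
        return "no ref given (resolves to the action's default branch)"
    _, ref = value.rsplit("@", 1)
    if FULL_SHA.fullmatch(ref):
        return None
    if SHORT_SHA.fullmatch(ref):
        return "abbreviated SHA; only a full 40-hex commit is unambiguous"
    return f"mutable ref {ref!r}; a tag or branch can be moved upstream"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is not pinned to a full SHA."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason is not None:
            findings.append(Finding(line_no, m.group(1), reason))
    return findings


def workflow_is_pinned(text: str) -> bool:
    """True when every `uses:` reference in the workflow is pinned."""
    return not audit_workflow(text)


# Constructed sample workflow; the 40-hex SHA on the setup-node line is a placeholder.
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-thing
      - uses: github/codeql-action/upload-sarif@main
      - uses: some/action@abc1234
      - name: no ref
        uses: some/other
"""


if __name__ == "__main__":
    # Usage: python audit.py [path/to/workflow.yml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for f in audit_workflow(text):
        print(f"line {f.line_no}: {f.uses}: {f.reason}")
    sys.exit(0 if workflow_is_pinned(text) else 1)
```

The checker deliberately treats an abbreviated SHA as a failure: a short prefix can collide, and GitHub resolves it at run time rather than at review time, so only a full commit id gives the reproducibility the PR is after. A trailing `# vX.Y.Z` comment next to the SHA, as in the sample, keeps the human-readable version visible for reviewers and for tools that bump pinned actions.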

@coliff coliff requested a review from Copilot September 15, 2025 06:04
@coliff coliff added the dependencies Pull requests that update a dependency file label Sep 15, 2025

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates various dependencies and tools to their latest versions, with a focus on security and build improvements.

  • Updates Node.js runtime from 22.16.0 to 22.19.0 in the root package
  • Upgrades HTMLHint library from 1.6.3 to 1.7.0 across all packages
  • Updates GitHub Actions workflows with pinned commit hashes and adds new OSSF Scorecard workflow
  • Adds new spell check word "ossf" and removes deprecated GitHub Actions configuration

Reviewed Changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated no comments.

Summary per file:

File                                   Description
package.json                           Updates Node.js version to 22.19.0
htmlhint/package.json                  Updates HTMLHint dependency to 1.7.0 in both dependencies and bundle script
htmlhint-server/package.json           Updates HTMLHint dependency to 1.7.0
.github/workflows/super-linter.yml     Removes deprecated VALIDATE_GITHUB_ACTIONS_ZIZMOR configuration
.github/workflows/publish.yml          Pins HaaLeo/publish-vscode-extension action to specific commit hash
.github/workflows/ossf-scorecard.yml   Adds new OSSF Scorecard security analysis workflow
.github/workflows/codeql-analysis.yml  Updates CodeQL action versions to v3.30.3 with pinned commit hashes
.github/copilot-instructions.md        Adds GitHub Actions best practices documentation
.cspell.json                           Adds "ossf" to the spell check dictionary
Files not reviewed (2)
  • htmlhint-server/package-lock.json: Language not supported
  • htmlhint/package-lock.json: Language not supported


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates development dependencies, including htmlhint and the pinned Node.js version for Volta. The changes are generally good and improve the project's tooling. I've identified one area for improvement: there's an inconsistency in the Volta Node.js version between the root package.json and the htmlhint/package.json file. Aligning these versions will ensure a consistent development environment for all contributors.

@coliff coliff merged commit 2f5181b into main Sep 15, 2025
15 checks passed
@coliff coliff deleted the dev/coliff/dev-deps-update branch September 15, 2025 06:06