chore: designate code owners for all npm and yarn related files

[elikmiller]

Description

Designates codeowners for all NPM/Yarn related dependency management files

Motivation and Context

Resolves BED-6491

This is a proactive and preventative measure against the recently reported "Shai-Hulud" malware campaign.
See https://www.koi.security/blog/shai-hulud-npm-supply-chain-attack-crowdstrike-tinycolor for more details.

Summary by CodeRabbit

• Chores
  • Introduced repository code ownership rules for package manager–related changes, assigning designated maintainers for faster, more consistent reviews.
  • Improves accountability and clarity in the review process by specifying who reviews updates to dependency and workspace configurations.
  • Clarifies rule precedence to avoid ambiguity, ensuring the correct owners are requested for relevant changes.

[coderabbitai]

Walkthrough

Adds a new .github/CODEOWNERS file that defines ownership rules for NPM/Yarn-related files, mapping them to @superlinkx and @elikmiller, and notes that the last matching rule wins.

Changes

Cohort / File(s)	Summary
Code ownership configuration .github/CODEOWNERS	New CODEOWNERS file. Assigns @superlinkx and @elikmiller to patterns: **/package.json, **/package-lock.json, **/.yarn/**, **/.yarnrc, **/.yarnrc.yml, **/yarn.lock, **/yarn-workspaces.json. Notes precedence: last matching rule wins.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I twitch my whiskers, sign my name,
On locks and yarns I stake my claim;
Two caretakers guard the repo’s den,
For packages penned by diligent pen.
Thump-thump! The owners’ rules align—
Last match wins; all builds stay fine. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "chore: designate code owners for all npm and yarn related files" is a concise, single-sentence summary that accurately reflects the main change (adding a CODEOWNERS entry for NPM/Yarn files). It is specific enough for a teammate scanning history to understand the primary intent and uses an appropriate "chore:" prefix. Therefore it meets the repository's title requirements.
Description Check	✅ Passed	The PR description provides a clear Description, a Motivation and Context section that includes "Resolves BED-6491", and an external reference link, satisfying the repository's requirement for an associated ticket and core rationale. The template's "How Has This Been Tested?", "Types of changes", and checklist sections are not present. Because this is a low-risk chore and the essential information and ticket reference are provided, the description is mostly complete.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch BED-6491

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/CODEOWNERS (3)

5-11: Broaden coverage (.npmrc, npm-shrinkwrap) and simplify globs.

• Add .npmrc and npm-shrinkwrap.json (often security‑sensitive and dependency‑locking).
• Optional: drop the leading **/ for readability; bare patterns already match anywhere.

 # NPM and Yarn files
-**/package.json              @superlinkx @elikmiller
-**/package-lock.json         @superlinkx @elikmiller
-**/.yarn/**                  @superlinkx @elikmiller
-**/.yarnrc                   @superlinkx @elikmiller
-**/.yarnrc.yml               @superlinkx @elikmiller
-**/yarn.lock                 @superlinkx @elikmiller
-**/yarn-workspaces.json      @superlinkx @elikmiller
+package.json              @superlinkx @elikmiller
+package-lock.json         @superlinkx @elikmiller
+npm-shrinkwrap.json       @superlinkx @elikmiller
+.npmrc                    @superlinkx @elikmiller
+.yarn/**                  @superlinkx @elikmiller
+.yarnrc                   @superlinkx @elikmiller
+.yarnrc.yml               @superlinkx @elikmiller
+yarn.lock                 @superlinkx @elikmiller
+yarn-workspaces.json      @superlinkx @elikmiller

---

5-11: Prefer team aliases over individuals.

To reduce bus factor and maintenance, consider a team (e.g., @SpecterOps/npm-owners) instead of direct user handles. If you create the team, swap it into all rules.

---

5-11: Enforce via branch protection.

Make sure “Require review from Code Owners” is enabled on main so these entries actually gate merges, especially given the Shai‑Hulud supply‑chain concern.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 121eed8 and f10222c.

📒 Files selected for processing (1)

• .github/CODEOWNERS (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build BloodHound Container Image / Build and Package Container
• GitHub Check: run-tests
• GitHub Check: build-ui
• GitHub Check: run-tests
• GitHub Check: run-analysis

🔇 Additional comments (2)

.github/CODEOWNERS (2)

1-3: Good placement and guidance.

File is in a supported location and the “last matching rule wins” reminder is correct.

---

5-11: CODEOWNERS coverage OK — no changes required.

Script found: package.json (root), cmd/ui/package.json, packages/javascript/bh-shared-ui/package.json, packages/javascript/js-client-library/package.json, yarn-workspaces.json, yarn.lock, .yarnrc.yml. No package-lock.json or npm-shrinkwrap.json detected.