chore: harden supply chain security#11

Merged
nick134-bit merged 6 commits into
mainfrom
chore/hardening-deps-pipeline
May 18, 2026

Conversation

@nick134-bit


Add nonce-based CSP via middleware to block injected scripts, thread
nonce through to the inline theme script, add HSTS/Referrer/Permissions
policy headers, pin pnpm@9.15.4 and upgrade Node 19→22 in Dockerfile,
pin actions/checkout to commit SHA, add .npmrc with audit-level=high,
and enforce a 7-day minimum package age via pnpm-workspace.yaml.

@nick134-bit nick134-bit merged commit 7a0734a into main May 18, 2026
1 check passed
zJuuu added a commit that referenced this pull request May 19, 2026
…rk#23)

* chore: simplify onboarding

* chore: check verification via api

* chore: harden supply chain security (#11)

* fix: correct pnpm build allowlist key in workspace config

Rename the `allowBuilds` map to `onlyBuiltDependencies` list in
pnpm-workspace.yaml so pnpm actually recognizes the allowlist and runs
the install scripts for esbuild, sharp, and unrs-resolver. Pin
packageManager to pnpm@10.33.4 to match.

* fix: align pnpm 11 config and propagate to runtime image

- Pin packageManager to pnpm@11.1.0 (matches Dockerfile corepack stages).
- Move `overrides` and switch back to `allowBuilds` map in pnpm-workspace.yaml
  — both are the pnpm v11 schema (v11 removed `pnpm.overrides` from
  package.json and the old `onlyBuiltDependencies` key).
- Copy pnpm-workspace.yaml and pnpm-lock.yaml into the production stage
  so pnpm v11's deps-status-check at startup sees `allowBuilds` and
  doesn't trip `ERR_PNPM_IGNORED_BUILDS`.
- Set `CI=true` in the build stage so pnpm doesn't prompt-then-abort on
  modules dir purge in non-TTY.

---------

Co-authored-by: nick134 <nick134-bit@proton.me>
