diff --git a/.github/workflows/build-js.yml b/.github/workflows/build-js.yml
index 77598517c..258957ba6 100644
--- a/.github/workflows/build-js.yml
+++ b/.github/workflows/build-js.yml
@@ -13,9 +13,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: pnpm/action-setup@v2
-        with:
-          version: 9.0.6
+      # Version is read from the root package.json "packageManager" field.
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version-file: '.node-version'
diff --git a/.github/workflows/publish-npm-package.yml b/.github/workflows/publish-npm-package.yml
index 684b8b0c9..334ab5e57 100644
--- a/.github/workflows/publish-npm-package.yml
+++ b/.github/workflows/publish-npm-package.yml
@@ -29,9 +29,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: pnpm/action-setup@v2
-        with:
-          version: 9.15.4
+      # Version is read from the root package.json "packageManager" field.
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version-file: ".node-version"
diff --git a/package.json b/package.json
index 4e4de6155..d43606a47 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,7 @@
 {
   "name": "OpenUI",
   "version": "1.0.0",
+  "packageManager": "pnpm@11.9.0",
   "engines": {
     "node": "24.18.0"
   },
@@ -47,17 +48,5 @@
   },
   "bugs": {
     "url": "https://github.com/thesysdev/openui/issues"
-  },
-  "pnpm": {
-    "overrides": {
-      "langsmith@<0.6.0": "^0.6.0",
-      "ip-address@<10.1.1": ">=10.1.1",
-      "postcss@<8.5.10": ">=8.5.10",
-      "qs@<6.15.2": ">=6.15.2",
-      "uuid@<11.1.1": "^11.1.1",
-      "cookie@<0.7.0": ">=0.7.0",
-      "prismjs@<1.30.0": ">=1.30.0",
-      "@ai-sdk/provider-utils@<=3.0.97": "^4.0.27" } } }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 58e5a2736..44bd4f470 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
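Review bot: The new `- uses: pnpm/action-setup@v4` line still references the action by a mutable tag, so the pnpm that ends up on the CI runner depends on wherever `v4` points at run time, which is at odds with the supply-chain hardening this change is about. Pin the action to a full-length commit SHA and keep the tag as a trailing comment, `- uses: pnpm/action-setup@<full-commit-sha>  # v4`, with the placeholder replaced by the SHA of the release you have verified. The same applies to the identical hunk in `.github/workflows/publish-npm-package.yml`, and the `actions/checkout@v4` and `actions/setup-node@v4` context lines around it have the same exposure even though they are not part of this change. The `steps:` list both hunks sit in starts before the hunk.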
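Review bot: `"packageManager": "pnpm@11.9.0"` pins the pnpm version but not the content of the pnpm distribution that gets installed. The Corepack `packageManager` format also accepts an integrity suffix, `"packageManager": "pnpm@11.9.0+sha512.<hash-from-the-verified-release>"`, which ties the field to a specific tarball; whether `pnpm/action-setup@v4` and pnpm's own version management enforce the hash should be confirmed for the versions in use, but the suffix is harmless where it is ignored and enforced wherever Corepack is. The second hunk in this file is the pure removal of `pnpm.overrides`, which reappears in `pnpm-workspace.yaml`, so nothing further to raise there.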
@@ -4,6 +4,46 @@ packages:
   - "docs/"
   - "!**/src/templates/**"
+# --- Supply-chain hardening (pnpm 11+) ---
+# Lifecycle (preinstall/install/postinstall) scripts are blocked by default in
+# pnpm 11. Every dependency that has a build script must be explicitly decided
+# here (true = allowed to run, false = blocked). Anything not listed is blocked
+# AND re-prompts on install, so we list all of them. Keep `true` minimal and
+# limited to dependencies that genuinely need a native/binary build.
+allowBuilds:
+  # Native/binary builds we actually need:
+  "@parcel/watcher": true # native file-watcher (nitropack/vite)
+  esbuild: true # fetches the platform binary
+  sharp: true # native libvips image processing
+  unrs-resolver: true # native module-resolution binding
+  # Intentionally blocked (telemetry / cosmetic / unnecessary):
+  "@google/genai": false # preinstall notice only
+  "@scarf/scarf": false # analytics/telemetry beacon
+  core-js: false # postinstall console ad
+  protobufjs: false # not needed at install time
+# Cooldown: refuse to install package versions published less than this many
+# minutes ago. Defends against freshly-published compromised releases
+# (e.g. self-propagating npm worms) by giving the ecosystem time to react.
+# 1440 = 24h. Raise for stronger protection at the cost of update latency.
+minimumReleaseAge: 1440
+# Make sure node_modules matches the lockfile before running any script, so
+# scripts never execute against a stale or tampered-with dependency tree.
+verifyDepsBeforeRun: install
+# Security overrides for known-vulnerable transitive dependencies (CVE pins).
+# pnpm 11 reads overrides from here, NOT from the package.json "pnpm" field.
+overrides:
+  "langsmith@<0.6.0": "^0.6.0"
+  "ip-address@<10.1.1": ">=10.1.1"
+  "postcss@<8.5.10": ">=8.5.10"
+  "qs@<6.15.2": ">=6.15.2"
+  "uuid@<11.1.1": "^11.1.1"
+  "cookie@<0.7.0": ">=0.7.0"
+  "prismjs@<1.30.0": ">=1.30.0"
+  "@ai-sdk/provider-utils@<=3.0.97": "^4.0.27"
+
 # Centralized dependency versions shared across packages.
 # Reference these from a package.json with the "catalog:" protocol.
 catalog:
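Review bot: The comment above `minimumReleaseAge: 1440` says what the cooldown defends against but not when it is enforced; as far as I understand it, the age check runs only when pnpm resolves a version (lockfile create or update), so an install of an already-locked version is not delayed, and freshly published security fixes are held back by the same 24h. I would add `# Applies at resolution time only (lockfile create/update); use minimumReleaseAgeExclude for packages that must bypass the delay.` directly above the setting, after confirming both statements against the pnpm version in use. Separately, `verifyDepsBeforeRun: install` makes a lockfile/node_modules mismatch trigger an automatic install, including the build scripts allowed above, from inside a script invocation; if the intent in the comment is that scripts never run against a stale tree, `verifyDepsBeforeRun: error` fails loudly and keeps the install an explicit step. The `packages:` list this hunk opens in starts before the hunk.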