chore(pnpm): supply-chain hardening (lifecycle allowlist, release-age cooldown, overrides migration) #688
Draft
Shinyaigeek wants to merge 2 commits into
Standardize the toolchain on Node.js 24.18.0 (current LTS, "Krypton"):
- Add a `.node-version` file so local tooling (nvm/fnm/mise/Volta) and CI resolve the same Node version.
- Have both GitHub Actions workflows read the version from `.node-version` via `node-version-file` instead of a hardcoded `node-version: 20`, keeping a single source of truth.
- Declare the requirement in package.json `engines.node` (exact match to `.node-version`).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Harden the pnpm setup against supply-chain attacks. Requires Node >= 22.13 (pnpm 11), hence stacked on the Node 24 bump.
- Pin pnpm via `packageManager: pnpm@11.9.0`; both workflows now resolve it from that field through `pnpm/action-setup@v4` (single source of truth, replacing the divergent 9.0.6 / 9.15.4 pins).
- Block lifecycle scripts by default (pnpm 11) and allow only the few deps that genuinely need a native build via `allowBuilds`; telemetry/cosmetic scripts (@scarf/scarf, core-js, protobufjs, @google/genai) stay blocked.
- Add `minimumReleaseAge: 1440` (24h cooldown) to avoid installing freshly-published, potentially-compromised releases.
- Add `verifyDepsBeforeRun: install` so scripts never run against a stale or tampered dependency tree.
- Migrate the CVE-pin `overrides` from the package.json `pnpm` field to `pnpm-workspace.yaml` (pnpm 11 no longer reads the package.json field).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Supply-chain hardening for pnpm.

Changes (this PR)

- `packageManager: pnpm@11.9.0`; both workflows resolve it from that field through `pnpm/action-setup@v4` — single source of truth, replacing the divergent 9.0.6 / 9.15.4 pins.
- `allowBuilds` (@parcel/watcher, esbuild, sharp, unrs-resolver). Telemetry/cosmetic scripts stay blocked: @scarf/scarf, core-js, protobufjs, @google/genai.
- `minimumReleaseAge: 1440` (24h) — refuses to install versions published in the last day, mitigating self-propagating npm worms.
- `verifyDepsBeforeRun: install` — scripts never run against a stale/tampered dependency tree.
- `overrides` from the package.json `pnpm` field to `pnpm-workspace.yaml`. pnpm 11 no longer reads the package.json field — without this move the CVE pins would silently stop applying.

Test plan / validation

Validated locally with Node 24.18.0 + pnpm 11.9.0 (`pnpm install --frozen-lockfile`):
- `pnpm-lock.yaml` unchanged
- `allowBuilds` honored — esbuild/sharp/unrs-resolver/@parcel/watcher build; the four telemetry/cosmetic scripts do not run; no `ERR_PNPM_IGNORED_BUILDS`

🤖 Generated with Claude Code
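The `pnpm-workspace.yaml` the PR moves these settings into is not shown on this page. The file below is an added illustration of how the four settings described above fit together, not the PR's own file. The key names are the ones the PR names; the value shapes (`allowBuilds` as a package-name to boolean map, `minimumReleaseAge` in minutes) are my assumption about pnpm 11's settings and should be checked against the pnpm documentation for the version in use, and the `overrides` entry is a placeholder because the page does not list the actual CVE pins.

```yaml
# pnpm-workspace.yaml -- added illustration, not the PR's file.
# Value shapes (name -> bool map, minutes) are assumptions; verify against pnpm docs.

# pnpm 11 blocks preinstall/install/postinstall scripts unless a package is
# allowed here. Allow only packages that genuinely need a native build and
# deny the rest explicitly, so the list is reviewed in the diff rather than
# widened silently by an interactive prompt.
allowBuilds:
  '@parcel/watcher': true
  esbuild: true
  sharp: true
  unrs-resolver: true
  # Telemetry / cosmetic scripts: keep blocked.
  '@scarf/scarf': false
  core-js: false
  protobufjs: false
  '@google/genai': false

# Release-age cooldown, in minutes. A version published less than 24h ago is
# not eligible during resolution, so a hijacked release is usually yanked or
# flagged before it can land in pnpm-lock.yaml.
minimumReleaseAge: 1440

# Before `pnpm run` / `pnpm exec`, check node_modules against the lockfile and
# reinstall if they diverge; scripts never execute against a stale or edited tree.
verifyDepsBeforeRun: install

# CVE pins. pnpm 11 ignores the `pnpm.overrides` field in package.json, so they
# must live here or they silently stop applying. Placeholder entry only:
overrides:
  '<vulnerable-package>@<affected-range>': '<fixed-version>'
```

Two things to check after adopting this: `pnpm install --frozen-lockfile` should complete without an `ERR_PNPM_IGNORED_BUILDS` warning (the page's own validation criterion), and the cooldown cuts both ways: a legitimate security fix also waits 24h, so a `overrides` pin is the way to pull in an urgent patch before the window elapses.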