Tighten pnpm supply-chain controls and refresh CI #17
Open
gndelia wants to merge 5 commits into
Adopt three pnpm 10 settings that strengthen supply-chain integrity:
- `blockExoticSubdeps`: reject non-registry sources in transitive deps
- `lockfileIncludeTarballUrl`: pin exact tarball URLs in the lockfile
- `trustPolicy: no-downgrade`: refuse versions whose provenance attestation regressed compared to earlier releases

`trustPolicy: no-downgrade` rejects @noble/hashes@1.7.0 and @noble/curves@1.8.0 (both published 2025-01-03 without attestation, exact-pinned by @walletconnect/relay-auth@1.1.0). Override them to the next attested patches (1.8.0 / 1.8.1), which are already in the tree via other deps.
Pin js-checks and npm-publish to the v1.2.0 release of the hemilabs/.github shared workflows (annotated with the tag for readability). Trim the test matrix to Node 22 and 24 now that Node 20 is no longer in active LTS.
Generated by `pnpm audit --fix`. Skipped one of its suggestions, `ajv@<6.14.0: '>=6.14.0'`: the replacement is unbounded, so pnpm deduped @eslint/eslintrc's `ajv@^6.12.4` against an existing ajv 8.x in the tree and broke ESLint (it relies on ajv 6's API). The advisory's fix version 6.14.0 doesn't exist anyway — 6.12.6 is the latest 6.x.
Pull request overview
This PR hardens dependency installation and CI for the React hooks package by adding pnpm supply-chain controls, refreshing shared GitHub workflows, narrowing CI Node versions, and bumping the package version.
Changes:
- Adds pnpm supply-chain settings and transitive dependency overrides.
- Updates shared CI/publish workflow references to v1.2.0.
- Bumps package version to 1.6.0 and removes Node 20 from the CI matrix.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Adds pnpm hardening settings and audit-driven dependency overrides. |
| package.json | Bumps package version to 1.6.0. |
| .github/workflows/npm-publish.yml | Updates reusable npm publish workflow reference. |
| .github/workflows/js-checks.yml | Updates reusable JS checks workflow and CI Node matrix. |
Comments suppressed due to low confidence (2)
pnpm-workspace.yaml:51
- This group also redirects vulnerable Hono 4.x ranges to an unbounded `>=4.x` target. If Hono 5+ is published before a future lockfile refresh, pnpm may install that major for dependencies that asked for Hono 4, turning this security override into a compatibility break. Please cap or pin the replacement within the known-compatible major.

```yaml
hono@<4.11.10: ">=4.11.10"
hono@<4.12.12: ">=4.12.12"
hono@<4.12.14: ">=4.12.14"
hono@<4.12.16: ">=4.12.16"
hono@<4.12.18: ">=4.12.18"
hono@<4.12.4: ">=4.12.4"
hono@<4.12.7: ">=4.12.7"
hono@>=4.0.0 <=4.12.11: ">=4.12.12"
```
pnpm-workspace.yaml:66
- The Vite override is also open-ended, so a future lockfile regeneration can satisfy a Vite 7 advisory with Vite 8+ even for transitive packages that requested Vite 7. That can change plugin APIs and engine requirements unexpectedly; please pin or bound the override to the fixed Vite 7 range unless a major upgrade is intentional and tested.

```yaml
vite@>=7.0.0 <=7.3.1: ">=7.3.2"
vite@>=7.1.0 <=7.3.1: ">=7.3.2"
```
gabmontes reviewed May 15, 2026

```yaml
packages:
  - "."
overrides:
```
Contributor
Too many overrides. Seems fragile and smells...
Contributor
Author
It comes from running `pnpm audit --fix`, not from AI. Thoughts?
Sequential `pnpm audit --fix` runs accumulated overlapping entries where later, stronger ranges subsume earlier ones (e.g. four axios entries collapse to one). Drops 18 subsumed entries spanning axios, fast-uri, flatted, h3, hono, lodash, minimatch, and vite. Also restores the `# 7 days in minutes` comment on `minimumReleaseAge` lost during the prior reorganization. The lockfile re-renders under pnpm 10.28.1 (single-quoted YAML, more compact resolution blocks) but resolves the same 1989 packages — no version drift. Typecheck, lint, tests, and build all pass.
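The two override problems raised in this thread, replacement ranges with no upper bound (the Copilot comments on the hono and vite groups) and overlapping entries that a later, stronger entry subsumes (the commit above), are both mechanical enough to check before a lockfile refresh. The script below is an added example, not code from this PR or the hemilabs project. It assumes the `overrides:` block uses the one-line `pkg@selector: "replacement"` shape that `pnpm audit --fix` writes, so it needs no YAML library. The sample workspace file is constructed: the hono lines are the ones quoted in the review, the vite line is given a capped replacement for contrast, and the `minimumReleaseAge` value is 7 days expressed in minutes to match the restored comment.

```javascript
// Added example (not from the PR or the hemilabs project): audit the `overrides:` block
// of a pnpm-workspace.yaml for (1) replacement ranges with no upper bound, which a later
// lockfile refresh could resolve to a new major, and (2) entries that a stronger entry
// for the same package already subsumes. Only the `pkg@selector: "replacement"` line
// shape emitted by `pnpm audit --fix` is parsed.

// Constructed sample: settings from the PR description, hono lines from the review,
// a capped vite replacement for contrast, minimumReleaseAge = 7 days in minutes.
const SAMPLE_WORKSPACE_YAML = `
packages:
  - "."
blockExoticSubdeps: true
lockfileIncludeTarballUrl: true
trustPolicy: no-downgrade
minimumReleaseAge: 10080 # 7 days in minutes
overrides:
  hono@<4.11.10: ">=4.11.10"
  hono@<4.12.12: ">=4.12.12"
  hono@<4.12.14: ">=4.12.14"
  hono@<4.12.16: ">=4.12.16"
  hono@<4.12.18: ">=4.12.18"
  hono@<4.12.4: ">=4.12.4"
  hono@<4.12.7: ">=4.12.7"
  hono@>=4.0.0 <=4.12.11: ">=4.12.12"
  vite@>=7.0.0 <=7.3.1: ">=7.3.2 <8"
`;

// "x.y.z" -> [x, y, z]; null for anything that is not a bare version.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// ">=4.0.0 <=4.12.11" or "<4.12.18" -> { lower, upper }; null means open on that side.
function parseSelector(selector) {
  const bounds = { lower: null, upper: null };
  for (const tok of selector.trim().split(/\s+/)) {
    const m = /^(>=|<=|<|>)(\d+\.\d+\.\d+)$/.exec(tok);
    if (!m) throw new Error(`unsupported selector token: ${tok}`);
    const bound = { version: parseVersion(m[2]), inclusive: m[1].length === 2 };
    if (m[1][0] === '>') bounds.lower = bound; else bounds.upper = bound;
  }
  return bounds;
}

// Lowest version a replacement admits (">=Y", "^Y", "~Y" or an exact "Y").
function replacementFloor(range) {
  const m = /(?:>=|\^|~)?(\d+\.\d+\.\d+)/.exec(range);
  return m ? parseVersion(m[1]) : null;
}

// Bounded = exact pin, caret/tilde range, or an explicit "<" / "<=" cap.
// A bare ">=x.y.z" is the open-ended shape the review flagged.
function hasUpperBound(range) {
  const r = range.trim();
  if (parseVersion(r) || /^[~^]/.test(r)) return true;
  return /<=?\s*\d/.test(r);
}

// Read the `overrides:` block into { pkg, selector, replacement } entries.
function parseOverrides(yamlText) {
  const entries = [];
  let inOverrides = false;
  for (const line of yamlText.split('\n')) {
    if (/^overrides:\s*$/.test(line)) { inOverrides = true; continue; }
    if (inOverrides && /^\S/.test(line)) inOverrides = false; // next top-level key
    if (!inOverrides) continue;
    const m = /^\s+(@?[^@\s]+)@([^:]+):\s*["']?(.+?)["']?\s*$/.exec(line);
    if (m) entries.push({ pkg: m[1], selector: m[2].trim(), replacement: m[3] });
  }
  return entries;
}

// b's bound is at least as wide as a's on one side (lower: starts no later; upper: ends no earlier).
function covers(bBound, aBound, side) {
  if (bBound === null) return true;          // b is open on this side
  if (aBound === null) return false;         // a is open but b is not
  const c = compareVersions(bBound.version, aBound.version);
  if (c !== 0) return side === 'lower' ? c < 0 : c > 0;
  return bBound.inclusive || !aBound.inclusive;
}

// b subsumes a when it matches every version a matches and replaces with a version at least as new.
function subsumes(b, a) {
  if (b.pkg !== a.pkg) return false;
  const sb = parseSelector(b.selector), sa = parseSelector(a.selector);
  return covers(sb.lower, sa.lower, 'lower') && covers(sb.upper, sa.upper, 'upper') &&
    compareVersions(replacementFloor(b.replacement), replacementFloor(a.replacement)) >= 0;
}

// Drop entries another entry subsumes; among mutually subsuming duplicates keep the first.
function collapseSubsumed(entries) {
  return entries.filter((a, i) =>
    !entries.some((b, j) => j !== i && subsumes(b, a) && !(subsumes(a, b) && i < j)));
}

function unboundedOverrides(entries) {
  return entries.filter((e) => !hasUpperBound(e.replacement));
}

function auditWorkspace(yamlText) {
  const entries = parseOverrides(yamlText);
  return { total: entries.length, collapsed: collapseSubsumed(entries), unbounded: unboundedOverrides(entries) };
}

const report = auditWorkspace(SAMPLE_WORKSPACE_YAML);
console.log(`${report.total} override(s), ${report.collapsed.length} after collapsing subsumed entries`);
for (const e of report.unbounded) console.log(`unbounded replacement: ${e.pkg}@${e.selector}: "${e.replacement}"`);
```

On the sample, the eight hono entries collapse to the single `hono@<4.12.18: ">=4.12.18"` line (the `>=4.0.0 <=4.12.11` entry is covered too, since everything at or below 4.12.11 is below 4.12.18 and 4.12.18 is newer than 4.12.12), and all eight are reported as unbounded, while the capped vite entry passes both checks. The subsumption rule is deliberately conservative: a selector is only absorbed when the stronger entry matches every version it matches and replaces with a version no older, so nothing a narrower entry pinned is silently loosened.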
ArturDolzan
approved these changes
May 16, 2026
Description
Sweep of pnpm and CI hardening on this branch:
- pnpm supply-chain settings (`blockExoticSubdeps`, `lockfileIncludeTarballUrl`, `trustPolicy: no-downgrade`, `minimumReleaseAge`, etc.)
- `pnpm audit --fix` overrides for vulnerable transitive deps. One suggested override (`ajv@<6.14.0: '>=6.14.0'`) was skipped — its unbounded replacement deduped @eslint/eslintrc's ajv 6.x against an existing ajv 8.x in the tree and broke ESLint

Commits:
Screenshots
N/A
Related issue(s)
N/A
Checklist