Fix vulnerability and switch to npm #262

Merged: lucperkins merged 2 commits into main from fix-vulns-switch-to-npm on Apr 1, 2026

@lucperkins lucperkins commented Apr 1, 2026

Summary by CodeRabbit

  • Chores
    • Switched package manager from pnpm to npm across the project.
    • Improved CI/CD pipeline with npm package caching for faster builds.
    • Updated dependency version constraints to ensure compatibility.

coderabbitai Bot commented Apr 1, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • dist/index.js is excluded by !**/dist/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d1a88fbe-9f8c-4b80-9829-ad2696e69d3c

Walkthrough

This PR migrates the project's package management from pnpm to npm. Changes include updating the CI workflow to use npm ci and npm run with caching, removing pnpm from the development environment, updating build scripts, and replacing pnpm lockfile references with npm equivalents.

Changes

Cohort / File(s): Summary

  • CI & Development Environment (.github/workflows/ci.yml, flake.nix): Switched from pnpm install to npm ci, changed all task invocations to npm run, added npm cache configuration via actions/cache@v4, and replaced pnpm package with a blocking script in the Nix shell.
  • Package Manager Configuration (package.json, .prettierignore): Updated the all script to invoke npm run instead of pnpm run, added brace-expansion override to 2.0.3, and replaced pnpm-lock.yaml with package-lock.json in ignore rules.
  • Dependency Resolution (pnpm-workspace.yaml): Removed workspace configuration block for build allowances and added vite version resolution overrides for 7.1.0-7.1.10 and 7.1.0-7.1.4.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Update vite versions #218 — Both PRs add matching vite version resolution overrides to pnpm-workspace.yaml for the same version ranges.
  • Update deps #259 — Related through pnpm-workspace.yaml modifications, though in opposite directions (this PR removes allowBuilds while the other adds it).

Suggested reviewers

  • cole-h
  • gustavderdrache

Poem

🐰 From pnpm to npm we leap today,
Hopping through workflows in a faster way,
Lock files replaced and caches renewed,
The nix shell blessed with npm's gratitude,
A migration swift, no more pnpm delays! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name: Status, Explanation

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: fixing a vulnerability (brace-expansion override in package.json) and switching the project from pnpm to npm across CI, scripts, and build configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@lucperkins lucperkins enabled auto-merge April 1, 2026 15:44
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 35: The workflow currently uses a mutable tag "actions/cache@v4"; update
the step that references actions/cache to pin it to the full commit SHA
(0057852bfa1d2a6c5884b8e6588e233eb3b10a0d) so it becomes actions/cache@<sha>
(i.e., use the specific commit for the uses: entry) to avoid relying on a
mutable tag; locate the uses: actions/cache@v4 line in the CI workflow and
replace the tag with the provided SHA.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1e787728-954c-4059-ad93-4dadc12f02e8

📥 Commits

Reviewing files that changed from the base of the PR and between 1229b72 and 1ac9fbc.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .prettierignore
  • flake.nix
  • package.json
  • pnpm-workspace.yaml
💤 Files with no reviewable changes (1)
  • pnpm-workspace.yaml

Comment thread .github/workflows/ci.yml
echo "directory=$(nix develop --command npm config get cache | tr -d '\n')" >> $GITHUB_OUTPUT

- name: Set up npm cache
uses: actions/cache@v4
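
Review bot: On the echo "directory=$(...)" line, a failure of nix develop --command npm config get cache inside the command substitution is not propagated by echo, so directory= would be written empty and any later step that reads this output would get an empty value. Assign the result to a variable first, fail the step if it is empty, and quote the redirect target as >> "$GITHUB_OUTPUT".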
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Resolve the current commit behind v4 so it can be pinned explicitly.
# Requires gh CLI auth in environments where API rate limits apply.
gh api repos/actions/cache/commits/v4 --jq '.sha'

Repository: DeterminateSystems/update-flake-lock

Length of output: 240


🏁 Script executed:

# Check the actual file content at line 35
sed -n '30,40p' .github/workflows/ci.yml

Repository: DeterminateSystems/update-flake-lock

Length of output: 524


🌐 Web query:

GitHub Actions actions/cache v4 commit SHA pinning best practices supply chain security

💡 Result:

Best practices for using GitHub Actions actions/cache@v4 with commit SHA pinning for supply chain security:

1. Pin to a full-length commit SHA instead of a tag like @v4. Tags are mutable and can be updated to malicious code by repository owners with write access, creating a supply chain attack vector. Full SHA pinning ensures immutability, as changing the code would require a SHA-1 collision.

2. Official GitHub recommendation from security docs: "Pin actions to a full-length commit SHA. Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release."

3. For actions/cache specifically, the repository recommends using the SHA of version v4.2.0 or later (e.g., v4.3.0 as of Sep 2025) for pinning, especially due to backend changes in v4.2.0. Examples from releases: v4.3.0 SHA is 0057852bfa..., v4.2.3 SHA is 5a3ec84... To find the exact full SHA for a tag:
  • Go to https://github.com/actions/cache/releases
  • Select the tag (e.g., v4.3.0)
  • Copy the full commit SHA from the release page or tag commit.
Example pinned usage: uses: actions/cache@0057852 # v4.3.0

4. Additional practices:
  • Use tools like ratchet or pin-github-action to automate pinning and updates.
  • Enable organization/repository policies to enforce SHA pinning.
  • Use Dependabot to update pinned SHAs to newer secure versions.
  • Audit action source code and monitor for vulnerabilities via GitHub dependency graph.

This mitigates risks from compromised actions, as seen in real incidents like TJ-Actions breach.

🌐 Web query:

actions/cache@v4 GitHub commit hash what version

💡 Result:

The latest version under the actions/cache@v4 tag/branch is v4.3.0, released on 2025-09-24. Its commit hash is 0057852bfa (short SHA 0057852). This is the commit for the v4.3.0 tag, as shown on the releases page and mirrors. Official docs recommend pinning to v4.2.0 SHA for stability during migration, but v4.3.0 is the current latest for @v4. The v4 branch points to this latest state with 671 commits as of recent data.

Pin actions/cache to a commit SHA.

Using actions/cache@v4 relies on a mutable tag. GitHub's official security guidance recommends pinning actions to a full-length commit SHA to prevent supply chain attacks where a compromised maintainer could update the tag to malicious code. The current latest version is v4.3.0 (commit 0057852bfa1d2a6c5884b8e6588e233eb3b10a0d). Update to:

uses: actions/cache@0057852bfa1d2a6c5884b8e6588e233eb3b10a0d # v4.3.0
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 35, The workflow currently uses a mutable
tag "actions/cache@v4"; update the step that references actions/cache to pin it
to the full commit SHA (0057852bfa1d2a6c5884b8e6588e233eb3b10a0d) so it becomes
actions/cache@<sha> (i.e., use the specific commit for the uses: entry) to avoid
relying on a mutable tag; locate the uses: actions/cache@v4 line in the CI
workflow and replace the tag with the provided SHA.
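
The pinning rule from the review comment above can be checked mechanically. The following is an added example, not code from this PR or from the project: it scans workflow text for uses: entries whose ref is not a full 40-character commit SHA, and it treats abbreviated hashes as unpinned because the guidance asks for the full-length SHA. The function name, the sample workflow and example-org/example-action are constructed for illustration.

```python
import re

# Matches a `uses:` entry in a step or job, with an optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return (line_number, action, ref) for each `uses:` not pinned to a full SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions and container images are not resolved through a git ref.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((number, action, ref))
    return findings


# Constructed sample workflow (hypothetical, not the project's ci.yml).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up npm cache
        uses: actions/cache@v4
      - name: Pinned cache
        uses: actions/cache@0057852bfa1d2a6c5884b8e6588e233eb3b10a0d # v4.3.0
      - name: Abbreviated hash
        uses: actions/cache@0057852 # v4.3.0
      - uses: ./.github/actions/local-setup
      - uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for number, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {action}@{ref or '<no ref>'} is not pinned to a full commit SHA")
```

Run against every file under .github/workflows in CI, a non-empty result can fail the build before a mutable tag reaches main.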

@lucperkins lucperkins merged commit 3c4f567 into main Apr 1, 2026
3 checks passed
@lucperkins lucperkins deleted the fix-vulns-switch-to-npm branch April 1, 2026 15:50