Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .changeset/wizard-anthropic-sdk-security-pin.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
"@cipherstash/wizard": patch
---

Add `@anthropic-ai/sdk` `^0.106.0` as a direct dependency so the
auto-installed peer of `@anthropic-ai/claude-agent-sdk` resolves to a release
patched against GHSA-p7fg-763f-g4gf, instead of the vulnerable 0.81.0 the
peer range alone would select. The wizard never imports the SDK directly —
this is a peer-resolution pin only; no behaviour change.
38 changes: 38 additions & 0 deletions e2e/tests/supply-chain.e2e.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,44 @@ describe('supply chain — pnpm configuration', () => {
expect(Array.isArray(allow)).toBe(true)
expect(allow.length).toBeLessThanOrEqual(3)
})

it('minimumReleaseAgeExclude contains only first-party packages', () => {
// The cooldown exclusion list exists for first-party packages that ship
// on their own release cadence. Third-party security fixes must use the
// one-off bypass (`pnpm install --config.minimum-release-age=0` with an
// exact pin) instead — a name-scoped exclusion exempts every future
// release of the package. See SKILL.md "Bypass the install cooldown".
const ws = readYaml('pnpm-workspace.yaml') as {
minimumReleaseAgeExclude?: string[]
}
const FIRST_PARTY = [/^@prisma-next\//, /^@cipherstash\//]
for (const entry of ws.minimumReleaseAgeExclude ?? []) {
expect(
FIRST_PARTY.some((re) => re.test(entry)),
`"${entry}" is not a first-party cooldown exclusion`,
).toBe(true)
}
})

it('security overrides stay range-scoped and remain a small allowlist (≤12 entries)', () => {
// Every override must be scoped to the advisory's vulnerable range
// (`pkg@<range>`), never a blanket `pkg` pin — a blanket pin silently
// rewrites versions outside the vulnerable range forever. The count cap
// mirrors onlyBuiltDependencies: growth forces a conscious review.
const ws = readYaml('pnpm-workspace.yaml') as {
overrides?: Record<string, string>
}
const selectors = Object.keys(ws.overrides ?? {})
expect(selectors.length).toBeLessThanOrEqual(12)
for (const selector of selectors) {
// A version-scoped selector has an `@` after the package name
// (position > 0 handles `@scope/pkg@range`).
expect(
selector.lastIndexOf('@') > 0,
`override "${selector}" is not scoped to a version range`,
).toBe(true)
}
})
})

describe('supply chain — registry pinning (.npmrc)', () => {
Expand Down
75 changes: 1 addition & 74 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -18,26 +18,6 @@
"url": "git+https://github.com/cipherstash/protectjs.git"
},
"license": "MIT",
"workspaces": {
"packages": [
"packages/*",
"examples/*"
],
"catalogs": {
"repo": {
"@cipherstash/auth": "0.40.0",
"tsup": "8.4.0",
"tsx": "4.19.3",
"typescript": "5.6.3",
"vitest": "3.1.3"
},
"security": {
"@clerk/nextjs": "6.39.2",
"next": "15.5.10",
"vite": "6.4.1"
}
}
},
"scripts": {
"build": "turbo build --filter './packages/*'",
"build:js": "turbo build --filter './packages/protect' --filter './packages/nextjs'",
Expand All @@ -58,7 +38,7 @@
"@biomejs/biome": "^2.4.15",
"@changesets/cli": "^2.31.0",
"@types/node": "^22.19.19",
"js-yaml": "^4.1.1",
"js-yaml": "^4.2.0",
Comment thread
coderabbitai[bot] marked this conversation as resolved.
"rimraf": "^6.1.3",
"turbo": "2.9.14",
"vitest": "catalog:repo"
Expand All @@ -82,58 +62,5 @@
"onlyBuiltDependencies": [
"node-pty"
]
},
"overrides": {
"@babel/runtime": "7.26.10",
"brace-expansion@^5": ">=5.0.5",
"body-parser": "2.2.1",
"vite": "catalog:security",
"pg": "^8.16.3",
"postgres": "^3.4.7",
"js-yaml": "4.1.1",
"test-exclude": "^7.0.1",
"glob": ">=11.1.0",
"qs": ">=6.14.1",
"lodash": ">=4.18.0",
"minimatch": ">=10.2.3",
"@isaacs/brace-expansion": ">=5.0.1",
"fast-xml-parser": ">=5.3.4",
"next": ">=15.5.15",
"ajv": ">=8.18.0",
"esbuild@<=0.24.2": ">=0.25.0",
"picomatch@^4": ">=4.0.4",
"picomatch@^2": ">=2.3.2",
"rollup@>=4.0.0 <4.59.0": ">=4.59.0",
"drizzle-orm": ">=0.45.2",
"postcss": ">=8.5.10",
"hono": ">=4.12.14",
"@hono/node-server": ">=1.19.13",
"@prisma-next/adapter-postgres": "0.6.0-dev.8",
"@prisma-next/cli": "0.6.0-dev.8",
"@prisma-next/config": "0.6.0-dev.8",
"@prisma-next/contract": "0.6.0-dev.8",
"@prisma-next/contract-authoring": "0.6.0-dev.8",
"@prisma-next/driver-postgres": "0.6.0-dev.8",
"@prisma-next/emitter": "0.6.0-dev.8",
"@prisma-next/errors": "0.6.0-dev.8",
"@prisma-next/family-sql": "0.6.0-dev.8",
"@prisma-next/framework-components": "0.6.0-dev.8",
"@prisma-next/ids": "0.6.0-dev.8",
"@prisma-next/migration-tools": "0.6.0-dev.8",
"@prisma-next/operations": "0.6.0-dev.8",
"@prisma-next/psl-parser": "0.6.0-dev.8",
"@prisma-next/psl-printer": "0.6.0-dev.8",
"@prisma-next/sql-contract": "0.6.0-dev.8",
"@prisma-next/sql-contract-emitter": "0.6.0-dev.8",
"@prisma-next/sql-contract-psl": "0.6.0-dev.8",
"@prisma-next/sql-contract-ts": "0.6.0-dev.8",
"@prisma-next/sql-errors": "0.6.0-dev.8",
"@prisma-next/sql-operations": "0.6.0-dev.8",
"@prisma-next/sql-relational-core": "0.6.0-dev.8",
"@prisma-next/sql-runtime": "0.6.0-dev.8",
"@prisma-next/sql-schema-ir": "0.6.0-dev.8",
"@prisma-next/target-postgres": "0.6.0-dev.8",
"@prisma-next/ts-render": "0.6.0-dev.8",
"@prisma-next/utils": "0.6.0-dev.8"
}
}
1 change: 1 addition & 0 deletions packages/nextjs/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
"devDependencies": {
"@clerk/nextjs": "catalog:security",
"dotenv": "^17.4.2",
"next": "catalog:security",
"tsup": "catalog:repo",
"typescript": "catalog:repo",
"vitest": "catalog:repo"
Expand Down
1 change: 1 addition & 0 deletions packages/wizard/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
},
"dependencies": {
"@anthropic-ai/claude-agent-sdk": "^0.3.143",
"@anthropic-ai/sdk": "^0.106.0",
"@cipherstash/auth": "catalog:repo",
Comment thread
coderdan marked this conversation as resolved.
"@clack/prompts": "1.4.0",
"dotenv": "17.4.2",
Expand Down
Loading
Loading