Harden supply chain security #260
@codex review
| autoInstallPeers: false | ||
| blockExoticSubdeps: true | ||
| minimumReleaseAge: 4320 | ||
| minimumReleaseAge: 10080 |
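Review bot: the 7-day quarantine on the changed line also holds back releases that fix a vulnerability, so the PR should state how an urgent fix gets pulled in ahead of minimumReleaseAge (pnpm's minimumReleaseAgeExclude setting takes a list of package names for exactly that case), and the value wants an inline comment saying it is in minutes, because 10080 on its own does not read as a duration while the old 4320 at least suggested a small number of days.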
To improve readability and maintainability, consider adding a comment to explain that 10080 minutes is equivalent to 7 days. This context will be helpful for future developers who might not be aware of this conversion.
# Wait 7 days (7 * 24 * 60 = 10080 minutes) before using a new package release.
minimumReleaseAge: 10080
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1672956663
| - name: Audit production dependencies | ||
| run: pnpm audit --prod --audit-level=high |
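Review bot: the --prod flag on the run step leaves devDependencies out of the scan, yet build-time tooling is the part of the graph that actually executes on the runner during install and build, so for a change titled supply-chain hardening either drop --prod or add a second audit of the full tree, and put a comment next to --audit-level=high recording that moderate findings will not fail the job, since the threshold is otherwise an unexplained policy decision buried in a command line.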
Install dependencies before running audit
pnpm audit is documented to check vulnerabilities in installed packages, but this new audit job runs on a fresh GitHub runner and never executes pnpm install. In this workflow, that means the audit can run without a realized dependency tree and may miss vulnerable transitive packages, producing a false sense of coverage. Add an install step (for example pnpm install --frozen-lockfile) before invoking audit so the scan reflects the actual dependency graph.
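One way to act on the install-before-audit suggestion above, written here as an added example and not taken from the PR: a GitHub Actions job that restores the exact lockfile-resolved tree before auditing, skips third-party lifecycle scripts because the audit does not need them, and scans the build-time dependencies separately from the runtime ones. The workflow name, cron schedule, action versions, pnpm version and Node version are assumptions; substitute the repository's own.

```yaml
# Added example, not the PR's workflow. Action tags, pnpm and Node versions,
# and the schedule are assumptions to be replaced with the repo's own values.
name: dependency-audit

on:
  pull_request:
  schedule:
    # Daily run so an advisory published after merge fails the next run,
    # not only the next pull request.
    - cron: "0 6 * * *"

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # pnpm must be on PATH before setup-node can use it for caching.
      - uses: pnpm/action-setup@v4
        with:
          version: 10

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm

      # Realize the dependency tree exactly as pnpm-lock.yaml resolves it.
      # --frozen-lockfile fails the job if package.json and the lockfile
      # disagree, so a drifted lockfile cannot slip an unreviewed version past
      # the audit. --ignore-scripts keeps third-party install hooks from
      # running on the runner; the audit only needs the resolved tree.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile --ignore-scripts

      # Runtime surface: only high or critical findings fail the job.
      - name: Audit production dependencies
        run: pnpm audit --prod --audit-level=high

      # Build-time surface: devDependencies execute on this runner during
      # install and build, so scan them too. Reported at a lower threshold,
      # non-blocking until the findings have been triaged.
      - name: Audit full dependency tree
        run: pnpm audit --audit-level=moderate
        continue-on-error: true
```

The second audit step is deliberately non-blocking to start with; once the existing moderate findings in devDependencies are triaged, remove continue-on-error so regressions in build tooling fail the job the same way runtime findings do.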