Supply chain improvements #34

Merged: dgreif merged 1 commit into main from supply-chain-improvements on Jun 3, 2026
Conversation

@dgreif (Contributor) commented Jun 3, 2026

Summary

  • Added project .npmrc with min-release-age=3.
  • Updated CI and publish workflows to Node 26 where applicable.
  • Updated actions/checkout to v6.0.3 and actions/setup-node to v6.4.0, pinned to full commit SHAs.
  • Updated Vitest/browser testing to 4.1.8 with the Vitest 4 Playwright provider package and config.
  • Updated Playwright to 1.60.0 and refreshed npm audit-related dev dependencies.

Ecosystems detected

  • npm package with GitHub Actions CI and npm publish workflow.

Recommendations applied

  • Kept CI installs on npm ci.
  • Kept npm publishing on OIDC/provenance (id-token: write and npm publish --provenance).
  • Ran npm audit fix and resolved reported vulnerabilities.

Not applied

  • No Node version requirement was added to package.json.
  • No Node version files were added.

Human review notes

  • Confirm npm trusted publishing is configured for this repository and release workflow before publishing.
  • npm 11.6.0 currently warns that min-release-age is an unknown project config while still preserving the requested .npmrc setting.

Validation

  • npm install
  • npm ci
  • npm run build --if-present
  • npm test
  • npm audit --audit-level=moderate

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
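The PR body says actions/checkout and actions/setup-node were pinned to full commit SHAs. As an added check, not part of this PR or the project's code, the Node script below scans a workflow file's text for `uses:` references and reports anything that is not pinned to a full 40-hex-digit commit SHA (a mutable tag or branch, an abbreviated SHA, or no ref at all), and whether a pinned step carries the conventional `# vX.Y.Z` version comment that update tooling relies on. The sample workflow, the `some-org/some-action` name and the 40-hex SHA in it are all constructed placeholders, not the project's real files or real action commits.

```javascript
// Added example (not the PR's or the project's code): flag GitHub Actions
// `uses:` references that are not pinned to a full commit SHA. Line-based, so
// it needs no YAML dependency; it recognises the usual "- uses: owner/repo@ref"
// step form, optionally quoted and optionally followed by a "# vX.Y.Z" comment.

const FULL_SHA = /^[0-9a-f]{40}$/;
const SHORT_SHA = /^[0-9a-f]{7,39}$/;
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^"'\s#]+)["']?\s*(?:#\s*(.*))?$/;

// Classify one action reference. Returns a status plus a human-readable reason
// for anything a reviewer should look at.
function classifyUses(spec, comment) {
  if (spec.startsWith('./')) return { status: 'local' };          // in-repo action: nothing to pin
  if (spec.startsWith('docker://')) return { status: 'docker' };  // pin by image digest, out of scope here
  const at = spec.lastIndexOf('@');
  if (at === -1) {
    return { status: 'unpinned', action: spec, ref: '', reason: 'no ref (floats to the default branch)' };
  }
  const action = spec.slice(0, at);
  const ref = spec.slice(at + 1);
  if (FULL_SHA.test(ref)) {
    // A bare SHA is unreadable; the trailing "# vX.Y.Z" comment is how humans
    // and update tooling know which release the SHA corresponds to.
    return comment
      ? { status: 'pinned', action, ref, version: comment.trim() }
      : { status: 'pinned', action, ref, version: null, reason: 'no version comment after the SHA' };
  }
  if (SHORT_SHA.test(ref)) {
    return { status: 'unpinned', action, ref, reason: 'abbreviated SHA (prefix collisions are possible)' };
  }
  return { status: 'unpinned', action, ref, reason: 'mutable tag or branch' };
}

// Scan a whole workflow file's text; returns one finding per `uses:` line.
function auditWorkflow(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    findings.push({ line: idx + 1, spec: m[1], ...classifyUses(m[1], m[2]) });
  });
  return findings;
}

// Convenience for a CI gate: number of references that must be fixed.
function unpinnedCount(text) {
  return auditWorkflow(text).filter((f) => f.status === 'unpinned').length;
}

// Constructed sample workflow (not the project's file). The 40-hex SHA and
// some-org/some-action are placeholders, not real commits or actions.
const SAMPLE_WORKFLOW = `name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
      - uses: actions/setup-node@v6
        with:
          node-version: 26
      - uses: some-org/some-action@0123456
      - uses: ./.github/actions/local-thing
      - run: npm ci
`;

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.status.padEnd(8)} ${f.spec}${f.reason ? '  <- ' + f.reason : ''}`);
}
```

Run it over every file under `.github/workflows/` and fail the job when `unpinnedCount` is non-zero; an abbreviated SHA is reported as unpinned on purpose, since a short prefix can be made to collide and GitHub only guarantees immutability for the full SHA.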
@dgreif dgreif marked this pull request as ready for review June 3, 2026 17:27
@dgreif dgreif requested a review from a team as a code owner June 3, 2026 17:27
Copilot AI review requested due to automatic review settings June 3, 2026 17:27

Copilot AI left a comment

Pull request overview

This PR aims to improve the project’s supply-chain posture and modernize the CI/testing toolchain for the npm package by adding an npm release-age cooldown setting, upgrading CI Node versions, and updating the Vitest/Playwright browser testing stack.

Changes:

  • Added a project .npmrc to configure npm’s minimum release age gate.
  • Updated GitHub Actions workflows to use Node 26 and pinned actions/checkout / actions/setup-node to full commit SHAs.
  • Upgraded Vitest browser testing to Vitest 4 with the Playwright provider package and updated Playwright/dev dependencies accordingly.
Summary per file

  • vitest.config.ts: Switches Vitest browser provider configuration to the Vitest 4 Playwright provider API.
  • package.json: Updates Vitest/Playwright and related dev dependencies (including new @vitest/browser-playwright).
  • .npmrc: Introduces npm min-release-age configuration intended to reduce exposure to newly-published packages.
  • .github/workflows/publish.yml: Pins actions to SHAs and moves publish workflow to Node 26.
  • .github/workflows/node.js.yml: Updates CI matrix to 24.x/26.x and pins actions to SHAs.

Copilot's findings

  • Files reviewed: 5/6 changed files
  • Comments generated: 1

Comment thread .npmrc
@@ -0,0 +1 @@
min-release-age=3
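Review bot: the single line `min-release-age=3` carries neither a unit nor a comment, and the PR body itself notes that npm 11.6.0 treats `min-release-age` as an unknown project config and only warns, so a reader of this file cannot tell whether the cooldown is actually enforced by the npm that the CI and publish jobs run. Suggest a `;` comment line above it stating the intended unit of the value and the minimum npm version that honours the key, and checking in the CI and publish jobs that `npm ci` no longer prints the unknown-config warning; otherwise the gate is documented but not active.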
@dgreif dgreif merged commit 867a741 into main Jun 3, 2026
6 checks passed
3 participants