Skip to content

ecto - chore: harden pnpm-workspace.yaml with supply chain controls#375

Merged
jaredwray merged 1 commit into
mainfrom
chore/pnpm-supply-chain
May 25, 2026
Merged

ecto - chore: harden pnpm-workspace.yaml with supply chain controls#375
jaredwray merged 1 commit into
mainfrom
chore/pnpm-supply-chain

Conversation

@jaredwray

Copy link
Copy Markdown
Owner

Summary

Apply agentic defense-in-depth Section 4 recommended baseline to pnpm-workspace.yaml.

Changes

  • minimumReleaseAge 288010080 (7 days, up from 2 days)
  • Added minimumReleaseAgeStrict: true — resolution fails instead of falling back to too-new versions
  • Added minimumReleaseAgeIgnoreMissingTime: false — missing publish-time metadata fails closed
  • Added blockExoticSubdeps: true — blocks exotic subdependency sources
  • Added strictDepBuilds: true — strict lifecycle script control
  • Added dangerouslyAllowAllBuilds: false — explicit denial of unchecked build scripts
  • Added trustPolicy: no-downgrade
  • Preserved existing allowBuilds entries (esbuild, unrs-resolver, @biomejs/biome, workerd)

Verification

  • pnpm install --frozen-lockfile passes
  • pnpm build passes
  • pnpm test passes (237 tests, 100% coverage)

Reference

defense-in-depth-nodejs.md § 4


Generated by Claude Code

Apply agentic defense-in-depth Section 4 recommended baseline:
- minimumReleaseAge 2880 → 10080 (7 days)
- minimumReleaseAgeStrict: true
- minimumReleaseAgeIgnoreMissingTime: false
- blockExoticSubdeps: true
- strictDepBuilds: true
- dangerouslyAllowAllBuilds: false
- trustPolicy: no-downgrade

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request attempts to add several supply chain security configuration options to pnpm-workspace.yaml. However, these fields are not supported or recognized by pnpm in this file, which could lead to parsing errors. It is recommended to use standard pnpm configuration fields in package.json instead.

Comment thread pnpm-workspace.yaml
@codecov

codecov Bot commented May 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (b688855) to head (89602d0).

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #375   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            9         9           
  Lines          413       413           
  Branches        96        96           
=========================================
  Hits           413       413           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jaredwray jaredwray merged commit 3ec0044 into main May 25, 2026
11 checks passed
@jaredwray jaredwray deleted the chore/pnpm-supply-chain branch May 25, 2026 17:06
@jaredwray jaredwray mentioned this pull request May 25, 2026
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants