From 123c6a0eaa8391c0793aa1a9e49966ce53ea9b2b Mon Sep 17 00:00:00 2001
From: murderteeth <89237203+murderteeth@users.noreply.github.com>
Date: Thu, 14 May 2026 06:15:19 +0000
Subject: [PATCH] Supply-chain hardening sweep
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2 PM config(s); pin 21 deps; freeze 2 install lines; pin 4 actions; vercel.json 1+0 🛡️ Automated
---
 .github/workflows/addressChecks.yml | 4 +--
 .github/workflows/documentation.yml | 4 +--
 .github/workflows/lint.yml | 4 +--
 .npmrc | 1 +
 bun.lock | 42 ++++++++++++++---------------
 bunfig.toml | 5 ++++
 package.json | 42 ++++++++++++++---------------
 vercel.json | 3 +++
 8 files changed, 57 insertions(+), 48 deletions(-)
 create mode 100644 .npmrc
 create mode 100644 bunfig.toml
 create mode 100644 vercel.json
diff --git a/.github/workflows/addressChecks.yml b/.github/workflows/addressChecks.yml
index 0c2443402..8817cb74a 100644
--- a/.github/workflows/addressChecks.yml
+++ b/.github/workflows/addressChecks.yml
@@ -12,7 +12,7 @@ jobs: contents: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Bun run: |
@@ -21,7 +21,7 @@ jobs: - name: Install dependencies and build run: | - bun install + bun install --frozen-lockfile bun run build - name: Run checks and update data
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index fa2398038..91dc44ce7 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
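Review bot: The trailing `# v4` on the pinned `actions/checkout` line in the first addressChecks.yml hunk names only the moving major tag, so a later reader cannot tell which release the SHA was resolved from or notice when it falls behind; record the exact release instead, `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y`, where x.y is a placeholder for the release the sweep actually resolved. The same applies to the checkout pins in documentation.yml and lint.yml and to the `# v1` on the `tcort/github-action-markdown-link-check` pin. Nothing on the page shows that either SHA is a commit in the upstream repository's own history, and since an automated sweep produced them, that should be confirmed against the upstream tags before merge. The job's step list continues outside both hunks.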
@@ -8,14 +8,14 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Bun run: | curl -fsSL https://bun.sh/install | bash echo "$HOME/.bun/bin" >> $GITHUB_PATH - name: Install dependencies and build run: | - bun install + bun install --frozen-lockfile bun run build - name: Check if PR is from a fork
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0502ff740..1b40a69f1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,7 +12,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # with: # # Make sure the actual branch is checked out when running on pull requests # ref: ${{ github.head_ref }}
@@ -25,7 +25,7 @@ jobs: # commit_message: "ci: run linter" - name: Check markdown links - uses: tcort/github-action-markdown-link-check@v1 + uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1 with: use-quiet-mode: "yes" check-modified-files-only: "yes"
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 000000000..cffe8cdef
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+save-exact=true
diff --git a/bun.lock b/bun.lock
index 1375d5720..d77a8a618 100644
--- a/bun.lock
+++ b/bun.lock
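Review bot: The `Install Bun` step kept as context in the documentation.yml hunk still runs `curl -fsSL https://bun.sh/install | bash`, which pulls whatever installer and Bun release are current at run time, in a job that holds `contents: write`; pinning the checkout action while leaving this step unpinned leaves the larger gap open. Pass an explicit release to the installer, `curl -fsSL https://bun.sh/install | bash -s "bun-vX.Y.Z"` (X.Y.Z standing for the Bun version the project builds with), or replace the step with a setup action pinned by SHA. addressChecks.yml has a step of the same name between its two hunks, so it presumably needs the same change. The step list continues outside the hunk.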
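Review bot: The new `.npmrc` sets only `save-exact=true`, so an `npm install` run in this repository still executes dependency lifecycle scripts, while the bunfig.toml added in the same commit turns them off for Bun. If the two package-manager configs are meant to give the same protection, add `ignore-scripts=true` here as well.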
@@ -5,35 +5,35 @@ "": { "name": "yearn-devdocs", "dependencies": { - "@cmfcmf/docusaurus-search-local": "^2.0.1", + "@cmfcmf/docusaurus-search-local": "2.0.1", "@docusaurus/core": "3.9.2", - "@docusaurus/faster": "^3.9.2", + "@docusaurus/faster": "3.9.2", "@docusaurus/preset-classic": "3.9.2", "@docusaurus/theme-mermaid": "3.9.2", - "@mdx-js/react": "^3.1.1", - "@radix-ui/react-icons": "^1.3.2", - "@radix-ui/react-label": "^2.1.8", - "@radix-ui/react-select": "^2.2.6", - "@radix-ui/react-tabs": "^1.1.13", - "@radix-ui/react-tooltip": "^1.2.8", + "@mdx-js/react": "3.1.1", + "@radix-ui/react-icons": "1.3.2", + "@radix-ui/react-label": "2.1.8", + "@radix-ui/react-select": "2.2.6", + "@radix-ui/react-tabs": "1.1.13", + "@radix-ui/react-tooltip": "1.2.8", "clsx": "1.1.1", - "dotenv": "^16.6.1", + "dotenv": "16.6.1", "hast-util-is-element": "1.1.0", - "lucide-react": "^0.465.0", - "react": "^18.3.1", - "react-dom": "^18.3.1", - "recharts": "^2.15.4", - "rehype-katex": "^7.0.1", - "remark-math": "^6.0.0", - "solc": "^0.8.34", - "solidity-docgen": "^0.5.17", - "turndown": "^7.2.2", - "turndown-plugin-gfm": "^1.0.2", - "viem": "^2.46.3", + "lucide-react": "0.465.0", + "react": "18.3.1", + "react-dom": "18.3.1", + "recharts": "2.15.4", + "rehype-katex": "7.0.1", + "remark-math": "6.0.0", + "solc": "0.8.34", + "solidity-docgen": "0.5.17", + "turndown": "7.2.2", + "turndown-plugin-gfm": "1.0.2", + "viem": "2.46.3", }, "devDependencies": { "@docusaurus/module-type-aliases": "3.9.2", - "@openzeppelin/contracts": "^4.9.6", + "@openzeppelin/contracts": "4.9.6", "@tsconfig/docusaurus": "1.0.2", "@types/react": "18.3.1", "@types/react-helmet": "6.1.1",
diff --git a/bunfig.toml b/bunfig.toml
new file mode 100644
index 000000000..7c23d3566
--- /dev/null
+++ b/bunfig.toml
@@ -0,0 +1,5 @@
+
+[install]
+minimumReleaseAge = 604800
+ignoreScripts = true
+exact = true
diff --git a/package.json b/package.json
index 34b019f7c..8f704f5c8 100644
--- a/package.json
+++ b/package.json
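Review bot: `minimumReleaseAge` in the new bunfig.toml is, as far as I know, honoured only by recent Bun releases, while package.json in this commit still declares `"packageManager": "bun@1.1.0"`, so an install run with that version would likely skip the release-age hold without reporting anything. Raise the declared Bun version to one that supports the setting and use that same version in CI and on Vercel. The value also reads better with its unit stated, `minimumReleaseAge = 604800 # seconds (7 days)`. With `ignoreScripts = true` in place, confirm that `bun run build` still passes from a clean checkout, in case a dependency relies on an install script.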
@@ -23,31 +23,31 @@
 },
 "packageManager": "bun@1.1.0",
 "dependencies": {
- "@cmfcmf/docusaurus-search-local": "^2.0.1",
+ "@cmfcmf/docusaurus-search-local": "2.0.1",
 "@docusaurus/core": "3.9.2",
- "@docusaurus/faster": "^3.9.2",
+ "@docusaurus/faster": "3.9.2",
 "@docusaurus/preset-classic": "3.9.2",
 "@docusaurus/theme-mermaid": "3.9.2",
- "@mdx-js/react": "^3.1.1",
- "@radix-ui/react-icons": "^1.3.2",
- "@radix-ui/react-label": "^2.1.8",
- "@radix-ui/react-select": "^2.2.6",
- "@radix-ui/react-tabs": "^1.1.13",
- "@radix-ui/react-tooltip": "^1.2.8",
+ "@mdx-js/react": "3.1.1",
+ "@radix-ui/react-icons": "1.3.2",
+ "@radix-ui/react-label": "2.1.8",
+ "@radix-ui/react-select": "2.2.6",
+ "@radix-ui/react-tabs": "1.1.13",
+ "@radix-ui/react-tooltip": "1.2.8",
 "clsx": "1.1.1",
- "dotenv": "^16.6.1",
+ "dotenv": "16.6.1",
 "hast-util-is-element": "1.1.0",
- "lucide-react": "^0.465.0",
- "react": "^18.3.1",
- "react-dom": "^18.3.1",
- "recharts": "^2.15.4",
- "rehype-katex": "^7.0.1",
- "remark-math": "^6.0.0",
- "solc": "^0.8.34",
- "solidity-docgen": "^0.5.17",
- "turndown": "^7.2.2",
- "turndown-plugin-gfm": "^1.0.2",
- "viem": "^2.46.3"
+ "lucide-react": "0.465.0",
+ "react": "18.3.1",
+ "react-dom": "18.3.1",
+ "recharts": "2.15.4",
+ "rehype-katex": "7.0.1",
+ "remark-math": "6.0.0",
+ "solc": "0.8.34",
+ "solidity-docgen": "0.5.17",
+ "turndown": "7.2.2",
+ "turndown-plugin-gfm": "1.0.2",
+ "viem": "2.46.3"
 },
 "browserslist": {
 "production": [
@@ -63,7 +63,7 @@
 },
 "devDependencies": {
 "@docusaurus/module-type-aliases": "3.9.2",
- "@openzeppelin/contracts": "^4.9.6",
+ "@openzeppelin/contracts": "4.9.6",
 "@tsconfig/docusaurus": "1.0.2",
 "@types/react": "18.3.1",
 "@types/react-helmet": "6.1.1",
diff --git a/vercel.json b/vercel.json
new file mode 100644
index 000000000..9d8504c2f
--- /dev/null
+++ b/vercel.json
@@ -0,0 +1,3 @@
+{
+ "installCommand": "bun install --frozen-lockfile"
+}