Skip to content

chore(deps): pin package.json versions to lockfile-resolved#486

Closed
jefr90 wants to merge 3 commits into
mainfrom
chore/pin-package-versions-main
Closed

chore(deps): pin package.json versions to lockfile-resolved#486
jefr90 wants to merge 3 commits into
mainfrom
chore/pin-package-versions-main

Conversation

@jefr90

@jefr90 jefr90 commented May 28, 2026

Copy link
Copy Markdown
Contributor

Blocked by #530. Regenerate the pins after the dependency refresh merges.

Summary

Pin every entry in dependencies and devDependencies of every package.json in this repo to the exact version currently resolved by pnpm-lock.yaml. Goal: a fresh install without a lockfile cannot drift onto newer minors/patches, closing the malicious-patch-publishing supply-chain vector.

What was pinned

Workspace deps devDeps notes
./ (root) (n/a) hard-pinned (18)
packages/cli hard-pinned (4) hard-pinned (2, @types/node already exact)
packages/sdk hard-pinned (9) hard-pinned (6, @types/node already exact) runtime deps pinned for max security
packages/demo/backend hard-pinned (10) hard-pinned (3, @types/node already exact) peerDependencies untouched
packages/demo/frontend hard-pinned (17, @dynamic-labs/* already exact) hard-pinned (19)
packages/demo/contracts hard-pinned (1) hard-pinned (1)

Left alone (per the task rules): workspace:* links, peerDependencies (pino and pino-pretty in backend; all >= ranges in SDK as library contract), engines, root's pnpm.overrides and pnpm.peerDependencyRules (already provide transitive hardening), file/git/URL specifiers.

Lockfile

Ran pnpm install --lockfile-only to refresh specifier strings, then pnpm install --frozen-lockfile to verify. Both clean.

Diff breakdown:

  • 170 specifier: lines updated (intended pinning).
  • 26 stale duplicate package entries removed by pnpm install --lockfile-only cleanup: rollup@4.53.3 platform binaries (4.60.1 still present), postcss@8.5.9 (8.4.49 and 8.5.6 still present), tinyglobby@0.2.15 (0.2.16 still present), @mixpanel/rrweb-utils@2.0.0-alpha.18.2 (2.0.0-alpha.18.4 still present). No actively-used versions moved; integrity-line diffs are removals only (26 removed, 0 added).

Notable decisions

  • SDK runtime dependencies hard-pinned. Chose security over duplicate-install risk for downstream consumers. If a consumer hard-pins viem (or another shared dep) to a different version, pnpm may install both copies; consumers using ^ ranges dedupe to ours.
  • SDK peerDependencies kept as >= ranges. Library API contract; consumers must supply compatible majors of @dynamic-labs/*, @privy-io/*, @turnkey/*.
  • pnpm.overrides left intact (viem: 2.33.0, zod@3.22.4: 3.25.76, all @dynamic-labs/*: 4.31.4, nx>axios: ^1.12.0). Already provides repo-wide transitive hardening on critical packages; out of scope for the "package.json entries" task.

Out of scope / follow-ups

  • pino / pino-pretty in backend peerDependencies left untouched. With autoInstallPeers: true, these install like deps but can drift on no-lockfile installs.
  • pnpm.overrides[nx>axios]: ^1.12.0 is still a range; could be hardened later.
  • Pre-existing peer-dep mismatches surfaced during install (e.g., abitype vs zod 4, @aave/contract-helpers vs reflect-metadata 0.2.2, permissionless@0.2.57 vs ox@^0.8.0, Solana program peer ranges). Not caused by this PR.

Test plan

  • pnpm install --lockfile-only clean
  • pnpm install --frozen-lockfile clean
  • Lockfile diff confirmed: specifier updates plus stale-duplicate cleanup; no added packages, no integrity additions
  • CI passes (typecheck, lint, build, tests across workspaces)

Pin every entry in dependencies and devDependencies across every
package.json in the repo to the exact version pnpm-lock.yaml had
resolved. Closes the no-lockfile drift / malicious-patch supply-chain
vector.

- Root + workspaces (cli, sdk, backend, frontend, contracts):
  hard-pinned across deps and devDeps.
- SDK runtime deps: hard-pinned for max security; peerDependencies
  intentionally kept as ">=" ranges (library contract).
- Left alone: workspace:*, peerDependencies, engines, pnpm.overrides,
  pnpm.peerDependencyRules, file:/link:/git+/URL specifiers.

Lockfile diff: 170 specifier strings updated. pnpm install
--lockfile-only also cleaned up 26 stale duplicate entries (rollup
4.53.3 platform binaries, postcss 8.5.9, tinyglobby 0.2.15, mixpanel
rrweb-utils 2.0.0-alpha.18.2) where a sibling version was already
present. No actively-used versions moved; integrity-line changes are
removals only (26 removed, 0 added). pnpm install --frozen-lockfile
clean.
@jefr90 jefr90 requested review from a team as code owners May 28, 2026 16:25
@jefr90 jefr90 requested a review from lucasmoore May 28, 2026 16:25
@netlify

netlify Bot commented May 28, 2026

Copy link
Copy Markdown

Deploy Preview for actions-ui ready!

Name Link
🔨 Latest commit 88c07e2
🔍 Latest deploy log https://app.netlify.com/projects/actions-ui/deploys/6a504ad949321100081ae339
😎 Deploy Preview https://deploy-preview-486--actions-ui.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@its-everdred its-everdred left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenSSF's npm guidance contradicts the intention of this PR for our published SDK by recommending supported dependency ranges for libraries. pnpm-lock.yaml already pins exact versions and integrity hashes, which I believe was this PR's original intention anyway. We should keep ranges for packages/sdk runtime dependencies so consumers can adopt compatible security fixes and avoid duplicate installations, and limit exact manifest pins to private workspaces.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants