chore(deps): pin package.json versions to lockfile-resolved#486
Closed
jefr90 wants to merge 3 commits into
Closed
Conversation
Pin every entry in dependencies and devDependencies across every package.json in the repo to the exact version pnpm-lock.yaml had resolved. Closes the no-lockfile drift / malicious-patch supply-chain vector. - Root + workspaces (cli, sdk, backend, frontend, contracts): hard-pinned across deps and devDeps. - SDK runtime deps: hard-pinned for max security; peerDependencies intentionally kept as ">=" ranges (library contract). - Left alone: workspace:*, peerDependencies, engines, pnpm.overrides, pnpm.peerDependencyRules, file:/link:/git+/URL specifiers. Lockfile diff: 170 specifier strings updated. pnpm install --lockfile-only also cleaned up 26 stale duplicate entries (rollup 4.53.3 platform binaries, postcss 8.5.9, tinyglobby 0.2.15, mixpanel rrweb-utils 2.0.0-alpha.18.2) where a sibling version was already present. No actively-used versions moved; integrity-line changes are removals only (26 removed, 0 added). pnpm install --frozen-lockfile clean.
✅ Deploy Preview for actions-ui ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
4 tasks
Collaborator
There was a problem hiding this comment.
OpenSSF's npm guidance contradicts the intention of this PR for our published SDK by recommending supported dependency ranges for libraries. pnpm-lock.yaml already pins exact versions and integrity hashes, which I believe was this PR's original intention anyway. We should keep ranges for packages/sdk runtime dependencies so consumers can adopt compatible security fixes and avoid duplicate installations, and limit exact manifest pins to private workspaces.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pin every entry in
dependenciesanddevDependenciesof everypackage.jsonin this repo to the exact version currently resolved bypnpm-lock.yaml. Goal: a fresh install without a lockfile cannot drift onto newer minors/patches, closing the malicious-patch-publishing supply-chain vector.What was pinned
./(root)packages/cli@types/nodealready exact)packages/sdk@types/nodealready exact)packages/demo/backend@types/nodealready exact)peerDependenciesuntouchedpackages/demo/frontend@dynamic-labs/*already exact)packages/demo/contractsLeft alone (per the task rules):
workspace:*links,peerDependencies(pinoandpino-prettyin backend; all>=ranges in SDK as library contract),engines, root'spnpm.overridesandpnpm.peerDependencyRules(already provide transitive hardening), file/git/URL specifiers.Lockfile
Ran
pnpm install --lockfile-onlyto refresh specifier strings, thenpnpm install --frozen-lockfileto verify. Both clean.Diff breakdown:
specifier:lines updated (intended pinning).pnpm install --lockfile-onlycleanup:rollup@4.53.3platform binaries (4.60.1still present),postcss@8.5.9(8.4.49and8.5.6still present),tinyglobby@0.2.15(0.2.16still present),@mixpanel/rrweb-utils@2.0.0-alpha.18.2(2.0.0-alpha.18.4still present). No actively-used versions moved; integrity-line diffs are removals only (26 removed, 0 added).Notable decisions
dependencieshard-pinned. Chose security over duplicate-install risk for downstream consumers. If a consumer hard-pinsviem(or another shared dep) to a different version, pnpm may install both copies; consumers using^ranges dedupe to ours.peerDependencieskept as>=ranges. Library API contract; consumers must supply compatible majors of@dynamic-labs/*,@privy-io/*,@turnkey/*.pnpm.overridesleft intact (viem: 2.33.0,zod@3.22.4: 3.25.76, all@dynamic-labs/*: 4.31.4,nx>axios: ^1.12.0). Already provides repo-wide transitive hardening on critical packages; out of scope for the "package.json entries" task.Out of scope / follow-ups
pino/pino-prettyin backendpeerDependenciesleft untouched. WithautoInstallPeers: true, these install like deps but can drift on no-lockfile installs.pnpm.overrides[nx>axios]: ^1.12.0is still a range; could be hardened later.abitypevs zod 4,@aave/contract-helpersvsreflect-metadata0.2.2,permissionless@0.2.57vsox@^0.8.0, Solana program peer ranges). Not caused by this PR.Test plan
pnpm install --lockfile-onlycleanpnpm install --frozen-lockfileclean