chore(pnpm): update pnpm #7193

Open
m-maillot wants to merge 1 commit into dev from chore/update-pnpm

@m-maillot
Contributor

No description provided.

@m-maillot m-maillot requested a review from maxgfr March 26, 2026 14:43
@revu-bot revu-bot bot requested a review from revu-bot March 26, 2026 14:43
@m-maillot m-maillot temporarily deployed to build-preproduction March 26, 2026 14:43 — with GitHub Actions Inactive
Collaborator

@revu-bot revu-bot left a comment

pnpm Update: 10.24.0 → 10.33.0

This PR updates the packageManager field in package.json to bump pnpm from 10.24.0 to 10.33.0 with an integrity hash.

| File | Lines | Severity | Issue | Action |
| --- | --- | --- | --- | --- |
| package.json | 54 | CRITICAL | Integrity hash appears truncated | Verify and replace with the correct full hash |

Overall Assessment

The update is straightforward and follows the correct pattern of pinning both the version and an integrity hash via Corepack. However, the SHA-512 hash included in the packageManager field appears to be truncated, which is a correctness concern that could cause Corepack verification to fail or silently pass with a wrong hash.

},
"version": "0.0.0",
"packageManager": "pnpm@10.24.0"
"packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
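
Review bot: The digest on the new `packageManager` line should be checked against the value Corepack generates rather than judged by its length: the string after `sha512.` is 128 hexadecimal characters, the full length of a hex-encoded SHA-512 digest, and nothing in the hunk shows where it came from. Before merging, run `corepack use pnpm@10.33.0` on a clean checkout and confirm the rewritten field is identical to the committed string. The previous line pinned only `pnpm@10.24.0` with no digest, so this change also introduces hash pinning, which the empty description should mention.
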
Collaborator

[CRITICAL] Integrity hash appears truncated

The SHA-512 hash appended to the packageManager field looks incomplete. A valid SHA-512 digest encoded in hex is 128 characters long; the one present here is only 126 characters:

10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319

Why it matters:

  • Corepack uses this hash to verify the downloaded pnpm binary. A truncated hash will either fail verification outright or — depending on the Corepack version — silently skip it, defeating the purpose of pinning the hash.
  • CI/CD pipelines relying on Corepack integrity checks could break or be bypassed.

How to get the correct value:
Run the following command locally and copy the output directly into package.json:

corepack use pnpm@10.33.0

Corepack will rewrite the packageManager field with the verified, full-length hash. Alternatively, check the official pnpm release page for the published SHA-512 checksum.
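
Added example, not part of the review comment above, of this pull request, or of Corepack: a script that checks a `packageManager` pin mechanically instead of by eye, first for a digest of the right length and then, when the artifact bytes are available, for a digest match. The function names, verdict strings and the constructed `SAMPLE` bytes are assumptions for illustration; the field layout `name@version+algo.hexdigest` is the one shown in the diff.

```javascript
// Added example: function names, verdict strings and SAMPLE bytes are illustrative.
const { createHash, timingSafeEqual } = require('node:crypto');

// Hex digest length for each hash algorithm this example accepts.
const HEX_LENGTH = { sha1: 40, sha224: 56, sha256: 64, sha384: 96, sha512: 128 };

// Split "name@version+algo.hexdigest"; the "+algo.hexdigest" suffix is optional.
function parsePackageManager(field) {
  const m = /^([a-z]+)@([^+\s]+)(?:\+([a-z0-9]+)\.([0-9a-fA-F]+))?$/.exec(field);
  if (!m) throw new Error(`unparseable packageManager value: ${field}`);
  const [, name, version, algo = null, digest = null] = m;
  return { name, version, algo, digest: digest && digest.toLowerCase() };
}

// Classify a pin. When artifact bytes are supplied, also compare their digest.
function checkPin(field, artifact) {
  const { algo, digest } = parsePackageManager(field);
  if (!algo) return 'unpinned';
  if (!Object.hasOwn(HEX_LENGTH, algo)) return 'unknown-algorithm';
  if (digest.length !== HEX_LENGTH[algo]) return 'wrong-length';
  if (artifact === undefined) return 'well-formed';
  const actual = createHash(algo).update(artifact).digest();
  return timingSafeEqual(actual, Buffer.from(digest, 'hex')) ? 'match' : 'mismatch';
}

// Value committed in this pull request, copied from the diff.
const PAGE_PIN = 'pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319';

// Constructed stand-in for a package tarball, so the example runs offline.
const SAMPLE = Buffer.from('constructed bytes standing in for a package tarball');
const SAMPLE_PIN = 'pnpm@0.0.0+sha512.' + createHash('sha512').update(SAMPLE).digest('hex');

console.log('old pin      :', checkPin('pnpm@10.24.0'));
console.log('page pin     :', checkPin(PAGE_PIN));
console.log('sample intact:', checkPin(SAMPLE_PIN, SAMPLE));
console.log('sample edited:', checkPin(SAMPLE_PIN, Buffer.from('tampered bytes')));
console.log('cut by 2 hex :', checkPin(SAMPLE_PIN.slice(0, -2)));
```

A `well-formed` verdict only says the digest has the right shape; a `match` needs the actual release bytes passed as the second argument.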

@sonarqubecloud

@tokenbureau

tokenbureau bot commented Mar 26, 2026
