chore(security): harden dependency supply chain and add security policy#138
nikosxenakis wants to merge 4 commits into main from
Conversation
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Hardens dependency supply-chain posture by adding a security policy, tightening dependency resolutions via pnpm overrides, and updating a dependency to pull in a patched transitive.
Changes:
- Added SECURITY.md with vulnerability reporting guidance.
- Added pnpm config/overrides to pin/select safer transitive dependency versions and allow only specific build-time deps.
- Added a “minimum release age” quarantine setting and bumped tinyglobby to ^0.2.16.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Adds a minimumReleaseAge setting alongside existing overrides. |
| package.json | Bumps tinyglobby and introduces pnpm config with overrides and onlyBuiltDependencies. |
| SECURITY.md | Introduces a repository security policy and reporting instructions. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
pnpm-workspace.yaml
Outdated
| minimumReleaseAge: 10080 # ignore dependency updates released less than 7 days ago |
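Review bot: the value is consistent with the trailing comment (10080 minutes is exactly 7 days), but the setting only provides a quarantine if the pnpm version used by this repository actually reads minimumReleaseAge from pnpm-workspace.yaml; an unrecognised key in that file is not an error, so on an older pnpm the line is silently ignored and the quarantine is a no-op. Suggest recording the pnpm version the setting depends on (for example in the packageManager field) and verifying once on a clean install that a version published within the last 7 days is skipped, so the protection is known to be active rather than assumed.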
minimumReleaseAge is not a pnpm workspace manifest key (and is commonly a Renovate setting), so pnpm will likely ignore it here. If the goal is Renovate’s 7-day quarantine, move this into the Renovate configuration (e.g., renovate.json). If the goal is pnpm behavior, place it in the correct pnpm config location supported by your pnpm version (typically root package.json under pnpm or .npmrc).
| minimumReleaseAge: 10080 # ignore dependency updates released less than 7 days ago |
| "axios": ">=1.15.0", | ||
| "lodash": ">=4.18.0", | ||
| "tar": ">=7.5.11", | ||
| "minimatch": ">=10.2.5", | ||
| "ajv": ">=8.18.0" |
Overrides for axios, ajv, and minimatch now exist in both pnpm-workspace.yaml and package.json with different minimum versions. This duplication/conflict makes it unclear which constraint is authoritative and can lead to unexpected resolution changes. Consider consolidating overrides into a single source of truth (preferably package.json under pnpm.overrides if that’s the intended standard) and removing or updating the other location to match exactly.
| "axios": ">=1.15.0", | |
| "lodash": ">=4.18.0", | |
| "tar": ">=7.5.11", | |
| "minimatch": ">=10.2.5", | |
| "ajv": ">=8.18.0" | |
| "lodash": ">=4.18.0", | |
| "tar": ">=7.5.11" |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| "pnpm": { | ||
| "overrides": { | ||
| "axios": ">=1.15.0", | ||
| "lodash": ">=4.18.0", | ||
| "tar": ">=7.5.11", | ||
| "minimatch": ">=10.2.5", | ||
| "ajv": ">=8.18.0" | ||
| } | ||
| } |
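Review bot: every override in this block is an open-ended floor (">=x.y.z" with no upper bound), so besides not being a pin, each one lets a future major of tar, minimatch, ajv, axios or lodash be resolved on the next lockfile refresh without any change to this file, which can break consumers unexpectedly. If the intent is "at least the patched version", consider bounding the range to the current major (for example ">=7.5.11 <8" for tar) so the fix is enforced without opening the door to silent major upgrades; if the intent is a single known-safe version, use exact versions as the description implies.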
The PR description says these overrides “pin” vulnerable transitive deps, but the overrides are expressed as minimum ranges (>=). If the intent is truly to pin (ensure a single known-safe version), use exact versions. If the intent is “enforce minimum safe versions,” consider updating the PR description accordingly (and optionally add a short note on why minimum ranges are preferred here).
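The two review points above (overrides duplicated across pnpm-workspace.yaml and package.json with different minimums, and ">=" floors described as "pins") are both easy to check mechanically before merge. The following Node.js script is an added example, not code from this PR or from the repository: it reads the `pnpm.overrides` block of a package.json and the flat `overrides:` mapping of a pnpm-workspace.yaml, reports packages constrained in both places with different specs (so one location can be made authoritative) and lists ">=" specs that have no upper bound. The package.json specs in the sample are the ones shown in the PR; the pnpm-workspace.yaml values are constructed to differ, as the review describes, and the minimal YAML parser only handles a flat `overrides:` block (a real project should use a YAML library). The function names `parseWorkspaceOverrides`, `parsePackageOverrides`, `findOverrideConflicts`, `findUnboundedRanges` and `auditSample` are this example's own.

```javascript
// Added example (not part of PR #138): cross-check pnpm overrides declared in
// package.json (pnpm.overrides) against pnpm-workspace.yaml (overrides:), and
// flag (a) packages constrained in both files with different specs and
// (b) ">=" floors with no upper bound, which let a future major slip in on a
// lockfile refresh.

// Minimal parser for a flat YAML block such as:
//   overrides:
//     axios: ">=1.15.0"
// Returns {name: spec}. Trailing comments and quotes are stripped; nested
// maps are not supported. Use a YAML library in real tooling.
function parseWorkspaceOverrides(yamlText) {
  const out = {};
  let inBlock = false;
  for (const rawLine of yamlText.split('\n')) {
    const line = rawLine.replace(/\s+#.*$/, '').trimEnd();
    if (line.trim() === '') continue;
    if (/^overrides:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock) continue;
    if (!/^\s+/.test(line)) { inBlock = false; continue; } // dedent ends the block
    const m = line.match(/^\s+"?([^":]+)"?\s*:\s*"?([^"]+?)"?\s*$/);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// package.json overrides live under pnpm.overrides.
function parsePackageOverrides(jsonText) {
  const pkg = JSON.parse(jsonText);
  return (pkg.pnpm && pkg.pnpm.overrides) || {};
}

// Report packages declared in both files with differing specs ("conflict") and
// packages present in only one file ("single-source"), sorted by name.
function findOverrideConflicts(pkgOverrides, wsOverrides) {
  const names = new Set([...Object.keys(pkgOverrides), ...Object.keys(wsOverrides)]);
  const findings = [];
  for (const name of [...names].sort()) {
    const a = pkgOverrides[name];
    const b = wsOverrides[name];
    if (a !== undefined && b !== undefined && a !== b) {
      findings.push({ name, kind: 'conflict', packageJson: a, workspace: b });
    } else if (a === undefined || b === undefined) {
      findings.push({ name, kind: 'single-source', packageJson: a, workspace: b });
    }
  }
  return findings;
}

// A spec that starts with ">=" and contains no "<" enforces a floor but not a
// ceiling: it is not a pin, and the next major can be resolved silently.
function findUnboundedRanges(overrides) {
  return Object.entries(overrides)
    .filter(([, spec]) => /^>=/.test(spec.trim()) && !spec.includes('<'))
    .map(([name]) => name);
}

// Constructed sample: package.json overrides with the specs from the PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample',
  pnpm: {
    overrides: {
      axios: '>=1.15.0',
      lodash: '>=4.18.0',
      tar: '>=7.5.11',
      minimatch: '>=10.2.5',
      ajv: '>=8.18.0',
    },
  },
});

// Constructed pnpm-workspace.yaml: the axios/minimatch/ajv floors are made-up
// values chosen to differ from package.json, as the review describes.
const SAMPLE_WORKSPACE_YAML = `
packages:
  - "packages/*"
overrides:
  axios: ">=1.12.0"
  minimatch: ">=9.0.0"
  ajv: ">=8.17.0"
minimumReleaseAge: 10080 # ignore dependency updates released less than 7 days ago
`;

// Run both checks over the constructed sample.
function auditSample() {
  const pkg = parsePackageOverrides(SAMPLE_PACKAGE_JSON);
  const ws = parseWorkspaceOverrides(SAMPLE_WORKSPACE_YAML);
  return {
    conflicts: findOverrideConflicts(pkg, ws),
    unbounded: findUnboundedRanges(pkg),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditSample();
  for (const f of report.conflicts) {
    console.log(f.kind.padEnd(13), f.name.padEnd(10), f.packageJson ?? '-', '|', f.workspace ?? '-');
  }
  console.log('unbounded floors:', report.unbounded.join(', '));
}
```

On the sample this reports three conflicts (ajv, axios, minimatch), two packages set in only one file (lodash, tar), and all five package.json overrides as unbounded floors. Wiring the same checks into CI as a failing step is what keeps the two files from drifting apart again after this PR lands.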
Summary
Closes SDK-2664
- SECURITY.md
- pnpm.overrides to pin vulnerable transitive deps to safe versions
- minimumReleaseAge: 10080 (7-day quarantine)
- tinyglobby to ^0.2.16 (pulls in picomatch 4.0.4)