[codex] migrate to pnpm security defaults#14

Open
svarlamov wants to merge 1 commit into main from codex/pnpm-strict-security-20260606

Conversation

@svarlamov (Member)

Summary

  • add a private pnpm 11.5.2 root manifest and lockfile for future Node helper work
  • add strict pnpm supply-chain security policy: one-week minimum package age, strict lockfile policy checks, trust downgrade protection, exotic dependency blocking, strict peer/engine checks, and build-script blocking by default
  • add node_modules ignore and remove stale npm wording from helper-script comments

Why

This gives the self-hosted repo the same pnpm-only supply-chain guardrails as the application repos before future Node helpers gain dependencies, preventing npm/yarn fallback and unreviewed install behavior.

Validation

  • pnpm install --frozen-lockfile
  • PATH=/tmp/codex-helm-bin:$PATH ./helm/scripts/test-render.sh
  • docker compose -f docker-compose.yml config --format json
  • SQL_API_USER=analytics SQL_API_PASSWORD=super-secret docker compose -f docker-compose.yml --profile sql-api config --format json
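The "preventing npm/yarn fallback" guardrail from the summary, as an added illustration that is not part of this PR: a hypothetical root `preinstall` script that inspects `npm_config_user_agent` (which npm, yarn and pnpm all export to lifecycle scripts) and aborts the install unless the installer is pnpm at or above a required major version. The file name `preinstall-guard.sh` and the major-version requirement of 11 are assumptions.

```shell
#!/bin/sh
# Hypothetical pnpm-only preinstall guard (not from the PR).
# Installers set npm_config_user_agent for lifecycle scripts, e.g.
#   "pnpm/11.5.2 npm/? node/v22.0.0 linux x64"
#   "npm/10.8.0 node/v22.0.0 linux x64"
#   "yarn/1.22.19 npm/? node/v22.0.0 linux x64"

# pm_allowed USER_AGENT REQUIRED_MAJOR
# Returns 0 when the user agent names pnpm with major >= REQUIRED_MAJOR,
# 1 for any other installer, a malformed version, or an older pnpm.
pm_allowed() {
  ua="$1"
  want_major="$2"
  case "$ua" in
    pnpm/*) ;;
    *) return 1 ;;
  esac
  ver="${ua#pnpm/}"      # "11.5.2 npm/? node/..."
  ver="${ver%% *}"       # "11.5.2"
  major="${ver%%.*}"     # "11"
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric major
  esac
  [ "$major" -ge "$want_major" ]
}

# reject_message USER_AGENT
# Prints the operator-facing explanation for a rejected installer.
reject_message() {
  printf 'This repository is pnpm-only (installer: "%s"). Use: corepack enable && pnpm install --frozen-lockfile\n' "$1"
}

# Entry point when wired as "preinstall": "sh ./preinstall-guard.sh".
if [ "${0##*/}" = "preinstall-guard.sh" ]; then
  agent="${npm_config_user_agent:-unknown}"
  if ! pm_allowed "$agent" 11; then
    reject_message "$agent" >&2
    exit 1
  fi
fi
```

Because pnpm does not run dependency lifecycle scripts by default but does run the root project's own `preinstall`, the guard fires exactly once per install of this repo.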

@svarlamov svarlamov marked this pull request as ready for review June 6, 2026 16:21
@svarlamov svarlamov force-pushed the codex/pnpm-strict-security-20260606 branch from ea78802 to 96e4bbb Compare June 8, 2026 19:38