Improve pnpm security

.npmrc

@@ -1,8 +1,3 @@
 save-exact=true
 manage-package-manager-versions=true
-
-# Here in npmrc, because this flag looks like not working in pnpm-workspace
-# 86400 (minutes) is 60 days
-# Set, because old packages in npm do not have trust policy
-# Once time passes and packages are newer, we should remove this flag
-trust-policy-ignore-after=86400
+frozen-lockfile=true

README.md

@@ -85,6 +85,15 @@ pnpm dlx turbo login
 pnpm dlx turbo link
 ```
 
+### Installing new packages
+
+This has following requirements for improved supply chain security:
+
+- Packages must be older than 21 days
+- Added packages must use exact version (no `^` or `~`)
+- Packages versions cannot have a downgraded provenance security
+- All installs are using froze lockfile to prevent unintended changes in transitive dependencies, to update packages anyway, you must use: `pnpm install --no-frozen-lockfile`
+
 ## ADR
 
 This repository uses [architecture decision records](https://cognitect.com/blog/2011/11/15/documenting-architecture-decisions) to document architectural decisions. You can find them in the `adr` directory.

apps/avatax/bruno/package.json

@@ -2,14 +2,14 @@
   "name": "bruno",
   "version": "1.0.0",
   "description": "",
+  "keywords": [],
+  "license": "(BSD-3-Clause AND CC-BY-4.0)",
+  "author": "",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
-  "keywords": [],
-  "author": "",
-  "license": "ISC",
   "dependencies": {
-    "@faker-js/faker": "^8.4.1"
+    "@faker-js/faker": "8.4.1"
   }
 }

apps/avatax/package.json

@@ -54,13 +54,13 @@
     "@trpc/react-query": "catalog:",
     "@trpc/server": "catalog:",
     "@vercel/otel": "catalog:",
-    "avatax": "^23.7.0",
+    "avatax": "23.7.0",
     "decimal.js-light": "catalog:",
     "dotenv": "catalog:",
     "dynamodb-toolbox": "catalog:",
     "graphql": "catalog:",
     "graphql-tag": "catalog:",
-    "jotai": "^2.4.2",
+    "jotai": "2.4.2",
     "jsdom": "catalog:",
     "modern-errors": "catalog:",
     "modern-errors-serialize": "catalog:",
@@ -75,9 +75,9 @@
     "zod": "catalog:"
   },
   "devDependencies": {
-    "@faker-js/faker": "^8.4.1",
+    "@faker-js/faker": "8.4.1",
     "@graphql-codegen/cli": "catalog:",
-    "@graphql-codegen/import-types-preset": "^3.0.0",
+    "@graphql-codegen/import-types-preset": "3.0.0",
     "@graphql-codegen/introspection": "catalog:",
     "@graphql-codegen/schema-ast": "4.0.2",
     "@graphql-codegen/typed-document-node": "catalog:",
@@ -101,8 +101,8 @@
     "eslint-plugin-n": "catalog:",
     "graphql-codegen-typescript-operation-types": "catalog:",
     "graphql-config": "5.0.3",
-    "pactum": "^3.6.0",
-    "pactum-matchers": "^1.1.6",
+    "pactum": "3.6.0",
+    "pactum-matchers": "1.1.6",
     "tsx": "catalog:",
     "typescript": "catalog:",
     "vite": "catalog:",

apps/cms/package.json

@@ -78,7 +78,7 @@
     "@graphql-typed-document-node/core": "catalog:",
     "@saleor/eslint-config-apps": "workspace:*",
     "@saleor/typescript-config-apps": "workspace:*",
-    "@types/qs": "^6.9.7",
+    "@types/qs": "6.9.7",
     "@types/react": "18.2.5",
     "@types/react-dom": "18.2.5",
     "@vitest/coverage-v8": "catalog:",

apps/klaviyo/package.json

@@ -40,10 +40,10 @@
     "graphql": "catalog:",
     "graphql-tag": "catalog:",
     "next": "catalog:",
-    "node-fetch": "^3.2.6",
+    "node-fetch": "3.2.6",
     "react": "catalog:",
     "react-dom": "catalog:",
-    "react-helmet": "^6.1.0",
+    "react-helmet": "6.1.0",
     "urql": "catalog:",
     "usehooks-ts": "catalog:",
     "vite": "catalog:",
@@ -63,15 +63,15 @@
     "@types/node": "catalog:",
     "@types/react": "18.2.5",
     "@types/react-dom": "18.2.5",
-    "autoprefixer": "^10.4.7",
-    "clean-publish": "^4.0.1",
+    "autoprefixer": "10.4.7",
+    "clean-publish": "4.0.1",
     "eslint": "catalog:",
     "eslint-plugin-n": "catalog:",
     "graphql-codegen-typescript-operation-types": "catalog:",
     "graphql-config": "5.0.3",
     "jsdom": "catalog:",
-    "postcss": "^8.4.14",
-    "pretty-quick": "^3.1.3",
+    "postcss": "8.4.14",
+    "pretty-quick": "3.1.3",
     "tsx": "catalog:",
     "typescript": "5.8.2"
   }

apps/products-feed/package.json

@@ -17,7 +17,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-dynamodb": "catalog:",
-    "@aws-sdk/client-s3": "^3.332.0",
+    "@aws-sdk/client-s3": "3.332.0",
     "@aws-sdk/lib-dynamodb": "catalog:",
     "@aws-sdk/s3-request-presigner": "3.332.0",
     "@aws-sdk/util-dynamodb": "catalog:",
@@ -51,10 +51,10 @@
     "@vitejs/plugin-react": "catalog:",
     "dotenv": "catalog:",
     "dynamodb-toolbox": "catalog:",
-    "fast-xml-parser": "^4.0.15",
+    "fast-xml-parser": "4.0.15",
     "graphql": "catalog:",
     "graphql-tag": "catalog:",
-    "handlebars": "^4.7.9",
+    "handlebars": "4.7.9",
     "handlebars-helpers": "0.10.0",
     "jsdom": "catalog:",
     "neverthrow": "catalog:",
@@ -81,7 +81,7 @@
     "@saleor/typescript-config-apps": "workspace:*",
     "@testing-library/dom": "10.4.0",
     "@testing-library/react": "16.2.0",
-    "@types/handlebars-helpers": "^0.5.6",
+    "@types/handlebars-helpers": "0.5.6",
     "@types/react": "18.2.5",
     "@types/react-dom": "18.2.5",
     "@vitest/coverage-v8": "catalog:",

apps/search/package.json

@@ -49,16 +49,16 @@
     "@trpc/server": "catalog:",
     "@vercel/otel": "catalog:",
     "algoliasearch": "4.23.3",
-    "clsx": "^1.2.1",
-    "debug": "^4.3.4",
+    "clsx": "1.2.1",
+    "debug": "4.3.4",
     "dotenv": "catalog:",
     "dynamodb-toolbox": "catalog:",
     "graphql": "catalog:",
     "graphql-tag": "catalog:",
     "next": "catalog:",
     "react": "catalog:",
     "react-dom": "catalog:",
-    "react-helmet": "^6.1.0",
+    "react-helmet": "6.1.0",
     "react-hook-form": "catalog:",
     "urql": "catalog:",
     "zod": "catalog:"

apps/smtp/package.json

@@ -25,7 +25,7 @@
     "@aws-sdk/lib-dynamodb": "catalog:",
     "@aws-sdk/util-dynamodb": "catalog:",
     "@hookform/resolvers": "catalog:",
-    "@monaco-editor/react": "^4.4.6",
+    "@monaco-editor/react": "4.4.6",
     "@opentelemetry/api": "catalog:",
     "@opentelemetry/api-logs": "catalog:",
     "@opentelemetry/instrumentation": "catalog:",
@@ -57,16 +57,16 @@
     "dynamodb-toolbox": "catalog:",
     "graphql": "catalog:",
     "graphql-tag": "catalog:",
-    "handlebars": "^4.7.9",
+    "handlebars": "4.7.9",
     "handlebars-helpers": "0.10.0",
-    "html-to-text": "^9.0.3",
+    "html-to-text": "9.0.3",
     "jsdom": "catalog:",
     "mjml": "4.15.3",
     "modern-errors": "catalog:",
     "modern-errors-serialize": "catalog:",
     "neverthrow": "catalog:",
     "next": "catalog:",
-    "nodemailer": "^6.9.1",
+    "nodemailer": "6.9.1",
     "react": "catalog:",
     "react-dom": "catalog:",
     "react-hook-form": "catalog:",
@@ -87,10 +87,10 @@
     "@graphql-typed-document-node/core": "catalog:",
     "@saleor/eslint-config-apps": "workspace:*",
     "@saleor/typescript-config-apps": "workspace:*",
-    "@types/handlebars-helpers": "^0.5.6",
-    "@types/html-to-text": "^9.0.0",
+    "@types/handlebars-helpers": "0.5.6",
+    "@types/html-to-text": "9.0.0",
     "@types/mjml": "4.7.4",
-    "@types/nodemailer": "^6.4.7",
+    "@types/nodemailer": "6.4.7",
     "@types/react": "18.2.5",
     "@types/react-dom": "18.2.5",
     "@vitest/coverage-v8": "catalog:",

package.json

@@ -31,7 +31,7 @@
     }
   },
   "devDependencies": {
-    "@changesets/cli": "^2.30.0",
+    "@changesets/cli": "2.30.0",
     "@cspell/cspell-types": "8.17.5",
     "@saleor/app-sdk": "catalog:",
     "cspell": "8.17.5",

packages/handlebars/package.json

@@ -16,10 +16,10 @@
   "devDependencies": {
     "@saleor/eslint-config-apps": "workspace:*",
     "@saleor/typescript-config-apps": "workspace:*",
-    "@types/handlebars-helpers": "^0.5.6",
+    "@types/handlebars-helpers": "0.5.6",
     "@vitest/coverage-v8": "catalog:",
     "eslint": "catalog:",
-    "handlebars": "^4.7.9",
+    "handlebars": "4.7.9",
     "handlebars-helpers": "0.10.0",
     "typescript": "catalog:",
     "vite": "catalog:",