
Improve pnpm security#2314

Merged
lkostrowski merged 7 commits into main from update-pnpm-security
Apr 2, 2026

Conversation

@witoszekdev (Member) commented Apr 1, 2026

  • Updated minimum release age to 21 days (same as saleor/saleor-dashboard)
  • Pinned all packages in package.json
  • Added frozen-lockfile, so that pnpm install cannot update transitive dependencies
  • Added settings for always saving exact version when installing packages
  • Added setting to ignore "downgrades" after release is older than 30 days (happens for patches in old major versions where provenance was missing)
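The pinning rule in the description (every specifier in package.json an exact version, no `^` or `~`) can be checked mechanically before an install runs, so a range that slips past review fails in CI rather than widening what `pnpm install` may resolve. The following Node.js script is an added example written for this page, not code from the saleor-apps repository or from pnpm: it scans the dependency sections of a package.json object and reports every specifier that is not an exact version, treating pnpm's `workspace:`, `catalog:`, `link:` and `file:` protocols as local (their content is fixed by the lockfile, not by a registry range) and unwrapping `npm:` aliases. The sample manifest, its version numbers, the function names and the `LOCAL_PROTOCOLS` list are constructed for the demonstration.

```javascript
// Added example for this page (not code from the saleor-apps repository or
// from pnpm): enforce the rule "added packages must use exact versions" by
// scanning a package.json object for range specifiers such as ^1.2.3 or
// ~1.2.3. Sample data, function names and the protocol list are constructed.

// package.json sections whose specifiers are resolved from the registry.
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// An exact semver version: MAJOR.MINOR.PATCH with optional pre-release and
// build metadata. Anything else (^, ~, >=, x-ranges, dist-tags) is a range.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// pnpm protocols that resolve inside the repository rather than from the
// registry; their content is fixed by the lockfile, so pinning does not apply.
const LOCAL_PROTOCOLS = ["workspace:", "catalog:", "link:", "file:"];

// True when `spec` pins one registry version (or uses a local protocol).
function isExactSpecifier(spec) {
  if (typeof spec !== "string") return false;
  if (LOCAL_PROTOCOLS.some((p) => spec.startsWith(p))) return true;
  // Alias form "npm:<real-name>@<version>": judge the part after the last "@",
  // which also works for scoped names such as "npm:@scope/name@1.2.3".
  if (spec.startsWith("npm:")) {
    const at = spec.lastIndexOf("@");
    if (at === -1) return false; // alias without a version
    return EXACT_SEMVER.test(spec.slice(at + 1));
  }
  return EXACT_SEMVER.test(spec);
}

// Lists every non-exact specifier as { section, name, spec }.
function findNonExactSpecifiers(pkg) {
  const violations = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] ?? {})) {
      if (!isExactSpecifier(spec)) violations.push({ section, name, spec });
    }
  }
  return violations;
}

// Formats the violations as one line each, suitable for a CI log.
function formatReport(violations) {
  return violations.map(
    (v) => `${v.section}: ${v.name}@${v.spec} is not an exact version`,
  );
}

// Constructed sample manifest: two pins, one workspace link, one alias,
// and three specifiers that the rule should reject.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    handlebars: "4.7.8",
    "node-fetch": "^3.3.2",
    "@saleor/apps-shared": "workspace:*",
    "string-width-cjs": "npm:string-width@4.2.3",
  },
  devDependencies: {
    "@types/debug": "~4.1.12",
    vitest: "latest",
  },
};

for (const line of formatReport(findNonExactSpecifiers(SAMPLE_PACKAGE_JSON))) {
  console.log(line);
}
```

To use it on a real manifest, pass the parsed package.json object to `findNonExactSpecifiers` and fail the CI step when the result is non-empty; run it on every workspace package, since the PR shows the pins had to be applied per app and per shared package rather than only at the root.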

@witoszekdev witoszekdev requested a review from a team as a code owner April 1, 2026 14:05
changeset-bot bot commented Apr 1, 2026

⚠️ No Changeset found

Latest commit: 4efec1c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel bot commented Apr 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
saleor-app-avatax | Ready | Preview, Comment | Apr 2, 2026 5:13am

8 Skipped Deployments

Project | Deployment | Actions | Updated (UTC)
saleor-app-cms | Skipped | Comment | Apr 2, 2026 5:13am
saleor-app-klaviyo | Skipped | | Apr 2, 2026 5:13am
saleor-app-payment-np-atobarai | Skipped | Comment | Apr 2, 2026 5:13am
saleor-app-payment-stripe | Skipped | | Apr 2, 2026 5:13am
saleor-app-products-feed | Skipped | Comment | Apr 2, 2026 5:13am
saleor-app-search | Skipped | Comment | Apr 2, 2026 5:13am
saleor-app-segment | Skipped | Comment | Apr 2, 2026 5:13am
saleor-app-smtp | Skipped | Comment | Apr 2, 2026 5:13am

github-actions bot (Contributor) commented Apr 1, 2026

Differences Found

✅ No packages or licenses were added.

Summary

License Name | Package Count | Packages
0BSD | 1 | tslib
CC BY-SA 4.0 | 1 | @cspell/dict-en-common-misspellings
CC0-1.0 | 1 | type-fest
MIT (http://mootools.net/license.txt) | 1 | slick
MIT/X11 | 1 | nub
Public Domain | 1 | jsonify
Python-2.0 | 1 | argparse
SEE LICENSE IN LICENSE | 1 | spawndamnit
SEE LICENSE IN LICENSE.md | 1 | lightcookie
Unlicense | 1 | @sinonjs/text-encoding
WTFPL | 1 | opener
BlueOak-1.0.0 | 3 | jackspeak, package-json-from-dist, path-scurry
CC-BY-4.0 | 3 | @saleor/macaw-ui, caniuse-lite, saleor-apps
LGPL-3.0-or-later | 11 | @img/sharp-libvips-darwin-arm64, @img/sharp-libvips-darwin-x64, @img/sharp-libvips-linux-arm, @img/sharp-libvips-linux-arm64, @img/sharp-libvips-linux-s390x, @img/sharp-libvips-linux-x64, @img/sharp-libvips-linuxmusl-arm64, @img/sharp-libvips-linuxmusl-x64, @img/sharp-wasm32, @img/sharp-win32-ia32, @img/sharp-win32-x64
BSD-2-Clause | 22 | cheerio-select, css-select, css-what, domelementtype, domhandler, domutils, dotenv, entities, escodegen, eslint-scope, espree, esprima, esrecurse, estraverse, esutils, glob-to-regexp, nth-check, shimmer, terser, uglify-js, and 2 more
<<missing>> | 27 | @saleor/app-problems, @saleor/apps-domain, @saleor/apps-logger, @saleor/apps-otel, @saleor/apps-shared, @saleor/apps-trpc, @saleor/apps-ui, @saleor/dynamo-config-repository, @saleor/errors, @saleor/eslint-config-apps, @saleor/handlebars, @saleor/react-hook-form-macaw, @saleor/sentry-utils, @saleor/typescript-config-apps, @saleor/webhook-utils, busboy, json-query, saleor-app-avatax, saleor-app-cms, saleor-app-klaviyo, and 7 more
BSD-3-Clause | 48 | @protobufjs/aspromise, @protobufjs/base64, @protobufjs/codegen, @protobufjs/eventemitter, @protobufjs/fetch, @protobufjs/float, @protobufjs/inquire, @protobufjs/path, @protobufjs/pool, @protobufjs/utf8, @saleor/app-sdk, @saleor/eslint-plugin-saleor-app, @sentry/cli, @sentry/cli-darwin, @sentry/cli-linux-arm, @sentry/cli-linux-arm64, @sentry/cli-linux-i686, @sentry/cli-linux-x64, @sentry/cli-win32-i686, @sentry/cli-win32-x64, and 28 more
ISC | 55 | @bundled-es-modules/cookie, @bundled-es-modules/statuses, @bundled-es-modules/tough-cookie, @isaacs/cliui, abbrev, anymatch, boolbase, cli-width, cliui, concat-with-sourcemaps, electron-to-chromium, fastq, flatted, foreground-child, form-data-lite, fs.realpath, get-caller-file, glob, glob-parent, graceful-fs, and 35 more
Apache-2.0 | 237 | @ampproject/remapping, @aws-crypto/crc32, @aws-crypto/crc32c, @aws-crypto/ie11-detection, @aws-crypto/sha1-browser, @aws-crypto/sha256-browser, @aws-crypto/sha256-js, @aws-crypto/supports-web-crypto, @aws-crypto/util, @aws-sdk/abort-controller, @aws-sdk/chunked-blob-reader, @aws-sdk/client-dynamodb, @aws-sdk/client-s3, @aws-sdk/client-sso, @aws-sdk/client-sso-oidc, @aws-sdk/client-sts, @aws-sdk/config-resolver, @aws-sdk/core, @aws-sdk/credential-provider-env, @aws-sdk/credential-provider-http, and 217 more
MIT | 1410 | @0no-co/graphql.web, @adobe/css-tools, @algolia/cache-browser-local-storage, @algolia/cache-common, @algolia/cache-in-memory, @algolia/client-account, @algolia/client-analytics, @algolia/client-common, @algolia/client-personalization, @algolia/client-search, @algolia/logger-common, @algolia/logger-console, @algolia/recommend, @algolia/requester-browser-xhr, @algolia/requester-common, @algolia/requester-node-http, @algolia/transporter, @apidevtools/json-schema-ref-parser, @ardatan/relay-compiler, @ardatan/sync-fetch, and 1390 more

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens dependency supply-chain security for the monorepo by tightening pnpm’s install policies (release-age + trust policy) and enforcing exact dependency pinning across workspace packages/apps.

Changes:

  • Increase minimumReleaseAge to 21 days with explicit exclusions (including a CVE-related handlebars pin).
  • Configure pnpm trust policy (no-downgrade) with a 30-day ignore-after window and enable exact-version saving.
  • Convert multiple package.json dependency ranges from ^x.y.z to exact x.y.z and update the lockfile accordingly.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated no comments.

File | Description
pnpm-workspace.yaml | Tightens pnpm install policies (minimum release age, trust policy) and enforces exact version saving.
pnpm-lock.yaml | Refreshes lockfile to reflect exact specifiers/pinning and resulting resolution graph changes.
package.json | Pins root devDependency @changesets/cli to an exact version.
.npmrc | Removes trust-policy-ignore-after from npmrc now that the policy is configured in workspace settings.
packages/handlebars/package.json | Pins handlebars and related types to exact versions.
apps/smtp/package.json | Pins multiple dependencies and type packages to exact versions (including handlebars, nodemailer).
apps/search/package.json | Pins clsx, debug, and react-helmet to exact versions.
apps/products-feed/package.json | Pins AWS SDK + fast-xml-parser + handlebars related deps to exact versions.
apps/klaviyo/package.json | Pins node-fetch, react-helmet, and build-tool deps to exact versions.
apps/cms/package.json | Pins @types/qs to an exact version.
apps/avatax/package.json | Pins runtime and dev dependencies (e.g., avatax, jotai, faker, pactum) to exact versions.
apps/avatax/bruno/package.json | Pins @faker-js/faker and normalizes package.json metadata ordering.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.30%. Comparing base (c981371) to head (4efec1c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2314   +/-   ##
=======================================
  Coverage   37.30%   37.30%           
=======================================
  Files        1018     1018           
  Lines       65972    65972           
  Branches     3402     3401    -1     
=======================================
  Hits        24608    24608           
  Misses      40988    40988           
  Partials      376      376           
Flag | Coverage Δ
avatax | 57.39% <ø> (ø)
cms | 18.67% <ø> (ø)
domain | 100.00% <ø> (ø)
dynamo-config-repository | 79.29% <ø> (ø)
errors | 91.66% <ø> (ø)
logger | 28.81% <ø> (ø)
np-atobarai | 72.61% <ø> (ø)
products-feed | 5.91% <ø> (ø)
search | 30.74% <ø> (ø)
segment | 32.38% <ø> (ø)
shared | 37.35% <ø> (ø)
smtp | 35.53% <ø> (ø)
stripe | 71.09% <ø> (ø)
webhook-utils | 11.02% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


witoszekdev added the `skip changeset` label ("Attach this label to PRs which does not need changes description for the release notes.") Apr 1, 2026
NyanKiyoshi previously approved these changes Apr 1, 2026
Co-authored-by: Mikail <6186720+NyanKiyoshi@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 2, 2026 05:11
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


### Installing new packages

This has following requirements for improved supply chain security:
Copilot AI commented Apr 2, 2026

Minor grammar: "This has following requirements" is missing an article (e.g., "This has the following requirements") and reads a bit awkward in the README section.

Suggested change
This has following requirements for improved supply chain security:
This has the following requirements for improved supply chain security:

- Packages must be older than 21 days
- Added packages must use exact version (no `^` or `~`)
- Packages versions cannot have a downgraded provenance security
- All installs are using froze lockfile to prevent unintended changes in transitive dependencies, to update packages anyway, you must use: `pnpm install --no-frozen-lockfile`
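Review bot: the third bullet, "Packages versions cannot have a downgraded provenance security", does not tell a developer what will actually happen or when, while the PR description says the trust policy ignores downgrades once the release is older than 30 days; without that detail, someone whose install of an old patch release succeeds (or is refused) has no way to tell whether that is expected. Suggest rewording along the lines of "pnpm's trust policy (no-downgrade) refuses a version whose provenance is weaker than the one currently in the lockfile; the check is skipped for releases older than 30 days", and "Package versions" rather than "Packages versions". The last bullet would also read better split in two: the frozen-lockfile rule first, then the `pnpm install --no-frozen-lockfile` escape hatch as its own sentence, since the comma splice hides that the second part is the exception.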
Copilot AI commented Apr 2, 2026
Typo: "froze lockfile" should be "frozen lockfile".

Suggested change
- All installs are using froze lockfile to prevent unintended changes in transitive dependencies, to update packages anyway, you must use: `pnpm install --no-frozen-lockfile`
- All installs are using frozen lockfile to prevent unintended changes in transitive dependencies, to update packages anyway, you must use: `pnpm install --no-frozen-lockfile`

@lkostrowski lkostrowski merged commit c1e68cd into main Apr 2, 2026
60 checks passed
@lkostrowski lkostrowski deleted the update-pnpm-security branch April 2, 2026 05:22

Labels: App: AvaTax, App: CMS, App: Klaviyo, App: Product Feed, App: Search, App: SMTP, skip changeset