Conversation

@itaisinai
Collaborator

@itaisinai itaisinai commented Dec 24, 2025

Background

Wix employees need to work against Wix's internal NPM registry since the public registry is blocked on the Wix network. To enable CI/CD and npm.js publishing for open-source projects in non-"wix-private" repositories, we need to comply with specific security requirements.

Summary

This PR implements the required security compliance (Shai Hulud) and migrates the project from npm to yarn to support the internal registry workflow.

Main Changes:

  1. Migrated from npm to yarn:

    • Removed package-lock.json and added yarn.lock
    • Added .yarnrc.yml configured to use npmRegistryServer: https://registry.npmjs.org
    • Added yarn 4.12.0 binary (.yarn/releases/yarn-4.12.0.cjs)
    • Updated all npm commands to yarn across all package.json files
    • Updated lerna.json to use yarn as npmClient
    • Added packageManager: "yarn@4.12.0" to root package.json
  2. Upgraded Node.js: Updated from 16.20.0 to 22.10.0 (updated .nvmrc and workflow files)

  3. Security compliance for CI/CD:

    • Pinned GitHub Actions to commit SHAs: Replaced @v4 tags with specific commit SHAs for actions/checkout and actions/setup-node to ensure reproducible and secure builds
    • Added npq for package installation: Replaced all yarn install commands with NPQ_PKG_MGR=yarn npx npq install to audit npm packages before installation

Files changed:

  • .github/workflows/node.yml - Updated all 4 jobs (lint, tests, deploy, update-playground)
  • .nvmrc - Updated Node version
  • .yarnrc.yml - Added yarn configuration with internal registry settings
  • yarn.lock - Added yarn lockfile
  • package-lock.json - Removed
  • package.json (root and all packages) - Updated scripts to use yarn
  • lerna.json - Configured to use yarn
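
As an added example (not part of this PR or the project's code), a small Python check that applies the two CI rules this PR adopts to a workflow file: every action pinned to a full commit SHA, and every yarn install routed through npq. The sample workflow jobs and the SHAs in them are constructed placeholders, not the real commits used in the PR.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s@]+)@([^\s#]+)')
# A full 40-hex commit SHA; tags such as v4 or v4.1.0 are mutable and do not match.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
YARN_INSTALL_RE = re.compile(r'\byarn\s+install\b')

def audit_workflow(text):
    """Return a list of (line_no, message) findings for a GitHub Actions workflow.

    Rule 1: third-party actions must be pinned to a commit SHA, not a floating tag.
    Rule 2: `yarn install` must run through npq (NPQ_PKG_MGR=yarn npx npq install)
            so packages are audited before installation. Every non-comment line is
            scanned, so multi-line `run: |` blocks are covered too.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith('#'):
            continue
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                findings.append((n, f"{action} uses mutable ref '{ref}'; pin to a 40-hex commit SHA"))
        elif YARN_INSTALL_RE.search(line) and 'npq' not in line:
            findings.append((n, "'yarn install' runs without npq; use NPQ_PKG_MGR=yarn npx npq install"))
    return findings

# Constructed sample: a lint job as it looked before hardening (floating tags, bare install).
BEFORE = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
      - run: yarn install
"""

# Constructed sample: the hardened form. The SHAs are placeholders; substitute the
# audited commit of the release you actually pin.
AFTER = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder)
      - uses: actions/setup-node@1111111111111111111111111111111111111111  # v4 (placeholder)
        with:
          node-version-file: .nvmrc
      - run: NPQ_PKG_MGR=yarn npx npq install
"""
```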

@itaisinai itaisinai changed the base branch from master to V4_Final December 24, 2025 10:11
@itaisinai
Collaborator Author

#rebuild

@itaisinai
Collaborator Author

#rebuild

@itaisinai itaisinai force-pushed the shai-hulud-compliance branch from e97d454 to 5a35a6c Compare December 30, 2025 16:22
@itaisinai itaisinai enabled auto-merge January 6, 2026 12:15
@itaisinai itaisinai closed this Jan 6, 2026
auto-merge was automatically disabled January 6, 2026 12:52

Pull request was closed

@itaisinai itaisinai reopened this Jan 6, 2026
@IzaacAyelin IzaacAyelin merged commit 4e4cc57 into V4_Final Jan 6, 2026
7 checks passed
@IzaacAyelin IzaacAyelin deleted the shai-hulud-compliance branch January 6, 2026 13:25
