Merge pull request #187 from yumechi/claude/npm-ignore-scripts-security-Ct9Ol

Author: yumechi

.github/workflows/blog-analytics.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: tools/blog-analytics
-        run: uv sync
+        run: uv sync --frozen
 
       - name: Create output directory
         run: mkdir -p output

.github/workflows/deploy-test.yml

@@ -20,6 +20,6 @@ jobs:
           cache: 'pnpm'
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
       - name: Test build website
         run: pnpm build

.github/workflows/deploy.yml

@@ -23,7 +23,7 @@ jobs:
           cache: 'pnpm'
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
       - name: Build website
         run: pnpm build
 

.npmrc

@@ -0,0 +1 @@
+ignore-scripts=true

pnpm-workspace.yaml

@@ -1,3 +1,5 @@
+minimumReleaseAge: 10080 # 7 days
+
 overrides:
   js-yaml@<3.14.2: '>=3.14.2'
   js-yaml@>=4.0.0 <4.1.1: '>=4.1.1'

renovate.json

@@ -0,0 +1,5 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "minimumReleaseAge": "7 days"
+}

tools/blog-analytics/pyproject.toml

@@ -17,3 +17,4 @@ dev = [
 
 [tool.uv]
 package = false
+exclude-newer = "1 week"