chore(ui): add pnpm supply chain security protections #10471

Open
pfe-nazaries wants to merge 8 commits into master from chore/pnpm-supply-chain-protection

@pfe-nazaries

Summary

  • Add pnpm-workspace.yaml with layered supply chain protections
    per https://pnpm.io/supply-chain-security
  • Bump pnpm from 10.24.0 to 10.33.0 (required for
    blockExoticSubdeps and trustPolicy)
  • Fix CI workflows to read exact pnpm version from
    ui/package.json instead of floating version: 10

Supply chain protections added

| Protection | Setting | What it does |
| --- | --- | --- |
| Minimum release age | minimumReleaseAge: 1440 | Blocks packages published < 24h ago |
| Build script allow-list | onlyBuiltDependencies | Only 6 explicitly trusted packages may run postinstall scripts |
| Trust policy | trustPolicy: no-downgrade | Fails install if a package's trust evidence degrades (e.g., account takeover) |
| Block exotic subdeps | blockExoticSubdeps: true | Prevents transitive deps from using git/tarball URLs |

CI fix

pnpm/action-setup was configured with version: 10, which
installs the latest 10.x ignoring the pinned version in
packageManager. Since package.json lives in ui/ (not repo
root), the action never found it. Now uses package_json_file: ui/package.json to read the exact SHA512-verified version.

Test plan

  • Clean install (rm -rf node_modules && pnpm install) — no
    trust violations or exotic subdep issues
  • All 6 allowed packages run build scripts successfully
  • 123/123 unit tests pass
  • Healthcheck (typecheck + ESLint) passes
  • Production build succeeds
  • CI workflows pass with package_json_file: ui/package.json

@pfe-nazaries pfe-nazaries requested review from a team as code owners March 25, 2026 14:02
@github-actions github-actions bot added the github_actions, component/ui and community labels Mar 25, 2026
@github-actions
Contributor

github-actions bot commented Mar 25, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Contributor

⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

  • ui

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.

@github-actions
Contributor

github-actions bot commented Mar 25, 2026

🔒 Container Security Scan

Image: prowler-ui:5bbe45f
Last scan: 2026-03-27 10:01:12 UTC

✅ No Vulnerabilities Detected

The container image passed all security checks. No known CVEs were found.

@alejandrobailo alejandrobailo added the no-changelog label Mar 26, 2026
alejandrobailo
alejandrobailo previously approved these changes Mar 26, 2026
Contributor

@alejandrobailo alejandrobailo left a comment

LGTM!

jfagoagas
jfagoagas previously approved these changes Mar 26, 2026
Member

@jfagoagas jfagoagas left a comment

@pfe-nazaries pfe-nazaries dismissed stale reviews from jfagoagas and alejandrobailo via 514be55 March 27, 2026 09:54
Contributor

@Alan-TheGentleman Alan-TheGentleman left a comment

Clean, well-scoped security hardening. The layered approach (release age + build allowlist + trust policy + exotic subdep blocking) is solid, and pinning pnpm via packageManager + package_json_file in CI is the right fix — floating version: 10 was quietly defeating the SHA512 pin.

One thing worth a follow-up (not blocking): the onlyBuiltDependencies allowlist has @heroui/shared-utils and msw — both feel unusual for needing postinstall scripts. Worth confirming those are actually required, not just leftover from a previous audit.

Ship it.

Contributor

@Alan-TheGentleman Alan-TheGentleman left a comment

Quick question on the onlyBuiltDependencies allowlist: @heroui/shared-utils and msw look unusual at first glance. Do you know why those two need postinstall scripts?

@pfe-nazaries
Author

> Quick question on the onlyBuiltDependencies allowlist: @heroui/shared-utils and msw look unusual at first glance. Do you know why those two need postinstall scripts?

Good point there. I will take a look at heroui (I think we can remove it). Msw is expected to be there.

@pfe-nazaries
Author

> Quick question on the onlyBuiltDependencies allowlist: @heroui/shared-utils and msw look unusual at first glance. Do you know why those two need postinstall scripts?

Apparently, HeroUI needs to inject different scripts depending on the React and Next.js version during build time. This is annoying from their side but necessary until we get rid of HeroUI.

Contributor

@Alan-TheGentleman Alan-TheGentleman left a comment

Three things to fix before merge:

  1. The builder stage doesn't use the pinned pnpm. corepack install runs in deps, but builder inherits from base — which after this PR only has corepack enable. So pnpm run build resolves pnpm from corepack's base shim, not the package.json pin. Version pinning breaks at the build stage.

  2. onlyBuiltDependencies has entries that don't belong. msw isn't in dependencies or devDependencies — dead entry. For the transitive ones (@heroui/shared-utils, unrs-resolver, @sentry/cli), add a comment per entry explaining why it needs a build script. I verified @heroui/shared-utils is legit (detects React/Next version, copies demi bundles), but the others aren't obvious from the code alone.

  3. No escape hatch for emergency patches. minimumReleaseAge: 1440 blocks packages published in the last 24h — including critical CVE patches. If a zero-day drops in next or react, the team can't install the fix until the next day. Add minimumReleaseAgeExclude with at least the most critical packages.

@pfe-nazaries pfe-nazaries force-pushed the chore/pnpm-supply-chain-protection branch from f01f86d to 0b87c5f Compare March 30, 2026 12:44
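
Added example (not part of the pull request or of any participant's comment): a small Node.js check for the allowlist concern raised in the review, sorting each onlyBuiltDependencies entry into direct, transitive or unresolved. The package.json contents, lockfile excerpt and versions are constructed, the function names are hypothetical, and the lockfile key layout (v9) is an assumption.

```javascript
// Added example, not code from the PR. Sample versions and the lockfile
// excerpt are constructed; the allowlist holds the four names in the thread.

// Assumption: pnpm-lock.yaml v9 layout, where package keys sit at two-space
// indent, e.g. "  '@scope/name@1.2.3':" or "  name@1.2.3(peer@4.5.6):".
function lockfilePackageNames(lockText) {
  const names = new Set();
  const key = /^ {2}'?((?:@[^/\s']+\/)?[^@\s'/]+)@[^\s']+'?:\s*$/;
  for (const line of lockText.split(/\r?\n/)) {
    const m = key.exec(line);
    if (m) names.add(m[1]);
  }
  return names;
}

// Sort each allowlist entry into: direct dependency, transitive (present in
// the lockfile only), or unresolved (nothing installs it: a dead entry).
function auditBuildAllowlist(allowlist, pkgJson, lockText) {
  const direct = new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
  ]);
  const resolved = lockfilePackageNames(lockText);
  const report = { direct: [], transitive: [], unresolved: [] };
  for (const name of allowlist) {
    if (direct.has(name)) report.direct.push(name);
    else if (resolved.has(name)) report.transitive.push(name);
    else report.unresolved.push(name);
  }
  return report;
}

const SAMPLE_ALLOWLIST = ["@heroui/shared-utils", "msw", "unrs-resolver", "@sentry/cli"];
const SAMPLE_PACKAGE_JSON = { dependencies: { next: "0.0.0", react: "0.0.0" } };
const SAMPLE_LOCKFILE = [
  "lockfileVersion: '9.0'",
  "packages:",
  "  '@heroui/shared-utils@0.0.0':",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  '@sentry/cli@0.0.0':",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  unrs-resolver@0.0.0:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
].join("\n");

console.log(auditBuildAllowlist(SAMPLE_ALLOWLIST, SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE));
```

Entries reported as unresolved are candidates for removal from the allowlist; entries reported as transitive are the ones that benefit from a per-entry comment explaining why a build script is needed.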