chore: pnpm hardening, catalog migration, and CI security#490
Merged
kelsos merged 4 commits into rotki:main on Apr 7, 2026
Add supply chain hardening settings from rotki/rotki: strictDepBuilds, blockExoticSubdeps, minimumReleaseAge (7 days), trustPolicy no-downgrade, and selective allowBuilds. Migrate all dependency versions to pnpm catalog for single-source version management. Apply minor/patch updates from the dependency dashboard. Add Renovate grouping rules for monorepo packages.
- pnpm/action-setup v4 → v5
- actions/deploy-pages v4 → v5
- codecov/codecov-action v5 → v6
Pin all action references to immutable commit SHAs to prevent supply chain attacks via mutable tags. Add helpers:pinGitHubActionDigests preset in Renovate to keep SHAs updated automatically. Disable node cache in release workflow to prevent cache poisoning. Pin changelogithub to specific version. Move shamefullyHoist from .npmrc to pnpm-workspace.yaml. Work around @stylistic/spaced-comment false positive on YAML files (rotki/eslint-config#80) to allow SHA comments in workflow files.
Required by chokidar/storybook for file watching in CI.
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main     #490   +/-   ##
=======================================
  Coverage   85.01%   85.01%
=======================================
  Files         139      139
  Lines        5024     5024
  Branches     1509     1509
=======================================
  Hits         4271     4271
  Misses        753      753
Summary
- Added supply chain hardening settings: strictDepBuilds, blockExoticSubdeps, minimumReleaseAge (7 days), trustPolicy: no-downgrade, selective allowBuilds, and a chokidar override to v5
- Migrated to catalog: for single-source version management across all workspace packages
- Pinned changelogithub to a specific version
- Added the helpers:pinGitHubActionDigests preset and monorepo grouping rules (vitest, storybook, vue, commitlint, vueuse). Fixed the tailwind-variants allowed version (0.x → 3.x)
- Moved shamefullyHoist from .npmrc to pnpm-workspace.yaml, added an ESLint workaround for @stylistic/spaced-comment on YAML files (@stylistic/spaced-comment is not disabled for YAML files, only style/spaced-comment is; see eslint-config#80)

Test plan
- pnpm install succeeds cleanly
- pnpm run lint passes (0 errors)
- pnpm run typecheck passes
- pnpm run test:run passes (1012/1012 tests)
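For readers unfamiliar with these pnpm settings, here is an added illustration of how the options named in this PR fit together in a pnpm-workspace.yaml. It is not the repository's own file: the catalog entries, the version ranges and the package allowed to run build scripts are placeholders.

```yaml
# pnpm-workspace.yaml (illustrative, not rotki's actual file)
packages:
  - 'packages/*'

# --- Supply-chain hardening (pnpm 10.x settings) ---
# Fail the install if a dependency wants to run an install/postinstall
# script that is not explicitly allow-listed below, instead of skipping
# it silently and leaving the failure to show up later.
strictDepBuilds: true

# Refuse transitive dependencies that resolve to git, tarball or other
# non-registry sources, so the lockfile only points at the registry.
blockExoticSubdeps: true

# Only install versions published at least 7 days ago. The value is in
# minutes (7 * 24 * 60), which leaves time for a compromised release to
# be yanked before it can reach this workspace.
minimumReleaseAge: 10080

# Refuse an update whose publishing trust level (for example a version
# without provenance) is lower than the one already in the lockfile.
trustPolicy: no-downgrade

# Explicit per-package build allow-list; every other build script is
# blocked. The package name here is a placeholder, not from the PR.
allowBuilds:
  some-native-package: true

# Moved here from .npmrc by the PR; pnpm 10 reads settings from this file.
shamefullyHoist: true

# --- Single-source versions ---
# Each workspace package.json then declares e.g. "vue": "catalog:" and
# picks up the version pinned here. Versions below are placeholders.
catalog:
  vue: ^3.5.0
  vitest: ^3.0.0

# Force one chokidar major across the tree (the PR overrides it to v5).
overrides:
  chokidar: ^5.0.0
```

Run `pnpm install` after editing: with strictDepBuilds on, any package that needs a build script and is missing from allowBuilds makes the install exit non-zero rather than proceed quietly.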