chore(e2e): pin transitive deps to trusted-publisher floor (#8522)

Author: jacekradko

.changeset/pin-trusted-publisher-deps.md

@@ -0,0 +1,2 @@
+---
+---

integration/constants.ts

@@ -88,3 +88,18 @@ export const constants = {
   INTEGRATION_INSTANCE_KEYS: process.env.INTEGRATION_INSTANCE_KEYS,
   INTEGRATION_STAGING_INSTANCE_KEYS: process.env.INTEGRATION_STAGING_INSTANCE_KEYS,
 } as const;
+
+/**
+ * Floor versions of transitive deps that carry pnpm "trustedPublisher" evidence.
+ * Injected as `pnpm.overrides` into every fixture's tmp `package.json` so that
+ * isolated installs satisfy pnpm 10's trust-downgrade check. Sourced from the
+ * 2026-05-11 npm supply-chain incident response (mini Shai-Hulud worm).
+ * Update when upstream packages publish newer versions via OIDC trusted publisher.
+ */
+export const TRUSTED_OVERRIDES: Record<string, string> = {
+  'semver@<7.7.3': '7.7.4',
+  'chokidar@<5.0.0': '5.0.0',
+  'undici-types@<7.16.0': '7.24.8',
+  'tailwind-merge@<3.4.0': '3.4.0',
+  'vite@<7.1.3': '7.3.3',
+};

integration/models/applicationConfig.ts

@@ -2,7 +2,7 @@ import * as path from 'node:path';
 
 import type { AccountlessApplication } from '@clerk/backend';
 
-import { constants } from '../constants';
+import { constants, TRUSTED_OVERRIDES } from '../constants';
 import { PKGLAB } from '../presets/utils';
 import { createLogger, fs } from '../scripts';
 import { application } from './application';
@@ -125,13 +125,22 @@ export const applicationConfig = () => {
             ? []
             : [...dependencies.entries()].filter(([, version]) => version === PKGLAB).map(([name]) => [name, 'latest']),
         );
+      const packageJsonPath = path.resolve(appDirPath, 'package.json');
+      const contents = await fs.readJSON(packageJsonPath);
       if (npmDeps.length > 0) {
-        const packageJsonPath = path.resolve(appDirPath, 'package.json');
         logger.info(`Modifying dependencies in "${packageJsonPath}"`);
-        const contents = await fs.readJSON(packageJsonPath);
         contents.dependencies = { ...contents.dependencies, ...Object.fromEntries(npmDeps) };
-        await fs.writeJSON(packageJsonPath, contents, { spaces: 2 });
       }
+      // Pin transitives to versions with pnpm "trustedPublisher" evidence so the
+      // isolated tmp install passes pnpm 10's trust-downgrade check.
+      contents.pnpm = {
+        ...(contents.pnpm ?? {}),
+        overrides: {
+          ...(contents.pnpm?.overrides ?? {}),
+          ...TRUSTED_OVERRIDES,
+        },
+      };
+      await fs.writeJSON(packageJsonPath, contents, { spaces: 2 });
 
       return application(self, appDirPath, appDirName, serverUrl);
     },

package.json

@@ -161,10 +161,15 @@
       "msw"
     ],
     "overrides": {
+      "chokidar@<5.0.0": "5.0.0",
       "react": "catalog:react",
       "react-dom": "catalog:react",
       "rolldown": "catalog:repo",
-      "utf-8-validate": "5.0.10"
+      "semver@<7.7.3": "7.7.4",
+      "tailwind-merge@<3.4.0": "3.4.0",
+      "undici-types@<7.16.0": "7.24.8",
+      "utf-8-validate": "5.0.10",
+      "vite@<7.1.3": "7.3.3"
     }
   }
 }