Harden supply chain security (#18)

yosriady · claude · web-flow · commit af227a12ce23 · 2026-05-20T14:44:03.000+07:00
* Harden supply chain security

* Sync lockfile specifier with pinned ethereum-cryptography

The dependency pin in package.json (^3.2.0 → 3.2.0) left the
lockfile specifier out of sync, which broke `pnpm install
--frozen-lockfile` in CI. The resolved version is unchanged
(3.2.0); only the specifier field is updated. A full `pnpm
install` would have been blocked by the 7d minimumReleaseAge
cooldown against a recently-bumped transitive, so the lockfile
is edited surgically.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -59,3 +59,22 @@ jobs:
 
       - name: Run tests
         run: pnpm test
+
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          version: 11.1.2
+
+      - name: Setup Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "22.14.0"
+
+      - name: Audit production dependencies
+        run: pnpm audit --prod --audit-level=high
diff --git a/package.json b/package.json
@@ -26,7 +26,7 @@
     "lint": "tsc --noEmit"
   },
   "dependencies": {
-    "ethereum-cryptography": "^3.2.0"
+    "ethereum-cryptography": "3.2.0"
   },
   "devDependencies": {
     "@swc/core": "^1.3.102",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -8,9 +8,8 @@ packages:
   - '.'
 
 # Supply-chain cooldown: don't resolve dependency versions until they
-# are at least 2880 minutes (48h) old. pnpm 11's default is 1440 (24h);
-# this preserves the explicit 48h policy from PR #14.
-minimumReleaseAge: 2880
+# are at least 10080 minutes (7d) old. pnpm 11's default is 1440 (24h).
+minimumReleaseAge: 10080
 
 # Dependency build-script policy (pnpm 11 strictDepBuilds default).
 # Both packages ship prebuilt native bindings via platform-specific
