Upgrade to pnpm 11.1.1 and harden supply chain CI#31
- Bump packageManager pnpm@10.27.0 -> pnpm@11.1.1
- Move pnpm.overrides from package.json to pnpm-workspace.yaml; pnpm 11 no longer reads the legacy "pnpm" field, which silently disabled all override rules including semver@6 -> >=7.7.4
- Bump minimumReleaseAge 1440 -> 10080 (24h -> 7d); delete .npmrc since pnpm 11 reads supply-chain settings from pnpm-workspace.yaml only
- Add trustPolicyExclude for ua-parser-js@0.7.41 (pulled by expo-device; older 0.7.x line predates npm provenance and trips the v11 default trustPolicy: no-downgrade — not a supply-chain incident)
- Add pnpm.overrides for @babel/plugin-transform-modules-systemjs >=7.29.4 (GHSA-fv7c-fp4j-7gwp, high) and ws@8 >=8.20.1 (GHSA-58qx-3vcg-4xpx, moderate); pin @react-native-community/netinfo manifest entry
- Add audit job to CI running pnpm audit --prod as a release gate

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
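The description above says pnpm 11 reads overrides, minimumReleaseAge and trustPolicyExclude from pnpm-workspace.yaml only. The following is an added illustration of what that file looks like with the settings named in this thread; it is not the PR's own file. The `packages` entry, the comments, and the list form of `trustPolicyExclude` are assumptions; every override range and advisory id comes from the PR description, the diff snippets and the follow-up commits.

```yaml
# pnpm-workspace.yaml (added example, not the PR's file)
packages:
  - '.'   # assumed: single-package repo; adjust to the real workspace layout

# pnpm 11 ignores the legacy "pnpm" field in package.json, so overrides must
# live here or they silently stop applying (as happened to the semver rule).
overrides:
  'semver@6': '>=7.7.4'
  '@babel/plugin-transform-modules-systemjs': '>=7.29.4'   # GHSA-fv7c-fp4j-7gwp (high)
  'ws@8': '>=8.20.1'                                        # GHSA-58qx-3vcg-4xpx (moderate)
  '@react-native-community/cli': '>=17.0.1'
  '@react-native-community/cli-server-api': '>=17.0.1'
  '@xmldom/xmldom': '>=0.9.10'                              # 0.9.9 deprecated (review feedback)
  '@ungap/structured-clone': '>=1.3.1'                      # CWE-502 (review feedback)
  'uuid': '>=11.0.0'                                        # uuid@7.0.3 deprecated
  'tar': '>=7.5.13'
  'undici': '>=6.24.1 <7'                                   # upper bound keeps the v6 API
  'postcss': '>=8.5.10'                                     # GHSA-qx2v-qp2m-jg93
  'brace-expansion@5': '>=5.0.6 <6'                         # GHSA-jxxr-4gwj-5jf2

# Supply-chain settings (formerly in .npmrc). Value is in minutes: 10080 = 7 days,
# so a freshly published version cannot be resolved until it has aged a week.
minimumReleaseAge: 10080

# pnpm 11 defaults trustPolicy to no-downgrade. ua-parser-js 0.7.x predates npm
# provenance, so the one version pulled by expo-device is excluded explicitly.
# (list form assumed)
trustPolicyExclude:
  - 'ua-parser-js@0.7.41'
```

After editing, run `pnpm install` and confirm the rules took effect: pnpm-lock.yaml gains an `overrides:` block mirroring these ranges, and `pnpm why semver` (or any other overridden package) should show only versions inside the override range. A rule that is missing from the lockfile's `overrides:` block is not being applied, which is exactly the failure mode the legacy `pnpm` field caused under pnpm 11.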
Code Review
This pull request focuses on hardening the supply chain by upgrading pnpm to version 11.1.1, increasing the minimum release age for new packages to 7 days, and centralizing dependency overrides within the workspace configuration. It also pins the version of @react-native-community/netinfo and updates several transitive dependencies like ws and @babel/plugin-transform-modules-systemjs. Review feedback highlights that several packages currently resolved in the lockfile, specifically @xmldom/xmldom, @ungap/structured-clone, and uuid, are deprecated or contain security vulnerabilities. It is recommended to add explicit overrides for these packages to ensure they are updated to secure, supported versions.
| '@babel/plugin-transform-modules-systemjs': '>=7.29.4' | ||
| '@react-native-community/cli': '>=17.0.1' | ||
| '@react-native-community/cli-server-api': '>=17.0.1' | ||
| '@xmldom/xmldom': '>=0.8.12' |
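Review bot: the two `@react-native-community/cli` / `cli-server-api` overrides at `'>=17.0.1'` in this hunk have no corresponding entry in the PR description, which lists only the babel plugin and ws additions; record the advisory or the reason for the floor in the commit message so the purpose of the override is recoverable when someone later considers removing it.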
The lockfile indicates that @xmldom/xmldom@0.9.9 is currently resolved, but this version is deprecated due to critical issues. Additionally, @ungap/structured-clone@1.3.0 is present in the lockfile and is deprecated due to a potential security vulnerability (CWE-502). It is recommended to update the @xmldom/xmldom override to '>=0.9.10' and add an override for @ungap/structured-clone to version '>=1.3.1' to ensure supply chain security.
'@ungap/structured-clone': '>=1.3.1'
'@xmldom/xmldom': '>=0.9.10'
| 'semver@6': '>=7.7.4' | ||
| 'tar': '>=7.5.13' | ||
| 'undici': '>=6.24.1 <7' | ||
| 'ws@8': '>=8.20.1' |
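Review bot: `'semver@6': '>=7.7.4'` in this hunk crosses a major version boundary, and per the PR description this rule was silently disabled under the legacy `pnpm` field, so it is effectively taking effect for the first time in this PR; confirm the packages that depend on semver@6 still pass tests with semver 7 (the follow-up commit reports 212 tests passing, which covers this if those consumers are exercised). The `'ws@8'` and `'undici': '>=6.24.1 <7'` entries are keyed or bounded to a single major and are the safer pattern.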
- @xmldom/xmldom: '>=0.8.12' -> '>=0.9.10' (deprecated due to critical issues)
- @ungap/structured-clone: add '>=1.3.1' (CWE-502)
- uuid: add '>=11.0.0' (uuid@7.0.3 deprecated, no longer supported)

All three are devDep-only transitives via expo. Resolved to @xmldom/xmldom@0.9.10, @ungap/structured-clone@1.3.1, uuid@14.0.0. Audit clean; build, lint, typecheck, 212 tests all pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- postcss '>=8.5.10' (GHSA-qx2v-qp2m-jg93, XSS via unescaped </style>)
- brace-expansion@5 '>=5.0.6 <6' (GHSA-jxxr-4gwj-5jf2, large-range DoS; v1 and v2 lines were already overridden, but a v5.0.5 was slipping through via the typescript-eslint toolchain)

Resolves all 6 open Dependabot advisories. 'pnpm audit' is now clean for both the full tree and --prod scope.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
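The PR adds a CI job running `pnpm audit --prod` as a release gate but the workflow file itself is not shown in this thread. The following is an added example of such a job, not the repository's workflow. The file path, job and workflow names, the trigger on `v*` tags, the Node version and the use of `pnpm/action-setup` and `actions/setup-node` are assumptions; `pnpm audit --prod` is the command named in the PR.

```yaml
# .github/workflows/audit.yml (assumed path; added example, not the PR's workflow)
name: supply-chain-audit

on:
  pull_request:
  push:
    tags: ['v*']   # assumed: also run on release tags so the job gates releases

permissions:
  contents: read   # the job only needs to read the repository

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # With no `version` input, pnpm/action-setup reads the packageManager
      # field from package.json, so CI uses the same pnpm@11.1.1 as the repo.
      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed; use the project's own Node version
          cache: pnpm

      # --frozen-lockfile fails if package.json and pnpm-lock.yaml disagree, so
      # the lockfile reviewed in the PR is exactly what gets audited.
      - run: pnpm install --frozen-lockfile

      # The gate from the PR: production dependencies only; a non-zero exit
      # status fails the job and blocks the release.
      - run: pnpm audit --prod

      # Evidence that the overrides moved to pnpm-workspace.yaml are applied:
      # the resolved semver versions must all satisfy the override range.
      - run: pnpm why semver
```

Keeping `pull_request` as a trigger means a dependency bump that reintroduces an advisory is caught at review time rather than at release time; the tag trigger is what turns the job into a release gate. Because `pnpm audit` consults the registry's advisory database, the job can start failing without any change to the repository, which is the intended behaviour for a gate but worth knowing when a previously green commit is re-run.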