fix: supply chain hardening and dep fixes (#341)

- Override protobufjs >=7.5.5, tar >=7.5.13, dompurify >=3.4.0
- Move protobufjs to ignoredBuiltDependencies
- Add --frozen-lockfile to CI install steps
- Refresh lockfile

Author: grandizzy

.github/workflows/verify.yml

@@ -39,7 +39,7 @@ jobs:
           cache-dependency-path: pnpm-lock.yaml
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Check
         run: pnpm run check
@@ -100,7 +100,7 @@ jobs:
           cache-dependency-path: pnpm-lock.yaml
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Run Playwright tests
         run: pnpm run test:e2e --shard=${{ matrix.shard }}/3

pnpm-lock.yaml

@@ -7,6 +7,8 @@ onlyBuiltDependencies:
   - core-js
   - es5-ext
   - esbuild
+
+ignoredBuiltDependencies:
   - protobufjs
 
 minimumReleaseAgeExclude:
@@ -16,6 +18,11 @@ minimumReleaseAgeExclude:
   - ox
   - viem
 
+overrides:
+  protobufjs: '>=7.5.5'
+  tar: '>=7.5.13'
+  dompurify: '>=3.4.0'
+
 patchedDependencies:
   '@braintree/sanitize-url@7.1.2': patches/@braintree__sanitize-url@7.1.2.patch
   dayjs@1.11.20: patches/dayjs@1.11.20.patch