ci: block compromised npm packages with Socket Firewall Free#254
Merged
Conversation
Bump voidzero-dev/setup-vp to v1.12.0 and opt in to Socket Firewall Free via sfw: true on every job that installs dependencies. Using sfw wraps the package install so any known-malicious package version is blocked at download time and fails the install, adding a layer of protection against npm supply chain attacks. See https://docs.socket.dev/docs/socket-firewall-free. Built-in setup-vp support was added upstream in voidzero-dev/setup-vp#72. - ci.yml: convert the lint job's separate vp install step to the setup-vp run-install config, and add sfw: true to every dependency-installing job - autofix.yml, chromatic.yml: bump + sfw: true - chromatic.yml: drop the global pnpm install and pass buildCommand/outputDir to chromaui/action directly so it no longer needs to detect the package manager - release-tag.yml: install dependencies through setup-vp run-install with sfw - release-pr.yml: version bump only (no install step) Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #254 +/- ##
=======================================
Coverage 68.54% 68.54%
=======================================
Files 122 122
Lines 2651 2651
Branches 572 572
=======================================
Hits 1817 1817
Misses 433 433
Partials 401 401
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
|
Want your agent to iterate on Greptile's feedback? Try greploops. |
RedStar071
added a commit
that referenced
this pull request
Jun 30, 2026
This PR will deploy the following changes to production (`wolfstar.rocks`). **Next version: `v0.8.0`** (current: `v0.7.4`) ### Features - feat(ui): add WolfStar logo mark to header with accessibility tests (#252) (`581a22bd`) - feat: bootstrap Storybook and Chromatic integration (#209) (`bd3107ea`) - feat(ui): add WolfStar logo mark to header (#251) (`df3d7a88`) - feat(auth): make session cookie name configurable per deployment (#250) (`3b408d0e`) - feat: add session refresh on app mount and document visibility (#248) (`fadf006b`) - feat(feedback): prefill dashboard feedback from OAuth email (#241) (`b4c9d067`) - feat(sentry): add Sentry user feedback with custom site design (#239) (`9478a08d`) - feat(discord): enhance manageable guild filtering and loading state handling (#236) (`13113c53`) - feat(dashboard): dashboard audit log system with slideover UI (#144) (`2e3b629d`) ### Fixes - fix(sentry): delete client source maps after upload to prevent public exposure (#243) (`1a6125e6`) - fix(ui): align feedback and scroll-to-top floating buttons (#240) (`8a06d1d0`) ### Other Changes - docs: restructure contributing guide and add zizmor dev tasks (#258) (`608a9a5d`) - test(a11y): consolidate app component accessibility audits into a11y.spec (#257) (`c13329b0`) - chore(deps): update Prisma to v7.8.0 and TypeScript to v6.0.3 (#256) (`cc62791e`) - chore(deps): update all non-major dependencies (#205) (`19cfb004`) - chore(deps): update devdependency @shelve/cli to v5 (#160) (`ead2b558`) - chore(deps): update devdependency @e18e/eslint-plugin to v0.5.0 (#207) (`6295e7e3`) - ci: block compromised npm packages with Socket Firewall Free (#254) (`342694dc`) - ci: migrate workflows to Blacksmith runners (#253) (`69264375`) - refactor: replace intersection observer with scroll-driven animations (#247) (`b015ab4e`) - chore: update skills skilld (#249) (`a69d33c9`) - chore(deps): update dependency vite-plus to v0.1.22 (#174) (`2662f244`) - chore(deps): update nuxt core (#196) (`182f3dec`) - chore(deps): update devdependency jsdom to v29 (#208) (`93e426bb`) - chore(docs): consolidate agent instructions and add design lint (#246) (`856192bf`) - chore(docs): update AGENTS.md to reflect recent changes (#245) (`b8d5a73f`) - chore(docs): update AGENTS.md to reflect recent changes (#242) (`03083f6e`) --- > Merging this PR will: > - Deploy to `wolfstar.rocks` via Netlify > - Create a `v0.8.0` tag and GitHub Release
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Replicates npmx-dev/npmx.dev#2889 on this codebase.
The npm ecosystem has been hit repeatedly by supply-chain attacks. Socket Firewall Free (
sfw) blocks known-malicious package versions at download time, failing the install before anything is written or any lifecycle/postinstall script runs. Socket typically flags these packages within ~5 minutes of publish, which covers the ~3-36 hour window before npm unpublishes them. It is free, with no licence, account, or attribution required.voidzero-dev/setup-vpgained built-in support for this in v1.12.0 (setup-vp#72), so opting in is justsfw: true.Changes
Bump
voidzero-dev/setup-vpfrom v1.10.0 to v1.12.0 across all workflows and enablesfw: trueon every job that installs dependencies.ci.yml: addsfw: truetounit,test,browser,benchmark,a11y,perf, andknip; convert thelintjob's separatevp install --filter . --ignore-scriptsstep into setup-vp'srun-installconfig so the install is guarded by sfw.autofix.yml: bump +sfw: true.chromatic.yml: bump +sfw: true; drop the globalvp install -g pnpmstep and passbuildCommand: vp run build-storybook/outputDir: storybook-statictochromaui/actiondirectly, so it no longer needs to detect the package manager (storybook-staticis already in.gitignore).release-tag.yml: install dependencies through setup-vp'srun-installwithsfw: trueinstead of a barevp install.release-pr.yml: version bump only (this workflow has no install step).Notes on differences from the source PR
The npmx PR also touched
deploy-canary.yml(addsSocketDev/action) andlunaria.yml, plus a.github/zizmor.ymlline-reference tied to lunaria. This repo has neither workflow, and our.github/zizmor.ymlhas nostale-action-refsentry, so those parts don't apply here.The pinned v1.12.0 SHA (
2dec1e33f4ab2c6d5bce1b0c4607961bb1a3f7a1) was verified against the upstreamv1.12.0tag. All edited workflow files were validated as parseable YAML.Need help on this PR? Tag
/codesmithwith what you need. Autofix is enabled.Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[Workflow trigger] --> B[actions/checkout] B --> C[voidzero-dev/setup-vp v1.12.0] C --> D{run-install?} D -->|false| E[Toolchain only\nNo packages installed] D -->|default / config| F[Activate sfw interceptor] F --> G[Run package install\nvp install with args] G --> H{Package flagged\nby Socket?} H -->|Yes - known malicious| I[❌ Install fails\nWorkflow blocked] H -->|No| J[✅ Packages installed\nWorkflow continues] E --> K[Downstream steps\ne.g. version/tag in release-tag.yml] K --> L[Second setup-vp call\nwith sfw:true] L --> F style I fill:#ff4444,color:#fff style J fill:#44bb44,color:#fff style F fill:#ff8800,color:#fff%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% flowchart TD A[Workflow trigger] --> B[actions/checkout] B --> C[voidzero-dev/setup-vp v1.12.0] C --> D{run-install?} D -->|false| E[Toolchain only\nNo packages installed] D -->|default / config| F[Activate sfw interceptor] F --> G[Run package install\nvp install with args] G --> H{Package flagged\nby Socket?} H -->|Yes - known malicious| I[❌ Install fails\nWorkflow blocked] H -->|No| J[✅ Packages installed\nWorkflow continues] E --> K[Downstream steps\ne.g. version/tag in release-tag.yml] K --> L[Second setup-vp call\nwith sfw:true] L --> F style I fill:#ff4444,color:#fff style J fill:#44bb44,color:#fff style F fill:#ff8800,color:#fffReviews (2): Last reviewed commit: "ci: document two-step setup-vp pattern i..." | Re-trigger Greptile