Skip to content

ci: block compromised npm packages with Socket Firewall Free#254

Merged
RedStar071 merged 2 commits into
mainfrom
ci/use-socket-firewall-free
Jun 28, 2026
Merged

ci: block compromised npm packages with Socket Firewall Free#254
RedStar071 merged 2 commits into
mainfrom
ci/use-socket-firewall-free

Conversation

@RedStar071

@RedStar071 RedStar071 commented Jun 28, 2026

Copy link
Copy Markdown
Member

Context

Replicates npmx-dev/npmx.dev#2889 on this codebase.

The npm ecosystem has been hit repeatedly by supply-chain attacks. Socket Firewall Free (sfw) blocks known-malicious package versions at download time, failing the install before anything is written or any lifecycle/postinstall script runs. Socket typically flags these packages within ~5 minutes of publish, which covers the ~3-36 hour window before npm unpublishes them. It is free, with no licence, account, or attribution required.

voidzero-dev/setup-vp gained built-in support for this in v1.12.0 (setup-vp#72), so opting in is just sfw: true.

Changes

Bump voidzero-dev/setup-vp from v1.10.0 to v1.12.0 across all workflows and enable sfw: true on every job that installs dependencies.

  • ci.yml: add sfw: true to unit, test, browser, benchmark, a11y, perf, and knip; convert the lint job's separate vp install --filter . --ignore-scripts step into setup-vp's run-install config so the install is guarded by sfw.
  • autofix.yml: bump + sfw: true.
  • chromatic.yml: bump + sfw: true; drop the global vp install -g pnpm step and pass buildCommand: vp run build-storybook / outputDir: storybook-static to chromaui/action directly, so it no longer needs to detect the package manager (storybook-static is already in .gitignore).
  • release-tag.yml: install dependencies through setup-vp's run-install with sfw: true instead of a bare vp install.
  • release-pr.yml: version bump only (this workflow has no install step).

Notes on differences from the source PR

The npmx PR also touched deploy-canary.yml (adds SocketDev/action) and lunaria.yml, plus a .github/zizmor.yml line-reference tied to lunaria. This repo has neither workflow, and our .github/zizmor.yml has no stale-action-refs entry, so those parts don't apply here.

The pinned v1.12.0 SHA (2dec1e33f4ab2c6d5bce1b0c4607961bb1a3f7a1) was verified against the upstream v1.12.0 tag. All edited workflow files were validated as parseable YAML.


View with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is enabled.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Workflow trigger] --> B[actions/checkout]
    B --> C[voidzero-dev/setup-vp v1.12.0]
    C --> D{run-install?}
    D -->|false| E[Toolchain only\nNo packages installed]
    D -->|default / config| F[Activate sfw interceptor]
    F --> G[Run package install\nvp install with args]
    G --> H{Package flagged\nby Socket?}
    H -->|Yes - known malicious| I[❌ Install fails\nWorkflow blocked]
    H -->|No| J[✅ Packages installed\nWorkflow continues]
    E --> K[Downstream steps\ne.g. version/tag in release-tag.yml]
    K --> L[Second setup-vp call\nwith sfw:true]
    L --> F

    style I fill:#ff4444,color:#fff
    style J fill:#44bb44,color:#fff
    style F fill:#ff8800,color:#fff
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[Workflow trigger] --> B[actions/checkout]
    B --> C[voidzero-dev/setup-vp v1.12.0]
    C --> D{run-install?}
    D -->|false| E[Toolchain only\nNo packages installed]
    D -->|default / config| F[Activate sfw interceptor]
    F --> G[Run package install\nvp install with args]
    G --> H{Package flagged\nby Socket?}
    H -->|Yes - known malicious| I[❌ Install fails\nWorkflow blocked]
    H -->|No| J[✅ Packages installed\nWorkflow continues]
    E --> K[Downstream steps\ne.g. version/tag in release-tag.yml]
    K --> L[Second setup-vp call\nwith sfw:true]
    L --> F

    style I fill:#ff4444,color:#fff
    style J fill:#44bb44,color:#fff
    style F fill:#ff8800,color:#fff
Loading

Reviews (2): Last reviewed commit: "ci: document two-step setup-vp pattern i..." | Re-trigger Greptile

Bump voidzero-dev/setup-vp to v1.12.0 and opt in to Socket Firewall Free
via sfw: true on every job that installs dependencies. Using sfw wraps the
package install so any known-malicious package version is blocked at download
time and fails the install, adding a layer of protection against npm supply
chain attacks.

See https://docs.socket.dev/docs/socket-firewall-free. Built-in setup-vp
support was added upstream in voidzero-dev/setup-vp#72.

- ci.yml: convert the lint job's separate vp install step to the setup-vp
  run-install config, and add sfw: true to every dependency-installing job
- autofix.yml, chromatic.yml: bump + sfw: true
- chromatic.yml: drop the global pnpm install and pass buildCommand/outputDir
  to chromaui/action directly so it no longer needs to detect the package
  manager
- release-tag.yml: install dependencies through setup-vp run-install with sfw
- release-pr.yml: version bump only (no install step)

Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
@codecov

codecov Bot commented Jun 28, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.54%. Comparing base (bd3107e) to head (f6ac8fb).
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #254   +/-   ##
=======================================
  Coverage   68.54%   68.54%           
=======================================
  Files         122      122           
  Lines        2651     2651           
  Branches      572      572           
=======================================
  Hits         1817     1817           
  Misses        433      433           
  Partials      401      401           
Flag Coverage Δ
component 57.74% <ø> (ø)
unit 68.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@codspeed-hq

codspeed-hq Bot commented Jun 28, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 44 untouched benchmarks


Comparing ci/use-socket-firewall-free (f6ac8fb) with main (bd3107e)

Open in CodSpeed

Comment thread .github/workflows/chromatic.yml
Comment thread .github/workflows/release-tag.yml
Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
@greptile-apps

greptile-apps Bot commented Jun 28, 2026

Copy link
Copy Markdown

Want your agent to iterate on Greptile's feedback? Try greploops.

@RedStar071
RedStar071 requested a review from lorypelli June 28, 2026 10:55
@RedStar071
RedStar071 merged commit 342694d into main Jun 28, 2026
24 checks passed
@RedStar071
RedStar071 deleted the ci/use-socket-firewall-free branch June 28, 2026 13:02
@github-actions github-actions Bot mentioned this pull request Jun 28, 2026

@lorypelli lorypelli left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

RedStar071 added a commit that referenced this pull request Jun 30, 2026
This PR will deploy the following changes to production
(`wolfstar.rocks`).

**Next version: `v0.8.0`** (current: `v0.7.4`)

### Features

- feat(ui): add WolfStar logo mark to header with accessibility tests
(#252) (`581a22bd`)
- feat: bootstrap Storybook and Chromatic integration (#209)
(`bd3107ea`)
- feat(ui): add WolfStar logo mark to header (#251) (`df3d7a88`)
- feat(auth): make session cookie name configurable per deployment
(#250) (`3b408d0e`)
- feat: add session refresh on app mount and document visibility (#248)
(`fadf006b`)
- feat(feedback): prefill dashboard feedback from OAuth email (#241)
(`b4c9d067`)
- feat(sentry): add Sentry user feedback with custom site design (#239)
(`9478a08d`)
- feat(discord): enhance manageable guild filtering and loading state
handling (#236) (`13113c53`)
- feat(dashboard): dashboard audit log system with slideover UI (#144)
(`2e3b629d`)

### Fixes

- fix(sentry): delete client source maps after upload to prevent public
exposure (#243) (`1a6125e6`)
- fix(ui): align feedback and scroll-to-top floating buttons (#240)
(`8a06d1d0`)

### Other Changes

- docs: restructure contributing guide and add zizmor dev tasks (#258)
(`608a9a5d`)
- test(a11y): consolidate app component accessibility audits into
a11y.spec (#257) (`c13329b0`)
- chore(deps): update Prisma to v7.8.0 and TypeScript to v6.0.3 (#256)
(`cc62791e`)
- chore(deps): update all non-major dependencies (#205) (`19cfb004`)
- chore(deps): update devdependency @shelve/cli to v5 (#160)
(`ead2b558`)
- chore(deps): update devdependency @e18e/eslint-plugin to v0.5.0 (#207)
(`6295e7e3`)
- ci: block compromised npm packages with Socket Firewall Free (#254)
(`342694dc`)
- ci: migrate workflows to Blacksmith runners (#253) (`69264375`)
- refactor: replace intersection observer with scroll-driven animations
(#247) (`b015ab4e`)
- chore: update skills skilld (#249) (`a69d33c9`)
- chore(deps): update dependency vite-plus to v0.1.22 (#174)
(`2662f244`)
- chore(deps): update nuxt core (#196) (`182f3dec`)
- chore(deps): update devdependency jsdom to v29 (#208) (`93e426bb`)
- chore(docs): consolidate agent instructions and add design lint (#246)
(`856192bf`)
- chore(docs): update AGENTS.md to reflect recent changes (#245)
(`b8d5a73f`)
- chore(docs): update AGENTS.md to reflect recent changes (#242)
(`03083f6e`)

---

> Merging this PR will:
> - Deploy to `wolfstar.rocks` via Netlify
> - Create a `v0.8.0` tag and GitHub Release
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants