Skip to content

feat(supply-chain): upgrade pnpm to 11, workspace updates, deps and a…#1017

Closed
tylermorrisford wants to merge 1 commit into
mainfrom
FEC-963-td-security
Closed

feat(supply-chain): upgrade pnpm to 11, workspace updates, deps and a…#1017
tylermorrisford wants to merge 1 commit into
mainfrom
FEC-963-td-security

Conversation

@tylermorrisford

@tylermorrisford tylermorrisford commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

FEC-963 Supply Chain Hardening

Pilot supply chain hardening for this repo as part of FEC-964. Applies the full set of hardening measures described in the epic.

Changes

pnpm v11 upgrade

Bumped packageManager from pnpm@10.18.2 to pnpm@11.10.0. pnpm v11 ships with supply chain protections built-in that back the settings below.

Supply chain settings in pnpm-workspace.yaml

Added explicit security configuration at the workspace level:

  • minimumReleaseAge: 1440 — new package versions must be at least 24 hours old before pnpm will install them, guarding against "package planting" attacks on freshly published versions.
  • minimumReleaseAgeExclude — bypasses the age check for all @commercetools/*, @commercetools-frontend/*, @commercetools-backend/*, and @commercetools-uikit/* packages so internal releases aren't gated.
  • blockExoticSubdeps: true — prevents installation of dependencies with unusual or non-standard resolution strategies.
  • allowBuilds — explicit allowlist controlling which packages can run lifecycle scripts (postinstall/install) during pnpm install. See note below.

allowBuilds exceptions

Three packages declared lifecycle scripts and were surfaced by pnpm approve-builds after the initial install. All three were set to false (blocked):

  • core-js and core-js-pure — their postinstall script only prints a donation/sponsor message; the packages function correctly without running it.
  • esbuild — since esbuild 0.17+, the platform-specific binary is delivered via optional dependencies (@esbuild/darwin-arm64, @esbuild/linux-x64, etc.), which pnpm already resolves. The postinstall script is only a fallback for package managers that skip optional deps; it is not needed here.

Exact dependency pinning

Removed all ^ ranges from direct dependencies and replaced them with the exact versions already present in the lockfile. Affected packages:

  • Root package.json: @babel/core, @types/jest, babel-plugin-module-resolver, find-up, prettier-jest, tsc-files
  • standalone/package.json: @babel/runtime, @babel/runtime-corejs3, @commercetools-frontend/application-config, @commercetools-frontend/constants, @faker-js/faker, @types/lodash, lodash, omit-deep

generators/package.json was already fully pinned.

GitHub Actions pinned to commit SHAs

All action references in all three workflow files (main.yml, pull-request.yml, release.yml) are now pinned to full-length commit SHAs with trailing version comments, preventing tag-mutation attacks:

  • actions/checkout93cb6efe...
  • pnpm/action-setup41ff7265...
  • actions/setup-node49933ea5...
  • tibdex/github-app-token3beb63f4...
  • changesets/actiona45c4d59...

Renovate config

Added "github>commercetools/renovate-config" as the first entry in renovate.json's extends array so this repo inherits the shared security presets introduced in FEC-962. Existing local rules are preserved.

@changeset-bot

changeset-bot Bot commented Jul 8, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 13c2af1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@orca-security-eu orca-security-eu Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Orca Security Scan Summary

Status Check Issues by priority
Passed Passed Infrastructure as Code high 0   medium 0   low 0   info 0 View in Orca
Passed Passed SAST high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Secrets high 0   medium 0   low 0   info 0 View in Orca
Failed Failed Vulnerabilities high 3   medium 1   low 0   info 0 View in Orca
☢️ The following Vulnerabilities (CVEs) have been detected
PACKAGE FILE CVE ID INSTALLED VERSION FIXED VERSION
critical form-data ./pnpm-lock.yaml CVE-2025-7783 4.0.2 2.5.4, 3.0.4, 4.0.4 View in code
high immutable ./pnpm-lock.yaml CVE-2026-29063 3.7.6 4.3.8, 5.1.5, 3.8.3 View in code
high rollup ./pnpm-lock.yaml CVE-2026-27606 2.79.2 2.80.0, 3.30.0, 4.59.0 View in code
high tmp ./pnpm-lock.yaml CVE-2026-44705 0.0.33 0.2.6 View in code

@tylermorrisford tylermorrisford requested review from a team, ByronDWall and valoriecarli July 8, 2026 18:16
@tylermorrisford

Copy link
Copy Markdown
Contributor Author

Closing this in favor of working with a clean and up-to-date branch, like a normal human being
👉 #1018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant