Skip to content

feat(supply-chain): upgrade pnpm to 11, workspace updates, deps and a…#1018

Merged
tylermorrisford merged 1 commit into
mainfrom
FEC-963-supply-chain
Jul 8, 2026
Merged

feat(supply-chain): upgrade pnpm to 11, workspace updates, deps and a…#1018
tylermorrisford merged 1 commit into
mainfrom
FEC-963-supply-chain

Conversation

@tylermorrisford

@tylermorrisford tylermorrisford commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

FEC-963 Supply Chain Hardening

Pilot supply chain hardening for this repo as part of FEC-964. Applies the full set of hardening measures described in the epic.

Changes

pnpm v11 upgrade

Bumped packageManager from pnpm@10.25.0 to pnpm@11.10.0. pnpm v11 ships with supply chain protections built-in that back the settings below.

Supply chain settings in pnpm-workspace.yaml

Added explicit security configuration at the workspace level:

  • minimumReleaseAge: 1440 — new package versions must be at least 24 hours old before pnpm will install them, guarding against "package planting" attacks on freshly published versions.
  • minimumReleaseAgeExclude — bypasses the age check for all @commercetools/*, @commercetools-frontend/*, @commercetools-backend/*, and @commercetools-uikit/* packages so internal releases aren't gated.
  • blockExoticSubdeps: true — prevents installation of dependencies with unusual or non-standard resolution strategies.
  • allowBuilds — explicit map controlling which packages can run lifecycle scripts (postinstall/install) during pnpm install. See note below.

allowBuilds exceptions

Six packages declared lifecycle scripts and were surfaced by pnpm approve-builds after install. All six were set to false (blocked):

  • core-js and core-js-pure — their postinstall script only prints a donation/sponsor message; the packages function correctly without running it.
  • esbuild, @swc/core, sharp, and unrs-resolver — all four are native binary packages that distribute platform-specific builds via optional dependencies (@esbuild/darwin-arm64, @swc/core-darwin-arm64, @img/sharp-darwin-arm64, @unrs/resolver-*, etc.). pnpm resolves the correct optional dep during install, making their postinstall scripts redundant fallbacks for package managers that skip optionals.

Exact dependency pinning

Removed all ^ ranges from direct dependencies and replaced them with the exact versions already present in the lockfile. Affected packages:

  • Root package.json: @babel/core, @types/jest, babel-plugin-module-resolver, find-up, prettier-jest, tsc-files
  • standalone/package.json: @babel/runtime, @babel/runtime-corejs3, @commercetools-frontend/application-config, @commercetools-frontend/constants, @faker-js/faker, @types/lodash, lodash, omit-deep

generators/package.json was already fully pinned.

GitHub Actions pinned to commit SHAs

All action references in all three workflow files (main.yml, pull-request.yml, release.yml) are now pinned to full-length commit SHAs with trailing version comments, preventing tag-mutation attacks:

  • actions/checkoutdf4cb1c0...
  • pnpm/action-setup41ff7265...
  • actions/setup-node48b55a01...
  • tibdex/github-app-token3beb63f4...
  • changesets/actiona45c4d59...

Renovate config

No changes required — renovate.json on main already has the full shared-config structure with github>commercetools/renovate-config and the relevant library/platform presets.

@changeset-bot

changeset-bot Bot commented Jul 8, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 641a7aa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@tylermorrisford tylermorrisford merged commit 13713e8 into main Jul 8, 2026
5 checks passed
@tylermorrisford tylermorrisford deleted the FEC-963-supply-chain branch July 8, 2026 20:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants