Skip to content

Fix Semgrep policy findings#647

Merged
will-lamerton merged 1 commit into
Nano-Collective:mainfrom
Dhirenderchoudhary:fix/semgrep-policy-findings
Jul 9, 2026
Merged

Fix Semgrep policy findings#647
will-lamerton merged 1 commit into
Nano-Collective:mainfrom
Dhirenderchoudhary:fix/semgrep-policy-findings

Conversation

@Dhirenderchoudhary

Copy link
Copy Markdown
Contributor

Description

Fixes repo-wide Semgrep policy findings in CI and package-manager configuration.

This PR hardens the repository by:

  • pinning GitHub Actions to full commit SHAs instead of mutable tags like @v4
  • adding a 7-day Dependabot cooldown
  • adding npm and pnpm release-age delays
  • enabling pnpm trust and exotic subdependency protections

The 7-day values come directly from the Semgrep findings:

  • Dependabot: cooldown.default-days: 7
  • npm: min-release-age=7
  • pnpm: minimumReleaseAge: 10080

10080 minutes equals 7 days.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Testing

Automated Tests

  • New features include passing tests in .spec.ts/tsx files
  • All existing tests pass (pnpm test:all completes successfully)
  • Tests cover both success and error scenarios

Ran:

pnpm run test:security

Result:

Findings: 0 (0 blocking)
Ran 332 rules on 517 files: 0 findings.

Manual Testing

  • Tested with Ollama
  • Tested with OpenRouter
  • Tested with OpenAI-compatible API
  • Tested MCP integration (if applicable)

Manual provider/MCP testing is not applicable because this PR only changes CI and package-manager security policy configuration.

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Documentation updated (if needed)
  • No breaking changes (or clearly documented)
  • Appropriate logging added using structured logging (see CONTRIBUTING.md)

Structured logging is not applicable because this PR does not add runtime application code.

@Dhirenderchoudhary

Dhirenderchoudhary commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@will-lamerton I’ve opened a Semgrep hardening PR as discussed.

It addresses the repo-level findings by:

  • pinning GitHub Actions to full commit SHAs
  • adding Dependabot 7-day cooldown
  • adding npm/pnpm 7-day release-age delay
  • enabling pnpm blockExoticSubdeps and trustPolicy: no-downgrade

I verified it locally with:

pnpm run test:security

@Dhirenderchoudhary Dhirenderchoudhary marked this pull request as ready for review July 9, 2026 06:27
@will-lamerton will-lamerton merged commit e660f85 into Nano-Collective:main Jul 9, 2026
8 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants