Conversation
β¦ons SHA pinning - Upgrade pnpm from 10.18.2 to 10.33.4 (package.json, mise.toml) - Enable pnpm 10 security features in pnpm-workspace.yaml: strictDepBuilds, allowBuilds, minimumReleaseAge (7 days), trustPolicy (no-downgrade), blockExoticSubdeps - Add save-prefix='' to .npmrc - Pin third-party GitHub Actions to commit SHAs: jdx/mise-action@v3, aws-actions/configure-aws-credentials@v4 - Add security-audit.yaml reusable workflow (pnpm audit) - Wire security audit into test pipeline
Author
π€ Devin AI EngineerI'll be helping with this pull request! Here's what you should know: β I will automatically:
Note: I can only respond to comments from users who have write access to this repository. βοΈ Control Options:
|
β¦rce in CI - Bump @trpc/server and @trpc/client 11.6.0 β 11.17.0 in catalog (CVE-2025-68130 / GHSA-43p4-m455-4f4j, prototype pollution in experimental_nextAppDirCaller) - Bump vite 7.1.9 β 7.3.2 in catalog (GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583 dev-server fs.deny bypass and WS arbitrary file read). 7.3.3 is <7d old, blocked by minimumReleaseAge: 10080. - Add pnpm.overrides for transitive vulns with no direct upgrade path: - fast-xml-parser β₯5.5.6 (CVE-2026-25128/-25896/-26278/-33036, via @aws-sdk/client-sfn β @aws-sdk/xml-builder) - picomatch β₯4.0.4 (ReDoS, transitive via vite/chokidar) - path-to-regexp β₯8.4.0 (DoS via sequential optional groups, transitive via express β router) - vite β₯7.3.2 (catalog bump alone left vitest's transitive vite at 7.3.1) - Remove `continue-on-error: true` from .github/workflows/security-audit.yaml so any future high/critical advisory blocks the build. workflow_call audit-level input remains so downstream consumers can configure their bar. Verification: - `pnpm audit --audit-level high` β 0 advisories - `pnpm run -r typecheck` β green - `pnpm run -r test` β green - `pnpm lint` β green Plan: docs/plans/2026-05-11-001-feat-enforce-pnpm-audit-and-fix-vulns-plan.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PavolJediny
approved these changes
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I have created this PR because
This applies supply chain security hardening to the purple-stack monorepo, following the patterns established in my-axiory PR #8946 and prop-tech-engine PR #1604.
A follow-up commit on this branch goes further than the source PRs: because this is a template repo with no legacy debt, we both (a) cleared every existing high/critical advisory and (b) flipped the audit job to fail on any new finding.
Changes
pnpm upgrade (10.18.2 β 10.33.4)
packageManagerinpackage.jsonandmise.tomlpnpm 10 security features (
pnpm-workspace.yaml)strictDepBuildstrueallowBuildsesbuild: true, telemetry scripts blockedminimumReleaseAge10080(7 days)minimumReleaseAgeExclude@purple/*,@package/*trustPolicyno-downgradeblockExoticSubdepstrueCI hardening
jdx/mise-action@v3,aws-actions/configure-aws-credentials@v4) β GitHub-owned actions (actions/*) left on version tags per conventionsave-prefix=''to.npmrc(complements existingsave-exact=true)security-audit.yamlreusable workflow (pnpm audit), wired into the test pipelineAudit enforcement & vulnerability fixes (commit
213fe38)The initial commit shipped
pnpm auditwithcontinue-on-error: true(the same posture as our app repos, which need a grace period before fixing inherited vulns). For a template repo we can be stricter: zero high/critical advisories and a hard-fail CI gate, so the template never seeds new repos with known vulns.Cleared 1 critical + 9 high advisories:
@trpc/servervitefast-xml-parserpnpm.overrides>=5.5.6@aws-sdk/client-sfnpicomatchpnpm.overrides>=4.0.4vite/chokidar (ReDoS)path-to-regexppnpm.overrides>=8.4.0expressβrouter(DoS)Approach decisions:
pnpm.overridesfor transitives. Forcing the resolution is more honest than chasing a direct-dep version that happens to pull the patched transitive β it makes the fix explicit and easy to remove when upstream catches up.viteis in both places. The catalog bump alone leftvitest's bundledviteat 7.3.1, so it also lives inpnpm.overrides.vite@7.3.2even though7.3.3exists β7.3.3was published 2026-05-07 and is blocked by ourminimumReleaseAge: 10080(7 days).7.3.2is the highest version old enough to pass the gate, and it still satisfies the advisorypatched_versions: >=7.3.2.continue-on-error: truefromsecurity-audit.yaml. Theworkflow_callaudit-levelinput remains so downstream consumers of this template can configure their own bar.After the fix:
pnpm audit --audit-level highβ 0 advisories (10 moderate remain, by design βaudit-levelishigh).Plan document:
docs/plans/2026-05-11-001-feat-enforce-pnpm-audit-and-fix-vulns-plan.mdVerification
pnpm installβ clean resolve, lockfile updatedpnpm run -r typecheckβ pass (catches any@trpc/server11.6 β 11.17 type drift)pnpm run -r testβ passpnpm lintβ passpnpm audit --audit-level highβ0 high, 0 criticalsecurity-auditjob β must be green for this PR to merge (proves the fixes hold and the gate works)Not in scope
audit-levelremainshighby designOperational notes
If a new high/critical advisory drops for a dep with no patched version yet, CI will go red and block merges β this is the explicit accepted tradeoff. Options for the PR author at that point: (a) downgrade the dep, (b) add a pinned
pnpm.overridesto a non-vulnerable version, (c) temporarily raiseaudit-leveltocriticalin a focused, time-boxed PR. There is intentionally no pre-built escape hatch (allowlist, advisory-ignore file) β keep the signal honest.Human review checklist
allowBuildslist is complete β onlyesbuildwas flagged duringpnpm install; if your project has other deps with postinstall scripts, they'll need to be addedminimumReleaseAgeExcludecovers all internal package scopes you usejdx/mise-actionandaws-actions/configure-aws-credentials(resolved from rolling major tagsv3/v4)pnpm.overridesblock in rootpackage.jsonis the right home (vs.overrides:inpnpm-workspace.yaml) β both work on pnpm 10@trpc/server11.6 β 11.17 didn't change any router/handler shape we rely on (typecheck already passed; runtime smoke-test on deploy)Post-Deploy Monitoring & Validation
No additional production monitoring required β this PR is build-time/CI-only. Validation surface is the CI run on this branch:
test.yaml > testshould remain green (proves@trpc/server11.17 andvite7.3.2 don't break the workspace)test.yaml > security-auditshould be green (proves U1+U2 cleared every high/critical finding and the now-blocking gate works)If either goes red on this PR or a future one, the failure log itself is the actionable signal β no dashboard or external metric to watch.
Link to Devin session: https://app.devin.ai/sessions/e6f9d0be409943c4b66901239f3246e4