17 changes: 12 additions & 5 deletions .github/workflows/code-coverage.yaml
Expand Up @@ -21,24 +21,31 @@ jobs:

steps:
- uses: actions/checkout@v4

- name: Install pnpm
uses: pnpm/action-setup@v6

@aikido-pr-checks aikido-pr-checks Bot Jun 20, 2026

3rd party GitHub Actions should be pinned - high severity
A third-party GitHub Action was imported and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks if the affected GitHub Action is compromised.

Suggested change
uses: pnpm/action-setup@v6
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6

Reply @AikidoSec ignore: [REASON] to ignore this issue.


- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 24
cache: 'pnpm'

- name: Enable Corepack
run: corepack enable

- name: Install Dependencies
run: npm install pnpm -g && pnpm install
run: pnpm install

- name: Build
- name: Build
run: pnpm build

- name: Testing
- name: Testing
run: pnpm test:ci

- name: Code Coverage
uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: Hyphen/nodejs-toggle-sdk
files: ./coverage/lcov.info
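Review bot: besides the unpinned `pnpm/action-setup@v6` flagged above, `codecov/codecov-action@v5` on the `Code Coverage` step is also a third-party action referenced by a mutable tag, and that step receives `secrets.CODECOV_TOKEN`; pin it to a full commit SHA with the tag kept as a trailing comment, the same way the suggestion above does for pnpm. The `Install pnpm` step passes no `version:` input, so the action resolves the version from the `packageManager` field this PR adds to package.json, which is the right single source of truth; if that action-installed binary is the one meant to run, the separate `Enable Corepack` step that follows is redundant and could be dropped so only one pnpm installation path exists in the job.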

17 changes: 12 additions & 5 deletions .github/workflows/release.yaml
Expand Up @@ -6,7 +6,7 @@ on:
types: [released]

permissions:
contents: read
contents: read

env:
HYPHEN_PUBLIC_API_KEY: ${{ secrets.HYPHEN_PUBLIC_API_KEY }}
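Review bot: the `contents: read` line looks unchanged apart from whitespace, and read-only scope is the right least-privilege default for this workflow; note however that the workflow-level `env:` block makes `HYPHEN_PUBLIC_API_KEY` visible to every step in every job, including the third-party actions, so it should be moved to `env:` on the single step that actually needs it.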
Expand All @@ -19,18 +19,26 @@ jobs:

steps:
- uses: actions/checkout@v4

- name: Install pnpm
uses: pnpm/action-setup@v6

@aikido-pr-checks aikido-pr-checks Bot Jun 20, 2026

3rd party GitHub Actions should be pinned - high severity
A third-party GitHub Action was imported and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks if the affected GitHub Action is compromised.

Suggested change
uses: pnpm/action-setup@v6
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6

Reply @AikidoSec ignore: [REASON] to ignore this issue.


- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 24
cache: 'pnpm'

- name: Enable Corepack
run: corepack enable

- name: Install Dependencies
run: npm install pnpm -g && pnpm install
run: pnpm install

- name: Build
- name: Build
run: pnpm build

- name: Testing
- name: Testing
run: pnpm test:ci

- name: Publish
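Review bot: the unpinned `pnpm/action-setup@v6` matters most in this file, because the same job goes on to run `npm publish` with `NPM_TOKEN`; any code executed by a hijacked tag of that action runs in a job that can publish the package, so apply the SHA pin suggested above here first. Since the job now depends on the `packageManager` field in package.json for the pnpm version, keep that field and this workflow in step when bumping pnpm.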
Expand All @@ -39,4 +47,3 @@ jobs:
npm publish --ignore-scripts --access public
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
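Review bot: `npm publish --ignore-scripts` is a sensible default that keeps lifecycle scripts from running during publish, but the step still authenticates with a long-lived `NPM_TOKEN` stored as a repository secret. Consider switching to npm trusted publishing over OIDC, which requires adding `id-token: write` to the job's `permissions` and removes the stored token entirely; until then, confirm the token is a granular, publish-only token scoped to this one package.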

17 changes: 12 additions & 5 deletions .github/workflows/tests.yaml
Expand Up @@ -21,21 +21,28 @@ jobs:

strategy:
matrix:
node-version: ['22', '24']
node-version: ['22', '24', '26']

steps:
- uses: actions/checkout@v4

- name: Install pnpm
uses: pnpm/action-setup@v6

@aikido-pr-checks aikido-pr-checks Bot Jun 20, 2026

3rd party GitHub Actions should be pinned - high severity
A third-party GitHub Action was imported and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks if the affected GitHub Action is compromised.

Suggested change
uses: pnpm/action-setup@v6
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6

Reply @AikidoSec ignore: [REASON] to ignore this issue.


- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'

- name: Enable Corepack
run: corepack enable

- name: Install Dependencies
run: npm install pnpm -g && pnpm install
run: pnpm install

- name: Build
- name: Build
run: pnpm build

- name: Testing
- name: Testing
run: pnpm test:ci
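Review bot: the `Install Dependencies` step now runs a bare `pnpm install`; pnpm does default to a frozen lockfile when it detects a CI environment, but making that explicit with `pnpm install --frozen-lockfile` guarantees the job fails rather than silently re-resolving dependencies if pnpm-lock.yaml is out of date, which is the behaviour you want when the point of the lockfile is supply-chain reproducibility. Adding `'26'` to the matrix is fine, but the same SHA-pinning of `pnpm/action-setup` applies to every matrix leg.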

3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -54,5 +54,6 @@
],
"dependencies": {
"hookified": "^2.1.1"
}
},
"packageManager": "pnpm@11.8.0+sha512.c1f5e7c4cb241c8f174b743851d82f42b802324afc8b0f116b96adb15aa06664948dde36960a3ba1079ba5b4b29dd0140135b94b5b5f5263592249d68e555f26"
Comment on lines 55 to +58

high

To correctly configure allowed builds in pnpm 11, define allowBuilds as an array of package names under the "pnpm" field in your root package.json.

  "dependencies": {
    "hookified": "^2.1.1"
  },
  "pnpm": {
    "allowBuilds": [
      "@swc/core",
      "esbuild",
      "unrs-resolver"
    ]
  },
  "packageManager": "pnpm@11.8.0+sha512.c1f5e7c4cb241c8f174b743851d82f42b802324afc8b0f116b96adb15aa06664948dde36960a3ba1079ba5b4b29dd0140135b94b5b5f5263592249d68e555f26"

}
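Review bot: the `packageManager` field pins pnpm to 11.8.0 together with a sha512 integrity hash, which lets Corepack verify the downloaded package manager before executing it, and the `}` to `},` edit keeps the JSON valid; good. If, following the inline comment above, the `allowBuilds` list is moved under a `pnpm` field here, remove it from pnpm-workspace.yaml in the same change so there is exactly one build-script allowlist to audit.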
8 changes: 4 additions & 4 deletions pnpm-workspace.yaml
@@ -1,5 +1,5 @@
allowBuilds:
'@swc/core': true
esbuild: true
unrs-resolver: true
minimumReleaseAge: 2880
Comment on lines +1 to 5

high

In pnpm, configuration options like allowBuilds (or the deprecated onlyBuiltDependencies) are not supported in pnpm-workspace.yaml. Placing them here will cause pnpm to ignore them, which can lead to ERR_PNPM_IGNORED_BUILDS errors during installation because the build scripts for @swc/core, esbuild, and unrs-resolver won't be allowed to run.

Additionally, in pnpm 11, allowBuilds is defined as an array of package names (strings), rather than a map of package names to booleans.

These configurations should be moved to the root package.json under the "pnpm" field, or defined in .npmrc as allow-builds.

minimumReleaseAge: 2880

onlyBuiltDependencies:
- '@swc/core'
- esbuild
- unrs-resolver
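Review bot: the hunk rewrites the build-script allowlist from the `onlyBuiltDependencies` list to an `allowBuilds` map and keeps `minimumReleaseAge: 2880`; the latter (48 hours, in minutes) delays installation of freshly published versions and is a worthwhile defence against short-lived malicious releases, so it should stay. Because the inline comment above disputes whether pnpm reads this key, in this shape, from pnpm-workspace.yaml, verify against the pinned pnpm 11.8.0 with a clean-checkout `pnpm install`: if the build scripts of `@swc/core`, `esbuild` and `unrs-resolver` are skipped or an `ERR_PNPM_IGNORED_BUILDS` error appears, the allowlist is not being applied and the configuration needs to move to the location and format the comment describes.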