chore: harden supply-chain security for yarn-based monorepo #577
Open
akudev wants to merge 1 commit into
Pull request overview
This PR hardens the monorepo’s Yarn-based dependency supply chain by tightening version pinning, adding lockfile integrity checks, and making CI installs deterministic.
Changes:
- Add Renovate configuration to gate updates by release age, pin dependency ranges, and perform scheduled lockfile maintenance.
- Pin `packages/dts-generator` dependencies to exact versions and regenerate `yarn.lock` accordingly.
- Add lockfile host validation via `lockfile-lint`, add `.yarnrc` defaults, and enforce `--frozen-lockfile` in GitHub Actions workflows.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| yarn.lock | Updates lockfile entries to reflect pinned specifiers and adds new deps for lockfile linting. |
| renovate.json | Introduces Renovate policy for minimum release age, pinning, grouping, and maintenance. |
| packages/dts-generator/package.json | Replaces range/latest specifiers with exact versions for safer, deterministic installs. |
| package.json | Adds lockfile-lint dependency and runs lockfile validation as part of ci. |
| .yarnrc | Sets defaults to pin added dependencies, configure registry, and attempt to enforce frozen lockfile installs. |
| .github/workflows/release.yml | Uses yarn --frozen-lockfile and updates pinned action version comments. |
| .github/workflows/commitlint.yml | Updates pinned action version comments. |
| .github/workflows/codeql-analysis.yml | Updates pinned action version comments. |
| .github/workflows/ci.yml | Uses yarn --frozen-lockfile and updates pinned action version comments. |
Add layered defenses against dependency supply-chain attacks:

- .yarnrc: enforce frozen-lockfile, pin exact versions on add, and lock registry to yarnpkg.com
- renovate.json: 7-day minimumReleaseAge (the only install-time age gate available for yarn projects), pin strategy, weekly lockfile maintenance
- lockfile-lint: validate yarn.lock resolved URLs point to the expected registry (guards against lockfile poisoning in PRs)
- Pin all dependency ranges in dts-generator to exact versions resolved from the current lockfile, including replacing dangerous "latest" specifiers
- Regenerate yarn.lock to match the newly pinned specifiers
- CI workflows: add --frozen-lockfile to all yarn invocations (prevents non-deterministic installs); update GH Actions SHA comments from major-only (# v4) to specific version (# v4.3.1) for auditable record

Yarn Classic lacks npm's allow-git and min-release-age settings entirely, so Renovate's minimumReleaseAge + frozen-lockfile + code review are the compensating controls.
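As an added example (not code from PR #577 or the project), a small Node script that implements the two checks the commit message describes: flag `yarn.lock` `resolved` URLs whose host is not `registry.yarnpkg.com` (the lockfile-poisoning guard lockfile-lint provides) and list `package.json` specifiers that are ranges or `latest` rather than exact pins. The lockfile and package.json contents are constructed sample data, and `lockfile-lint` itself is not used here.

```javascript
// Added example, not code from PR #577 or the project: audits a Yarn Classic
// yarn.lock for "resolved" URLs off the expected registry and a package.json
// for non-exact specifiers (ranges, "latest"). All sample data is constructed.

const ALLOWED_HOSTS = new Set(['registry.yarnpkg.com']);

// Parse Yarn Classic (v1) blocks: unindented header ending in ':' + indented fields.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      current = { name: line.slice(0, -1).replace(/"/g, ''), resolved: null };
      entries.push(current);
    } else if (current && line.trim().startsWith('resolved ')) {
      current.resolved = line.trim().slice('resolved '.length).replace(/"/g, '');
    }
  }
  return entries;
}

// Names of entries whose host is off the allow-list, whose URL does not parse,
// or that carry no resolved URL at all (a committed lockfile should have one).
function findBadHosts(lockText, allowed = ALLOWED_HOSTS) {
  return parseYarnLock(lockText)
    .filter((e) => {
      if (!e.resolved) return true;
      try { return !allowed.has(new URL(e.resolved).hostname); } catch { return true; }
    })
    .map((e) => e.name);
}

// Dependency names whose specifier is not an exact x.y.z(-prerelease) version.
function findUnpinned(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const all = { ...pkg.dependencies, ...pkg.devDependencies };
  return Object.keys(all).filter((name) => !exact.test(all[name]));
}

// Constructed sample: one clean entry, one resolved from a foreign host.
const SAMPLE_LOCK = `# yarn lockfile v1
left-pad@1.3.0:
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7"
"@scope/pkg@^2.0.0":
  resolved "https://mirror.example.invalid/pkg/-/pkg-2.1.0.tgz#deadbeef"
`;
const SAMPLE_PKG = { dependencies: { 'left-pad': '1.3.0', typescript: '^5.4.0', chalk: 'latest' } };
console.log({ offRegistry: findBadHosts(SAMPLE_LOCK), unpinned: findUnpinned(SAMPLE_PKG) });
```

In CI this would fail the build when either list is non-empty, which is the same gate the PR's `lockfile-lint` step and `--frozen-lockfile` installs provide together.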