chore: harden supply-chain security for yarn-based monorepo

.github/workflows/ci.yml

@@ -29,15 +29,15 @@ jobs:
           - 22.x
           - 24.x
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number) || '' }}
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node_version }}
 
       - name: Install dependencies
-        run: yarn
+        run: yarn --frozen-lockfile
 
       - name: Build
         run: yarn run ci

.github/workflows/codeql-analysis.yml

@@ -44,13 +44,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number) || '' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3
+        uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,7 +61,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3
+        uses: github/codeql-action/autobuild@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -75,4 +75,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3
+        uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3

.github/workflows/commitlint.yml

@@ -25,8 +25,8 @@ jobs:
   commitlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number) || '' }}
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1

.github/workflows/release.yml

@@ -16,16 +16,16 @@ jobs:
       github.event_name == 'workflow_dispatch' ||
       (github.event_name == 'push' && contains(github.event.head_commit.message, 'chore(release): publish'))
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 24.15.0
 
       - name: Install dependencies
-        run: yarn
+        run: yarn --frozen-lockfile
 
       - name: Build
         run: yarn build

.yarnrc

@@ -0,0 +1,11 @@
+# Supply-chain hardening
+
+# Fail if yarn.lock is out of sync with package.json.
+# Prevents non-deterministic installs in CI and local dev.
+--install.frozen-lockfile true
+
+# Pin exact versions on yarn add (no ^ or ~ prefix).
+save-prefix ""
+
+# Explicit registry — prevents dependency confusion.
+registry "https://registry.yarnpkg.com"

package.json

@@ -15,10 +15,11 @@
     "release:publish-manual": "lerna publish from-package --yes --no-verify-access",
     "build": "lerna run build",
     "preci": "lerna run build",
-    "ci": "npm-run-all format:validate ci:subpackages",
+    "ci": "npm-run-all format:validate lint:lockfile ci:subpackages",
     "format:fix": "prettier --write \"**/*.@(ts|js|json|md|yml)\"",
     "format:validate": "prettier --check \"**/*.@(ts|js|json|md|yml)\"",
     "ci:subpackages": "lerna run ci",
+    "lint:lockfile": "lockfile-lint --path yarn.lock --type yarn --allowed-hosts yarn --validate-https",
     "prepare": "husky",
     "hooks:pre-commit": "lint-staged",
     "hooks:commit-msg": "commitlint -e",
@@ -33,6 +34,7 @@
     "husky": "9.1.7",
     "lerna": "9.0.7",
     "lint-staged": "16.4.0",
+    "lockfile-lint": "5.0.0",
     "mocha": "11.7.5",
     "npm-run-all": "4.1.5",
     "prettier": "3.8.3",

packages/dts-generator/package.json

@@ -24,30 +24,30 @@
   "dependencies": {
     "@definitelytyped/dtslint": "latest",
     "@definitelytyped/eslint-plugin": "latest",
-    "@ui5/logger": "^4.0.2",
-    "argparse": "^2.0.1",
-    "es-main": "^1.4.0",
+    "@ui5/logger": "4.0.2",
+    "argparse": "2.0.1",
+    "es-main": "1.4.0",
     "fs-extra": "11.3.5",
     "lodash": "4.18.1",
     "lodash.combinations": "18.11.1",
-    "node-fetch": "^3.3.2",
+    "node-fetch": "3.3.2",
     "prettier": "3.8.3",
-    "resolve": "^1.22.12",
+    "resolve": "1.22.12",
     "sanitize-html": "2.17.3",
-    "semver": "^7.8.0",
-    "strip-json-comments": "^5.0.3",
-    "typescript": "^6.0.3"
+    "semver": "7.8.0",
+    "strip-json-comments": "5.0.3",
+    "typescript": "6.0.3"
   },
   "devDependencies": {
-    "@microsoft/api-extractor": "^7.58.7",
-    "@types/argparse": "^2.0.17",
+    "@microsoft/api-extractor": "7.58.7",
+    "@types/argparse": "2.0.17",
     "@types/lodash": "4.17.24",
-    "@types/node": "^22.0.0",
+    "@types/node": "22.19.18",
     "@types/sanitize-html": "2.16.1",
     "@types/urijs": "1.19.26",
-    "copyfiles": "^2.4.1",
-    "del-cli": "^7.0.0",
-    "npm-run-all": "^4.1.5"
+    "copyfiles": "2.4.1",
+    "del-cli": "7.0.0",
+    "npm-run-all": "4.1.5"
   },
   "scripts": {
     "clean": "del-cli -f dist",

renovate.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:best-practices"],
+  "minimumReleaseAge": "7 days",
+  "rangeStrategy": "pin",
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "minimumReleaseAge": "3 days",
+    "labels": ["security"]
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": ["before 6am on monday"]
+  },
+  "packageRules": [
+    {
+      "description": "Group all non-major updates to reduce PR noise",
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "non-major dependencies"
+    },
+    {
+      "description": "Auto-merge patch updates for @types packages after age gate",
+      "matchUpdateTypes": ["patch"],
+      "automerge": true,
+      "automergeType": "pr",
+      "matchPackageNames": ["/^@types//"],
+      "minimumReleaseAge": "7 days"
+    }
+  ],
+  "prCreation": "not-pending"
+}