chore: harden dependency workflows
This commit is contained in:
14
README.md
14
README.md
@@ -70,6 +70,20 @@ npm run check # Lint, format, and type check
|
||||
./pi-test.sh # Run pi from sources (can be run from any directory)
|
||||
```
|
||||
|
||||
## Supply-chain hardening
|
||||
|
||||
We treat npm dependency changes as reviewed code changes.
|
||||
|
||||
- Direct external dependencies are pinned to exact versions. Internal workspace packages remain version-ranged.
|
||||
- `.npmrc` sets `save-exact=true` and `min-release-age=2` to avoid same-day dependency releases during npm resolution.
|
||||
- `package-lock.json` is the dependency ground truth. Pre-commit blocks accidental lockfile commits unless `PI_ALLOW_LOCKFILE_CHANGE=1` is set.
|
||||
- `npm run check` verifies pinned direct deps, native TypeScript import compatibility, and the generated coding-agent shrinkwrap.
|
||||
- The published CLI package includes `packages/coding-agent/npm-shrinkwrap.json`, generated from the root lockfile, to pin transitive deps for npm users.
|
||||
- Release smoke tests use `npm run release:local` to build, pack, and install outside the repo before publishing.
|
||||
- Local release installs, documented npm installs, and `pi update --self` use `--ignore-scripts` where supported.
|
||||
- CI installs with `npm ci --ignore-scripts`, and a scheduled GitHub workflow runs `npm audit --omit=dev` plus `npm audit signatures --omit=dev`.
|
||||
- Shrinkwrap generation has an explicit allowlist for dependency lifecycle scripts; new lifecycle-script deps fail checks until reviewed.
|
||||
|
||||
## License
|
||||
|
||||
MIT
|
||||
|
||||
Reference in New Issue
Block a user