chore: modernize deps, pnpm 11 config, and CI hardening#958
Open
EhabY wants to merge 3 commits into
- Bump production deps: axios 1.16.1, fflate 0.8.3, semver 7.8.0, ws 8.20.1, zod 4.4.3.
- Bump devDeps: eslint 10.4.0, @eslint-react 5.8.0, @typescript-eslint 8.59.3, vitest 4.1.6, chromatic 16.10.1, plus storybook 10.4.0, vite 8.0.13, @tanstack/react-query 5.100.10 in the catalog.
- Migrate to pnpm 11 config: replace removed onlyBuiltDependencies / ignoredBuiltDependencies with the unified allowBuilds map; enable dedupePeers to collapse peer chains in the React 19 / Storybook / Vite tree.
- Pin pnpm itself by Corepack integrity: pnpm@11.1.2+sha224.6d287705... so local Corepack flows verify the tarball hash on install.
fflate 0.8.3 tightened the Unzipped index signature to Uint8Array<ArrayBuffer>, so assigning Buffer values from fs.readFile (typed Uint8Array<ArrayBufferLike>) into the unzipped map no longer type-checks. Widen the variable to Zippable - which is what zipAsync consumes anyway and accepts the broader Uint8Array - to keep the read/modify/write flow without a cast.
- Pin every GitHub Action by full commit SHA with a # version comment, matching GitHub's security-hardening guidance and what chromaui/action already does. Dependabot recognizes the format and updates both the SHA and comment together. Bump versions while pinning: checkout v6.0.2, setup-node v6.4.0, upload-artifact v7.0.1, download-artifact v8.0.1, pnpm/action-setup v6.0.8, chromaui/action v16.10.1 (also fixes a stale SHA whose tag comment no longer matched).
- Move all release-workflow runners from ubuntu-22.04 to ubuntu-24.04 for consistency with CI; bump pnpm/action-setup from v5 to v6 in the setup composite to match.
- Replace the archived marvinpinto/action-automatic-releases@latest with softprops/action-gh-release@v3, pinned by SHA. Enable generate_release_notes so draft releases ship with the PR/commit changelog populated, and fail_on_unmatched_files so a missing VSIX glob fails loudly instead of publishing an empty release.
- Consolidate manual checkout + pnpm/action-setup + setup-node + pnpm install in pre-release.yaml and release.yaml down to the existing ./.github/actions/setup composite, removing duplicated SHA pins.
- Tune Dependabot: monthly + group-all for github-actions and docker (low-risk, rarely time-sensitive); weekly for npm with minor+patch batched and majors as individual PRs; per-semver-level cooldown days (3/5/7) to ride out compromised or yanked releases. Security advisories still bypass both cooldown and groups.
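As an added illustration of what the Corepack pin in the first commit buys (example code, not from this PR, from pnpm, or from Corepack), the check below parses a packageManager field of the form name@version+algorithm.hex and accepts a downloaded package-manager tarball only when its digest under that algorithm matches the pinned hex; a field with no integrity suffix is rejected outright, since the version alone does not bind the bytes that will be executed. The real digest is elided above (6d287705...), so the tarball bytes here are constructed stand-ins, and the regex and the assumption that the digest is taken over the raw tarball bytes belong to this example, not to Corepack's implementation.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not code from the PR, pnpm or Corepack. Models the check a
// Corepack-style packageManager pin enables: "<name>@<version>+<algo>.<hex>",
// where <hex> is the <algo> digest of the package-manager tarball
// (assumption: digest over the raw tarball bytes).

interface PackageManagerSpec {
  name: string;
  version: string;
  algorithm: string | null; // e.g. "sha224"; null when no integrity suffix
  digestHex: string | null;
}

const SPEC_RE =
  /^([a-z][a-z0-9-]*)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?:\+([a-z0-9]+)\.([0-9a-f]+))?$/;

function parsePackageManager(field: string): PackageManagerSpec {
  const m = SPEC_RE.exec(field);
  if (!m) throw new Error(`malformed packageManager field: ${field}`);
  return {
    name: m[1] ?? "",
    version: m[2] ?? "",
    algorithm: m[3] ?? null,
    digestHex: m[4] ?? null,
  };
}

// Produce the pinned field from a tarball, i.e. what a tool would write into
// package.json when the pin is first created.
function integrityField(
  name: string,
  version: string,
  tarball: Uint8Array,
  algorithm = "sha224",
): string {
  const hex = createHash(algorithm).update(tarball).digest("hex");
  return `${name}@${version}+${algorithm}.${hex}`;
}

// CI policy check: the field must carry a hash, and the tarball must match it.
function verifyTarball(
  field: string,
  tarball: Uint8Array,
): { ok: boolean; reason: string } {
  const spec = parsePackageManager(field);
  if (!spec.algorithm || !spec.digestHex) {
    return { ok: false, reason: "packageManager has no +<algo>.<hex> integrity suffix" };
  }
  const actual = createHash(spec.algorithm).update(tarball).digest();
  const expected = Buffer.from(spec.digestHex, "hex");
  if (actual.length !== expected.length) {
    return { ok: false, reason: `digest length mismatch for ${spec.algorithm}` };
  }
  // Constant-time compare so a mismatch does not leak which bytes differ.
  if (!timingSafeEqual(actual, expected)) {
    return {
      ok: false,
      reason: `${spec.name}@${spec.version}: tarball ${spec.algorithm} does not match pin`,
    };
  }
  return { ok: true, reason: "integrity verified" };
}

// Constructed stand-in tarball bytes (not a real pnpm release).
const GOOD_TARBALL = Buffer.from("fake-pnpm-11.1.2.tgz contents");
const PINNED = integrityField("pnpm", "11.1.2", GOOD_TARBALL);
const TAMPERED = Buffer.concat([GOOD_TARBALL, Buffer.from("x")]);

function main(): void {
  console.log(PINNED);
  console.log(verifyTarball(PINNED, GOOD_TARBALL)); // ok: true
  console.log(verifyTarball(PINNED, TAMPERED)); // ok: false, digest mismatch
  console.log(verifyTarball("pnpm@11.1.2", GOOD_TARBALL)); // ok: false, no suffix
}
main();
```

The algorithm name is taken from the field rather than hard-coded, so the same check works whether a pin was written with sha224 (as in this PR) or another digest; a CI job would run verifyTarball against the tarball it is about to unpack and fail the build on anything but ok: true.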
Three-commit modernization pass.
chore(deps): bump non-major dependencies and migrate to pnpm 11
- onlyBuiltDependencies / ignoredBuiltDependencies → the unified allowBuilds; enable dedupePeers.
- packageManager: pnpm@11.1.2+sha224.6d287705....

fix(types): widen fflate entries to Zippable in supportBundleLogs
- fflate 0.8.3 tightened Unzipped's index signature; widening to Zippable (which zipAsync already consumes) restores the read/modify/write flow without a cast.

ci: SHA-pin actions, modernize runners, and tune Dependabot
- Every action pinned by full commit SHA with a # version comment (GitHub's hardening guidance; Dependabot updates both atomically). Versions bumped while pinning. Fixes a chromaui/action SHA whose comment had drifted.
- ubuntu-22.04 → ubuntu-24.04 across release workflows; pnpm/action-setup v5 → v6 in the setup composite.
- marvinpinto/action-automatic-releases@latest → softprops/action-gh-release@v3. Enable generate_release_notes (auto-populated draft body) and fail_on_unmatched_files.
- pre-release.yaml / release.yaml → the existing ./.github/actions/setup composite.
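As an added illustration of the SHA-pinning rule in the ci commit (example code, not from this PR or the project), the lint below scans a workflow's uses: lines and flags references that are still mutable tags or @latest, that have no ref at all, or that carry a full commit SHA without the # vX.Y.Z comment Dependabot keys its updates on. Local composite actions under ./ and docker:// references are skipped by this example's own choice. The workflow text, the 40-hex placeholder SHAs and the action names are constructed for the example.

```typescript
// Added example, not code from the PR or the project: enforce "pin every
// GitHub Action by full commit SHA with a # version comment" over the raw
// text of a workflow file. Assumption: `uses:` is always a single scalar on
// one line, so a line scan suffices and no YAML parser is needed.

interface Finding {
  line: number;
  uses: string;
  problem: string;
}

const SHA40 = /^[0-9a-f]{40}$/;
// Matches `- uses: owner/repo[/path]@ref   # optional comment`
const USES_RE = /^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$/;

function checkActionPins(workflow: string): Finding[] {
  const findings: Finding[] = [];
  workflow.split("\n").forEach((text, idx) => {
    const m = USES_RE.exec(text);
    if (!m) return;
    const uses = m[1] ?? "";
    const comment = m[2] ?? "";
    const lineNo = idx + 1;

    // Local composite actions are part of the checked-out commit already.
    if (uses.startsWith("./")) return;
    // docker:// images are pinned by digest, not git SHA; out of scope here.
    if (uses.startsWith("docker://")) return;

    const at = uses.lastIndexOf("@");
    if (at === -1) {
      findings.push({ line: lineNo, uses, problem: "no ref at all (resolves to the default branch)" });
      return;
    }
    const ref = uses.slice(at + 1);
    if (!SHA40.test(ref)) {
      findings.push({
        line: lineNo,
        uses,
        problem: `mutable ref "${ref}" instead of a 40-hex commit SHA`,
      });
      return;
    }
    // Without the version comment the SHA pin silently stops receiving updates.
    if (!/^#\s*v?\d+(\.\d+)*/.test(comment)) {
      findings.push({ line: lineNo, uses, problem: "SHA pin has no '# vX.Y.Z' version comment" });
    }
  });
  return findings;
}

// Constructed sample workflow (not from the PR); SHAs are placeholders.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: ./.github/actions/setup
      - uses: actions/checkout@v6
      - uses: marvinpinto/action-automatic-releases@latest
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v7.0.1
      - uses: softprops/action-gh-release@89abcdef0123456789abcdef0123456789abcdef
      - uses: docker://alpine:3.20
`;

function main(): void {
  for (const f of checkActionPins(SAMPLE_WORKFLOW)) {
    console.log(`line ${f.line}: ${f.uses}: ${f.problem}`);
  }
}
main();
```

Run against the sample it reports three lines: the checkout tag, the @latest release action, and the SHA-pinned release action that lacks its version comment; the local composite, the docker image and the correctly pinned upload-artifact step pass. The same function can be pointed at every file under .github/workflows as a required CI check so a later PR cannot quietly reintroduce a mutable tag.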