chore: use pnpm-lock.yaml and minimumReleaseAge
#775
Merged
+3,911
−24
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
baseballyama
force-pushed
the
chore/lock-file
branch
2 times, most recently
from
bbcbf73 to
cd665b3
Compare
baseballyama
force-pushed
the
chore/lock-file
branch
from
cd665b3 to
4ffdc4d
Compare
Pull Request Test Coverage Report for Build 18630864983Details
💛 - Coveralls |
Contributor
Try the Instant Preview in Online PlaygroundInstall the Instant Preview to Your LocalPublished Instant Preview Packages:
|
ota-meshi
requested changes
Oct 19, 2025
package.json
Outdated
| }, | ||
| "dependencies": { | ||
| "@typescript-eslint/scope-manager": "^8.46.1", | ||
| "@typescript-eslint/visitor-keys": "^8.46.1", |
Member
There was a problem hiding this comment.
I don't think we need these dependencies, or we should move them to devDeps, since we're only using them for type checking.
Member
|
I'm in favor of using lock files given recent incidents. |
This was referenced Oct 19, 2025
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In light of the recent supply chain attacks, I believe that as an OSS provider we have a duty of care to reduce the risk of being caught up in such incidents.
This PR introduces two improvements to address that.
Add
pnpm-lock.yamlCurrently, there is no lock file, which makes it difficult to determine whether we have been affected by a supply chain attack. For example, if a tainted library is pulled in during a GitHub Actions run, it would be necessary to investigate the scope of impact, but doing so is currently very difficult. Introducing a lock file enables us to trace and verify the exact dependency tree at the time of installation.
Add
minimumReleaseAgeBased on past incidents, malicious packages involved in supply chain attacks are often detected and removed from npm within the first 24 hours. To reduce the likelihood of being affected, we will avoid installing packages that were released less than one day ago. However, some packages, such as Svelte, are exempted from this rule.
When we agree this changes, I will make a PR for
eslint-plugin-sveltealso.