diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 28365d4acb..9ba9fd1e06 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -36,6 +36,7 @@ Please add a detailed description of how to review this PR. #### UI - [ ] All issue/task requirements work as expected on the UI +- [ ] If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient. - [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px) - [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px) - [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px) diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index 4abbfa72af..7b621cf0ff 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml @@ -132,6 +132,10 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' run: pnpm run healthcheck + - name: Run pnpm audit + if: steps.check-changes.outputs.any_changed == 'true' + run: pnpm run audit + - name: Run unit tests (all - critical paths changed) if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed == 'true' run: | diff --git a/docs/README.md b/docs/README.md index 79917aeed1..595f79bc5a 100644 --- a/docs/README.md +++ b/docs/README.md @@ -10,10 +10,10 @@ This repository contains the Prowler Open Source documentation powered by [Mintl ## Local Development -Install the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally: +Install a reviewed version of the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally: ```bash -npm i -g mint +npm install --global mint@4.2.560 ``` Run the following command at the root of your documentation (where `mint.json` is located): diff --git a/docs/developer-guide/documentation.mdx b/docs/developer-guide/documentation.mdx index f1fae30d35..d0fb808af2 100644 --- a/docs/developer-guide/documentation.mdx +++ b/docs/developer-guide/documentation.mdx @@ -28,7 +28,7 @@ This includes the [AGENTS.md](https://github.com/prowler-cloud/prowler/blob/mast ```bash - npm i -g mint + npm install --global mint@4.2.560 ``` For detailed instructions, check the [Mintlify documentation](https://www.mintlify.com/docs/installation). diff --git a/docs/getting-started/basic-usage/prowler-mcp.mdx b/docs/getting-started/basic-usage/prowler-mcp.mdx index a9357dcdeb..2c32dbdbfc 100644 --- a/docs/getting-started/basic-usage/prowler-mcp.mdx +++ b/docs/getting-started/basic-usage/prowler-mcp.mdx @@ -44,13 +44,21 @@ Choose the configuration based on your deployment: **Configuration:** + + Avoid configuring MCP clients to run `npx mcp-remote` directly. `npx` can download and execute a new package version on each run. Install a reviewed version of `mcp-remote` in a dedicated local workspace, then point the MCP client to the installed binary. + + ```bash + mkdir -p ~/.local/share/prowler-mcp-bridge + cd ~/.local/share/prowler-mcp-bridge + npm init -y + npm install --save-exact mcp-remote@0.1.38 + ``` ```json { "mcpServers": { "prowler": { - "command": "npx", + "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote", "args": [ - "mcp-remote", "https://mcp.prowler.com/mcp", // or your self-hosted Prowler MCP Server URL "--header", "Authorization: Bearer ${PROWLER_APP_API_KEY}" @@ -72,14 +80,20 @@ Choose the configuration based on your deployment: 2. Go to "Developer" tab 3. Click in "Edit Config" button 4. Edit the `claude_desktop_config.json` file with your favorite editor - 5. Add the following configuration: + 5. Install a reviewed version of `mcp-remote` in a dedicated local workspace: + ```bash + mkdir -p ~/.local/share/prowler-mcp-bridge + cd ~/.local/share/prowler-mcp-bridge + npm init -y + npm install --save-exact mcp-remote@0.1.38 + ``` + 6. Add the following configuration: ```json { "mcpServers": { "prowler": { - "command": "npx", + "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote", "args": [ - "mcp-remote", "https://mcp.prowler.com/mcp", "--header", "Authorization: Bearer ${PROWLER_APP_API_KEY}" diff --git a/docs/getting-started/installation/prowler-app.mdx b/docs/getting-started/installation/prowler-app.mdx index 2ed4481ae1..03f89e7824 100644 --- a/docs/getting-started/installation/prowler-app.mdx +++ b/docs/getting-started/installation/prowler-app.mdx @@ -38,7 +38,7 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai - `git` installed. - `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation). - - `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). + - `pnpm` installed through [Corepack](https://pnpm.io/installation#using-corepack) or the standalone [pnpm installation](https://pnpm.io/installation). - `Docker Compose` installed: https://docs.docker.com/compose/install/. @@ -97,9 +97,11 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai ```bash git clone https://github.com/prowler-cloud/prowler \ cd prowler/ui \ - npm install \ - npm run build \ - npm start + corepack enable \ + corepack install \ + pnpm install --frozen-lockfile \ + pnpm run build \ + pnpm start ``` > Enjoy Prowler App at http://localhost:3000 by signing up with your email and password. diff --git a/docs/user-guide/providers/llm/getting-started-llm.mdx b/docs/user-guide/providers/llm/getting-started-llm.mdx index 94256b3ee2..8cca7f2a08 100644 --- a/docs/user-guide/providers/llm/getting-started-llm.mdx +++ b/docs/user-guide/providers/llm/getting-started-llm.mdx @@ -22,7 +22,7 @@ Install promptfoo using one of the following methods: **Using npm:** ```bash -npm install -g promptfoo +npm install --global promptfoo@0.121.11 ``` **Using Homebrew (macOS):** diff --git a/mcp_server/README.md b/mcp_server/README.md index 41c5271d61..8810c07a5c 100644 --- a/mcp_server/README.md +++ b/mcp_server/README.md @@ -56,13 +56,21 @@ Prowler MCP Server can be used in three ways: - Managed and maintained by Prowler team - Always up-to-date +Install a reviewed version of `mcp-remote` in a dedicated local workspace first. Avoid running `npx mcp-remote` directly because it can download and execute a new package version on each run. + +```bash +mkdir -p ~/.local/share/prowler-mcp-bridge +cd ~/.local/share/prowler-mcp-bridge +npm init -y +npm install --save-exact mcp-remote@0.1.38 +``` + ```json { "mcpServers": { "prowler": { - "command": "npx", + "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote", "args": [ - "mcp-remote", "https://mcp.prowler.com/mcp", "--header", "Authorization: Bearer pk_YOUR_API_KEY_HERE" diff --git a/ui/AGENTS.md b/ui/AGENTS.md index b0d131f10e..76f64ef251 100644 --- a/ui/AGENTS.md +++ b/ui/AGENTS.md @@ -226,5 +226,6 @@ pnpm run test:e2e:ui - [ ] Relevant E2E tests pass - [ ] All UI states handled (loading, error, empty) - [ ] No secrets in code (use `.env.local`) +- [ ] New npm dependencies include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and a rationale for not using existing/native alternatives. - [ ] Error messages sanitized - [ ] Server-side validation present diff --git a/ui/components/shadcn/README.md b/ui/components/shadcn/README.md index 127832a4f7..06b9183408 100644 --- a/ui/components/shadcn/README.md +++ b/ui/components/shadcn/README.md @@ -109,10 +109,10 @@ export function MyComponent() { ## Adding New shadcn Components -When adding new shadcn components using the CLI: +When adding new shadcn components using the CLI, pin the reviewed CLI version instead of using `@latest`: ```bash -npx shadcn@latest add [component-name] +pnpm dlx shadcn@4.7.0 add [component-name] ``` The component will be automatically added to this directory due to the configuration in `components.json`: diff --git a/ui/package.json b/ui/package.json index c8b4d88810..0b8992f0d6 100644 --- a/ui/package.json +++ b/ui/package.json @@ -28,6 +28,8 @@ "test:e2e:headed": "playwright test --project=auth --project=sign-up --project=providers --project=invitations --project=scans --headed", "test:e2e:report": "playwright show-report", "test:e2e:install": "playwright install", + "audit": "pnpm audit --audit-level critical", + "audit:high": "pnpm audit --audit-level high", "audit:fix": "pnpm audit fix" }, "dependencies": { diff --git a/ui/pnpm-workspace.yaml b/ui/pnpm-workspace.yaml index 829294f92b..26ebd51565 100644 --- a/ui/pnpm-workspace.yaml +++ b/ui/pnpm-workspace.yaml @@ -14,20 +14,21 @@ minimumReleaseAge: 1440 # --- Level 2: Explicit Build Script Allow-list --- # Only these packages may run install/postinstall lifecycle scripts. -# Any unlisted package with lifecycle scripts will have them silently skipped. -onlyBuiltDependencies: +# Any unlisted package with lifecycle scripts fails the install. +strictDepBuilds: true +allowBuilds: # sharp: Native image processing (libvips). Installs platform-specific pre-built binary or compiles from source. - - sharp + sharp: true # @sentry/cli: Downloads the sentry-cli native binary for the current platform. Validates integrity via SHA256. - - "@sentry/cli" + "@sentry/cli": true # esbuild: Go binary. Downloads the pre-compiled binary matching the current platform/architecture. - - esbuild + esbuild: true # @heroui/shared-utils: Demi pattern — detects React/Next.js version at install time and copies the compatible bundle (React 18 vs 19). - - "@heroui/shared-utils" + "@heroui/shared-utils": true # unrs-resolver: Rust module resolver (NAPI-RS). Verifies the correct native binding is available for the platform. - - unrs-resolver + unrs-resolver: true # msw: Copies mockServiceWorker.js into the directories listed in package.json's `msw.workerDirectory` (here: `public/`) so the runtime worker stays in sync with the installed msw version. Pure file copy — no native binary, no network access. Required for vitest browser tests to intercept fetches via the service worker. - - msw + msw: true # --- Level 3: Trust Policy + Exotic Subdeps --- # Fail when a package's trust evidence is downgraded (e.g., new publisher).