6db8ce672c
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
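# pnpm 11+ workspace config. .npmrc is auth/registry only; everything else lives here.
# Reference: https://pnpm.io/supply-chain-security

# No workspace sub-packages are declared; this file exists to hold the pnpm settings below.
packages: []

# Refuse to install on Node/pnpm outside the `engines` block in package.json.
engineStrict: true

# Hoist the HeroUI family so its legacy peer-dep pattern resolves.
publicHoistPattern:
  - "*@heroui/*"

# Default `pnpm add` to exact versions — matches package.json convention.
saveExact: true

# --- Dependency overrides ---
# Each entry pins a (mostly transitive) dependency to one exact version so the
# whole tree resolves to a single release. Range-qualified keys such as
# "minimatch@<4" pin each major line separately instead of forcing one version
# onto consumers with incompatible ranges.
overrides:
  "@react-types/shared": "3.26.0"
  "@internationalized/date": "3.10.0"
  "@react-aria/ssr>react": "19.2.7"
  "@react-aria/ssr>react-dom": "19.2.7"
  "@react-aria/visually-hidden>react": "19.2.7"
  "@react-aria/interactions>react": "19.2.7"
  "lodash": "4.18.1"
  "lodash-es": "4.18.1"
  "hono": "4.12.21"
  "@hono/node-server": "1.19.14"
  "@isaacs/brace-expansion": "5.0.1"
  "fast-xml-parser": "5.8.0"
  "serialize-javascript": "7.0.5"
  "postcss": "8.5.14"
  "esbuild": "0.28.1"
  "rollup@>=4": "4.59.0"
  "minimatch@<4": "3.1.4"
  "minimatch@>=9 <10": "9.0.7"
  "minimatch@>=10": "10.2.3"
  "ajv@<7": "6.14.0"
  "ajv@>=8": "8.18.0"
  "qs": "6.15.2"
  # 8.2.2 dropped provenance attestation; 8.3.1+ restored it. Pinned to skip 8.2.2
  # under `trustPolicy: no-downgrade`.
  "express-rate-limit": "8.5.1"
  # GHSA-w5hq-g745-h8pq: missing bounds check in v3/v5/v6 with buf, fixed in
  # 11.1.1. Transitive consumers (@sentry/webpack-plugin@9, @langchain/langgraph@10)
  # use the random v4 generator only, so the bug isn't reachable in practice,
  # but the override unifies the tree on a patched version.
  "uuid": "11.1.1"

# --- Level 1: Minimum Release Age ---
# Packages must be published for at least 1 day before they can be installed
# (the value is in minutes: 1440 = 24h).
# Prevents installing compromised packages during the detection window.
minimumReleaseAge: 1440

# Bypasses the minimum release age for specific packages.
# Use ONLY for emergency patches (e.g., critical CVE fixes) that cannot wait 24h.
# This should be ephemeral — remove the entry once the package meets the age threshold.
# minimumReleaseAgeExclude:
#   - "<package>@<version>"   # placeholder form; leave the key commented out when empty

# --- Level 2: Explicit Build Script Allow-list ---
# Only these packages may run install/postinstall lifecycle scripts.
# Any unlisted package with lifecycle scripts fails the install.
# Entries are keyed by package name only, so the permission is not tied to a
# version; a pin in `overrides` (esbuild above) is what bounds which release's
# script actually runs. Re-check this list whenever an allow-listed package is
# upgraded.
strictDepBuilds: true
allowBuilds:
  # sharp: Native image processing (libvips). Installs platform-specific pre-built
  # binary or compiles from source.
  sharp: true
  # @sentry/cli: Downloads the sentry-cli native binary for the current platform.
  # Validates integrity via SHA256.
  "@sentry/cli": true
  # esbuild: Go binary. Downloads the pre-compiled binary matching the current
  # platform/architecture. Version is pinned in `overrides`.
  esbuild: true
  # @heroui/shared-utils: Demi pattern — detects React/Next.js version at install
  # time and copies the compatible bundle (React 18 vs 19).
  "@heroui/shared-utils": true
  # unrs-resolver: Rust module resolver (NAPI-RS). Verifies the correct native
  # binding is available for the platform.
  unrs-resolver: true
  # msw: Copies mockServiceWorker.js into the directories listed in package.json's
  # `msw.workerDirectory` (here: `public/`) so the runtime worker stays in sync with
  # the installed msw version. Pure file copy — no native binary, no network access.
  # Required for vitest browser tests to intercept fetches via the service worker.
  msw: true

# --- Level 3: Trust Policy + Exotic Subdeps ---
# Fail when a package's trust evidence is downgraded (e.g., new publisher).
trustPolicy: no-downgrade
# False positives — packages that don't publish provenance for real releases.
# Pin to the version range that lacks provenance so a bump fails until reviewed.
trustPolicyExclude:
  # next-auth: only a one-off manual test release (`0.0.0-manual.2824fa11`) has
  # provenance; real beta/stable releases don't. Scoped to current beta line.
  - "next-auth@5.0.0-beta.30"
  # semver: legacy major 6.x never had provenance (added in 7.5.1+). Pinned
  # to the exact 6.x version pulled transitively (via @babel/helper-compilation-targets).
  - "semver@6.3.1"

# Block transitive dependencies from using exotic specifiers (git URLs, tarballs).
blockExoticSubdeps: true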