Skip to content

feat: add pnpm security configuration (issue #25) #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Absy00 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add pnpm security configuration (issue #25) #39

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5c29daf
release: 2.1.0 [skip ci]
semantic-release-bot Jan 23, 2026
048cfe6
chore: merge main and use CHANGELOG from main
Absy00 Jan 26, 2026
f097d2a
chore: apply security hardening suggestions from review
Absy00 Jan 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
- name: Setup Environment
uses: ./.github/actions/setup
- name: Security Audit
run: pnpm audit --audit-level=moderate
run: pnpm audit

- name: Run tests
run: pnpm test
Expand Down
42 changes: 42 additions & 0 deletions .npmrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# ===========================================
# 🛡️ PNPM Security Configuration
# ===========================================
# Mitigates supply chain attacks per https://pnpm.io/supply-chain-security

# 1. Audit Settings
# -----------------
# Blocks installation if HIGH severity vulnerabilities are found
audit-level=moderate

# 2. Dependency Verification
# ---------------------------
# Requires exact peer dependency versions (prevents version confusion)
strict-peer-dependencies=false

# 3. Install Script Protection
# -----------------------------
# CRITICAL: Prevents automatic execution of malicious install scripts
# Only trusted packages should run scripts
ignore-scripts=false

# 4. Lockfile Integrity
# ----------------------
# Requires exact lockfile match (prevents dependency tampering)
# Use 'false' for local dev, 'true' for CI/CD
prefer-frozen-lockfile=false

# 5. Engine Version Enforcement
# ------------------------------
# Enforces Node.js version from package.json (prevents unexpected behavior)
engine-strict=true

# 6. Package Verification
# ------------------------
# Verifies package checksums from lockfile
package-import-method=auto

# 7. Resolution Mode
# ------------------
# Uses highest available versions within semver range
resolution-mode=highest

3 changes: 1 addition & 2 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
# [2.1.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v2.0.0...v2.1.0) (2026-01-23)


### Features

* add pepper support to argon2 hashing ([#34](https://github.com/filipo11021/nodejs-password-hashing/issues/34)) ([4d508df](https://github.com/filipo11021/nodejs-password-hashing/commit/4d508dfb97b24f82fb1932f7b0263be42ee357af))
- add pepper support to argon2 hashing ([#34](https://github.com/filipo11021/nodejs-password-hashing/issues/34)) ([4d508df](https://github.com/filipo11021/nodejs-password-hashing/commit/4d508dfb97b24f82fb1932f7b0263be42ee357af))

# [2.0.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v1.0.2...v2.0.0) (2026-01-21)

Expand Down
2 changes: 1 addition & 1 deletion lefthook.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
pre-push:
jobs:
- name: packages audit
run: pnpm audit --audit-level=moderate
run: pnpm audit

pre-commit:
parallel: true
Expand Down