
feat: add pnpm security configuration (issue #25)#39

Open
Absy00 wants to merge 3 commits into main from fix/supply-chain-security-issue-25

Conversation

Absy00 (Collaborator) commented Jan 26, 2026

Summary

Adds .npmrc with pnpm security settings per https://pnpm.io/supply-chain-security

Closes #25


Configuration

audit-level=high
strict-peer-dependencies=false
ignore-scripts=false
prefer-frozen-lockfile=false
engine-strict=true
package-import-method=auto
resolution-mode=highest

Testing

  • pnpm install works without errors
  • All pre-commit hooks pass
  • Pre-push audit passes

semantic-release-bot and others added 2 commits January 26, 2026 02:01
# [2.1.0](v2.0.0...v2.1.0) (2026-01-23)

### Features

* add pepper support to argon2 hashing ([#34](#34)) ([4d508df](4d508df))
Absy00 (Collaborator, Author) commented Jan 26, 2026

@Filipo11021

Additional considerations

I've implemented a basic security configuration, but I'd like to discuss potential improvements:

1. Install Scripts (ignore-scripts)

Currently set to false (allows all scripts).

Should we consider true for maximum security? This would block malicious install scripts but might break packages like puppeteer or esbuild unless we maintain a whitelist.

2. Strict Peer Dependencies (strict-peer-dependencies)

Currently set to false (warnings only).

Would true be better to prevent dependency version confusion, or would it cause too many false positives?

3. Frozen Lockfile in CI

Currently prefer-frozen-lockfile=false for local development.

Should we add --frozen-lockfile flag to CI workflows to prevent lockfile tampering in production builds?

Example:

# .github/workflows/ci.yml
- run: pnpm install --frozen-lockfile

4. Package Store Integrity (verify-store-integrity)

pnpm 9.x supports verifying package integrity in the store.

Should we enable this for additional security?

verify-store-integrity=true

Let me know if you'd like me to adjust any of these settings or add CI hardening.

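The two comments above describe a .npmrc and then debate which of its settings to tighten (install scripts, audit level, store integrity, a frozen lockfile in CI). The following is an added example, not code from this PR or from the nodejs-password-hashing repository: a small Node.js lint pass that parses .npmrc text, reports the settings discussed above when they are left in their weaker form, and checks that install scripts are either disabled or limited to an explicit allowlist. The first sample is the configuration posted in the PR; the second is a constructed hardened variant together with a constructed package.json that allowlists esbuild via pnpm's documented `pnpm.onlyBuiltDependencies` field. Function names and the exact finding wording are this example's own.

```javascript
// Added example, not code from the PR or the nodejs-password-hashing project:
// a lint pass over the pnpm settings debated in the PR. It parses .npmrc text,
// reports settings that weaken supply-chain protection, and checks whether
// install scripts are disabled or restricted to an explicit allowlist.

// .npmrc is ini-style: one key=value per line, '#' or ';' starts a comment.
function parseNpmrc(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue; // bare keys are not used by the rules below
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return settings;
}

// Which packages may run install scripts. pnpm honours ignore-scripts in .npmrc
// (nothing runs, including the project's own lifecycle scripts) and the
// package.json field pnpm.onlyBuiltDependencies (only the listed packages run).
function scriptsPolicy(settings, packageJson) {
  if (settings['ignore-scripts'] === 'true') return { mode: 'none', allowed: [] };
  const allowed = packageJson?.pnpm?.onlyBuiltDependencies;
  if (Array.isArray(allowed)) return { mode: 'allowlist', allowed: [...allowed] };
  return { mode: 'all', allowed: null };
}

// Returns a list of human-readable findings; an empty list means no weak setting found.
function lintNpmrc(text, packageJson = {}) {
  const s = parseNpmrc(text);
  const findings = [];

  const policy = scriptsPolicy(s, packageJson);
  if (policy.mode === 'all') {
    findings.push('install scripts: every dependency may run preinstall/postinstall; ' +
      'set ignore-scripts=true or list trusted packages in pnpm.onlyBuiltDependencies');
  }

  // audit-level is the minimum severity at which `pnpm audit` exits non-zero;
  // it does not gate `pnpm install`. At high/critical, moderate advisories pass.
  const level = s['audit-level'];
  if (level === 'high' || level === 'critical') {
    findings.push(`audit-level=${level}: pnpm audit exits 0 on low and moderate advisories`);
  }

  // Default is true; false skips the content check when linking files from the store.
  if (s['verify-store-integrity'] === 'false') {
    findings.push('verify-store-integrity=false: modified files in the store are linked unchecked');
  }

  if (s['engine-strict'] !== 'true') {
    findings.push('engine-strict is not true: the engines.node range is only a warning');
  }

  return findings;
}

// Sample 1: the .npmrc posted in this PR.
const PR_NPMRC = `
audit-level=high
strict-peer-dependencies=false
ignore-scripts=false
prefer-frozen-lockfile=false
engine-strict=true
package-import-method=auto
resolution-mode=highest
`;

// Sample 2 (constructed): the settings discussed in the PR tightened, plus a
// constructed package.json allowlisting esbuild, one of the packages named as
// needing a build step. Lockfile freezing is left to `pnpm install --frozen-lockfile` in CI.
const HARDENED_NPMRC = `
audit-level=moderate
strict-peer-dependencies=false
engine-strict=true
verify-store-integrity=true
resolution-mode=highest
`;
const HARDENED_PACKAGE_JSON = { pnpm: { onlyBuiltDependencies: ['esbuild'] } };

// Runs both samples: the PR file yields two findings, the hardened one none.
function demo() {
  return {
    pr: lintNpmrc(PR_NPMRC, {}),
    hardened: lintNpmrc(HARDENED_NPMRC, HARDENED_PACKAGE_JSON),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node lint-npmrc.js` (a file name chosen here) against a copy of the repository's .npmrc and package.json read in with `fs.readFileSync`; the policy split between `ignore-scripts` and `onlyBuiltDependencies` matters because the former also silences the project's own `prepare` and similar scripts, which the allowlist approach does not.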

.npmrc Outdated
# 1. Audit Settings
# -----------------
# Blocks installation if HIGH severity vulnerabilities are found
audit-level=high
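Review bot: the comment above `audit-level=high` overstates what the setting does. `audit-level` is the minimum severity at which `pnpm audit` exits non-zero; it does not block `pnpm install`, and at `high` any moderate or low advisory is reported but passes. Suggest rewording the comment to something like "pnpm audit fails only on high or critical advisories", or lowering the level so the pre-push audit catches moderate findings too.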
Owner


I propose setting the audit level to moderate and removing the audit flag from the Lefthook and CI configurations.
https://github.com/Filipo11021/nodejs-password-hashing/blob/main/lefthook.yml#L4
https://github.com/Filipo11021/nodejs-password-hashing/blob/main/.github/workflows/ci.yml#L17



Development

Successfully merging this pull request may close these issues.

Mitigating supply chain attacks

3 participants