chore(pnpm): add security settings for supply chain attack prevention (#307)

ryoppippi · web-flow · commit 54cfe5da3e48 · 2026-01-27T17:59:37.000Z
* chore(pnpm): add security settings for supply chain attack prevention Add strictDepBuilds, blockExoticSubdeps settings to pnpm-workspace.yaml. These settings protect against supply chain attacks by: - strictDepBuilds: Blocking lifecycle scripts by default - blockExoticSubdeps: Blocking non-registry dependencies The trustPolicy setting was already present but now has proper documentation comments explaining its purpose. Reference: https://pnpm.io/settings * docs(rules): document pnpm security settings and add nix-workflow symlink - Add Security Settings section to pnpm-usage.md explaining the three security settings and their purposes - Add symlink for nix-workflow.md to .cursor/rules for consistency * chore: format pnpm-usage.md table
diff --git a/.claude/rules/pnpm-usage.md b/.claude/rules/pnpm-usage.md
@@ -44,6 +44,21 @@ fish -c "<command>"
 2. **Binary not found**: Use `pnpm dlx` instead of `pnpm exec`
 3. **Permission errors**: Check node_modules permissions
 
+## Security Settings
+
+The project uses pnpm security settings to protect against supply chain attacks.
+These are configured in `pnpm-workspace.yaml`:
+
+| Setting                     | Purpose                                                                                                                  |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
+| `strictDepBuilds: true`     | Blocks lifecycle scripts (postinstall, etc.) by default. Only packages in `onlyBuiltDependencies` can run build scripts. |
+| `blockExoticSubdeps: true`  | Blocks dependencies from non-registry sources (Git repos, tarball URLs).                                                 |
+| `trustPolicy: no-downgrade` | Prevents trust level downgrades between versions (e.g., from GitHub OIDC to basic auth).                                 |
+
+If a new dependency requires build scripts, add it to `onlyBuiltDependencies` in `pnpm-workspace.yaml`.
+
+Reference: https://pnpm.io/settings
+
 ## Publishing & Deployment
 
 When ready to release:
diff --git a/.cursor/rules/nix-workflow.mdc b/.cursor/rules/nix-workflow.mdc
@@ -0,0 +1 @@
+../../.claude/rules/nix-workflow.md
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -57,6 +57,20 @@ onlyBuiltDependencies:
 
 shellEmulator: true
 
+# Security settings (supply chain attack prevention)
+# See: https://pnpm.io/settings
+
+# Blocks lifecycle scripts (postinstall, etc.) from running in dependencies by default
+# Only packages listed in onlyBuiltDependencies can run build scripts
+# Prevents Shai-Hulud-style worm attacks that exploit automatic script execution
+strictDepBuilds: true
+
+# Blocks dependencies from non-registry sources (Git repos, tarball URLs)
+# Prevents PhantomRaven-style attacks that bypass npm scanning
+blockExoticSubdeps: true
+
+# Prevents trust level downgrades between package versions
+# Blocks installations when publisher credentials downgrade from GitHub OIDC to basic auth
 trustPolicy: no-downgrade
 
 trustPolicyExclude:
