Commit Graph

166 Commits

Author SHA1 Message Date
Zoltan Kochan
c452019ac0 fix(security): port the latest security fixes to v10 (#12300)
* fix(package-bins): reject reserved manifest bin names

Manifest bin keys "", ".", "..", and scoped forms such as "@scope/.."
passed the bin-name guard because encodeURIComponent leaves them
unchanged. When joined to the global bin directory during global
remove/update/add operations, "." resolves to the bin directory itself
and ".." to its parent, which removeBin then recursively deletes.

Reject empty, ".", and ".." bin names after scope stripping.

Backport of pnpm/pnpm#12289 to v10.

* fix: block untrusted request destination env expansion

Makes environment expansion trust-aware for registry/auth config and
request destinations:

- Stops project and workspace .npmrc files from expanding ${...}
  placeholders in registry/proxy request destinations, URL-scoped keys,
  and registry credential values.
- Stops repository-controlled pnpm-workspace.yaml from expanding
  ${...} placeholders in the registry setting.
- Preserves env expansion for trusted user/global/CLI/env config so
  existing token and registry setup flows continue to work.

Backport of pnpm/pnpm#12291 (CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r) to v10.

* fix(security): verify npm registry signature before spawning a package-manager binary

The packageManager field (and pnpm self-update) makes pnpm download and
run a specific pnpm version. The staged install's bytes were trusted
based on lockfile integrity alone, which proves nothing when the inputs
are repository-controlled.

pnpm now verifies the npm registry signature of the engine it is about
to spawn, over the installed integrity, against npm's public signing
keys embedded in the pnpm CLI (exactly as corepack does):

- verifyPnpmEngineIdentity() checks pnpm/@pnpm/exe and the materialized
  platform binaries of the staged install before it is linked into the
  tools directory.
- Fails closed: any verification failure, including an unreachable
  registry, refuses the version switch rather than running an unverified
  binary. Runs only on a tools-directory cache miss (an actual
  download).
- The embedded keys live in a generated file kept in sync with npm's
  keys endpoint by scripts/update-npm-signing-keys.mjs; the release
  workflow runs the check as a gate so a key rotation cannot silently
  break verification.

Backport of pnpm/pnpm#12292 (CAND-PNPM-097) to v10.

* fix: harden package-manager bootstrap metadata

Resolve package-manager bootstrap traffic through trusted user/CLI
registries and trusted network config, defaulting to the public npm
registry instead of project/workspace registry settings:

- getConfig() now computes packageManagerRegistries and
  packageManagerNetworkConfig from trusted config sources only (CLI
  options, env config, user and global .npmrc) — never the repository's
  project/workspace .npmrc or pnpm-workspace.yaml.
- switchCliVersion() applies that bootstrap config when installing and
  verifying the wanted pnpm version, so repository .npmrc
  proxy/TLS/registry values cannot steer package-manager bootstrap
  traffic.

Backport of pnpm/pnpm#12296 to v10. The v11 env-lockfile validation
parts do not apply: v10 bootstraps the wanted version through a staged
child install instead of an env lockfile.

* fix(security): verify Node.js runtime SHASUMS OpenPGP signature

When a repository requests a Node.js runtime (useNodeVersion or an
execution env), pnpm downloads and then executes a Node binary. The
download mirror is repository-configurable via node-mirror:<channel> in
project .npmrc, and the integrity came from SHASUMS256.txt fetched from
that same mirror — a circular check a malicious mirror can satisfy with
a tampered binary and matching hashes.

pnpm now fetches SHASUMS256.txt.sig and verifies its detached OpenPGP
signature against the Node.js release team's public keys, embedded in
the pnpm CLI, before trusting the hashes:

- @pnpm/crypto.shasums-file: new fetchVerifiedNodeShasums /
  fetchVerifiedNodeShasumsFile verify the signature via openpgp against
  the embedded keys (generated src/nodeReleaseKeys.ts, mirrored from
  the canonical nodejs/release-keys list).
- @pnpm/node.fetcher verifies the configurable-mirror SHASUMS for the
  release channel; pre-release channels (rc, nightly, ...) are unsigned
  by Node and remain unverified.
- scripts/update-node-release-keys.mjs keeps the keys current
  (pnpm run check:node-release-keys / update:node-release-keys), and
  the release workflow runs the check as a gate.

Backport of pnpm/pnpm#12295 to v10 (without the pacquet Rust port,
which does not exist on this branch).

* test(env): sign the SHASUMS fixture for Node.js download tests

The Node.js download tests exercise the release channel, whose
SHASUMS256.txt is now signature-verified. Sign the fixture with a
generated OpenPGP key and trust it through the new
trustedNodeReleaseKeys test seam (threaded from plugin-commands-env via
@pnpm/node.fetcher to fetchVerifiedNodeShasums), so the tests keep
exercising the verification path instead of bypassing it.

* fix(self-updater): redact registry credentials from engine identity errors

Registry URLs may legally embed basic-auth credentials
(https://user:pass@host/). verifyPnpmEngineIdentity() interpolated the
packument URL and registry URL into PnpmError messages, and the
unreachable-registry path surfaced fetch-layer error messages that embed
the request URL — all of which land in terminal output and CI logs.
Strip URL credentials from every error message and truncate the non-200
response body.

* fix: update vulnerable transitive dependencies

Override shell-quote to >=1.8.4 (GHSA-w7jw-789q-3m8p, critical, pulled
in via concurrently) so the audit workflow passes again. The advisory
was published after the last release/10 audit run; it is unrelated to
the security backports on this branch.
2026-06-10 08:01:14 +02:00
Zoltan Kochan
df3b5065be ci(release): pin Node 20 for v10 release workflow (#11997)
The `pnpm/bundle` step runs `ts-node bundle.ts`, which transitively
loads `esm@3.2.25` (via `publish-packed` → `all-module-paths` → `esm`).
That package monkey-patches Node internals removed in Node 22+. The
release workflow runs on `ubuntu-latest` and was relying on the
runner's default Node; GitHub bumping that default between 10.33.4
and 10.34.0 silently broke the publish phase.

Pin Node 20 — the last release line `esm@3.2.25` still works on — and
drop `continue-on-error` from the Publish step so future failures fail
the workflow instead of hiding behind a green check.
2026-05-27 16:52:39 +02:00
Zoltan Kochan
8be85cbbd6 ci(release): clone ldid from ProcursusTeam GitHub mirror (#11990)
The upstream `https://gitlab.com/opensource-saurik/ldid.git` is no
longer publicly accessible (returns 401 / redirects to sign-in), so
`git clone` prompts for a username and fails non-interactively with
`could not read Username for 'https://gitlab.com'`. This blocks every
v10 release.

`ProcursusTeam/ldid` is a maintained GitHub fork that contains the
exact commit the workflow pins (c2f8abf), and the libplist submodule
already points at github.com, so a one-line URL swap is the full fix.

---
Written by an agent (Claude Code, claude-opus-4-7).
2026-05-27 15:23:42 +02:00
Zoltan Kochan
198fb7c7b6 chore: update branch references after v10 → release/10 rename 2026-05-05 00:18:03 +02:00
Zoltan Kochan
335cd8e96a ci: update action-setup 2026-04-21 20:31:40 +02:00
Zoltan Kochan
2ac43de3f7 ci: update pnpm/action-setup to v6.0.2 2026-04-18 15:27:11 +02:00
Zoltan Kochan
874730fd51 revert: "chore: update pnpm to v11 rc 0"
This reverts commit ee20cffdfc.
2026-04-14 10:31:41 +02:00
Zoltan Kochan
ee20cffdfc chore: update pnpm to v11 rc 0 2026-04-14 10:20:26 +02:00
Zoltan Kochan
78dc1e8261 ci: add benchmark job 2026-02-17 15:08:04 +01:00
Zoltan Kochan
02476121b8 ci: increase timeout for pnpm install step 2025-12-23 12:30:34 +01:00
Zoltan Kochan
c8c04c07c4 ci: checkout a known good commit of ldid 2025-11-11 23:19:01 +01:00
Zoltan Kochan
ea5cb619ba ci: run all tests on the v10 branch 2025-10-28 22:00:52 +01:00
Zoltan Kochan
d9bcd616ea chore(release): 10.19.1-oidc-test.3 2025-10-24 01:36:02 +02:00
Zoltan Kochan
ddf6fa4812 ci: remove printing of npm version 2025-10-23 11:59:23 +02:00
Zoltan Kochan
f5b02ff88a ci: update release.yml 2025-10-23 11:28:11 +02:00
Zoltan Kochan
ac5c335686 chore: update npm in the release workflow 2025-10-23 11:10:44 +02:00
Zoltan Kochan
eb0df0dca1 chore(release): 10.19.1-oidc-test.1 2025-10-23 10:56:22 +02:00
Zoltan Kochan
51119529a2 ci: enable trusted publish 2025-10-23 10:30:03 +02:00
Ryo Matsukawa
5ebc45bcc2 chore: pin actions for security (#10111) 2025-10-22 13:36:19 +02:00
dependabot[bot]
a9257e34be chore(deps): bump actions/setup-node from 5 to 6 in the github-actions group (#10106)
* chore(deps): bump actions/setup-node in the github-actions group

Bumps the github-actions group with 1 update: [actions/setup-node](https://github.com/actions/setup-node).


Updates `actions/setup-node` from 5 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

* Apply suggestion from @ryo-manba

Co-authored-by: Ryo Matsukawa <76232929+ryo-manba@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zoltan Kochan <z@kochan.io>
Co-authored-by: Ryo Matsukawa <76232929+ryo-manba@users.noreply.github.com>
2025-10-21 15:18:13 +02:00
Zoltan Kochan
3321cb05f8 ci: run tests on Node.js 25 2025-10-15 21:52:21 +02:00
dependabot[bot]
f3195f0de8 chore(deps): bump the github-actions group with 2 updates (#10085)
Bumps the github-actions group with 2 updates: [pnpm/action-setup](https://github.com/pnpm/action-setup) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `pnpm/action-setup` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/v4.1.0...v4.2.0)

Updates `github/codeql-action` from 3 to 4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-13 14:15:58 +02:00
dependabot[bot]
7be9e9d1af chore(deps): bump actions/setup-node in the github-actions group (#9951)
Bumps the github-actions group with 1 update: [actions/setup-node](https://github.com/actions/setup-node).


Updates `actions/setup-node` from 4 to 5
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-08 15:34:56 +02:00
dependabot[bot]
077a569307 chore(deps): bump actions/checkout in the github-actions group (#9901)
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4 to 5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-02 17:51:20 +02:00
Brandon Cheng
0cb3b7a3e7 ci: prevent double builds for pull requests in original repo (#9614) 2025-06-08 12:22:01 +02:00
dependabot[bot]
bffe53896b chore(deps): bump pnpm/action-setup in the github-actions group (#9520)
Bumps the github-actions group with 1 update: [pnpm/action-setup](https://github.com/pnpm/action-setup).


Updates `pnpm/action-setup` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/v4...v4.1.0)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-12 14:55:46 +02:00
Zoltan Kochan
57be95602b ci: test on Node.js 24 2025-05-08 15:48:02 +02:00
Brandon Cheng
34738e00e5 revert: use Git LFS for pnpm development (#9254)
* Revert "docs: update CONTRIBUTING.md for Git LFS (#8647)"

This reverts commit ccf5fbc1b2.

* Revert "chore: use Git LFS for pnpm development (#8509)"

This reverts commit 5fea44486e.
2025-03-09 22:29:36 +01:00
Zoltan Kochan
31fdf358ac ci: update pnpm/action-setup to v4.1.0 2025-02-06 22:34:42 +01:00
Zoltan Kochan
a70a355c52 ci: new versions should be tagged with latest-10
close #9031
2025-02-03 22:10:16 +01:00
Ryan
cb33ff59d2 ci: update winget releaser action (#8985) 2025-01-26 12:02:14 +01:00
Zoltan Kochan
4ca321903c ci: print only the major Node.js version in the job name 2025-01-10 13:24:05 +01:00
Zoltan Kochan
ab74e6a169 ci: pin Node.js versions
Sometimes new versions of Node.js make pnpm fail. We are spending more time than needed to investigate such issues because we cannot know that a new Node.js version got installed in CI
2025-01-09 01:56:29 +01:00
Zoltan Kochan
b8cdd8c2b1 ci: change the if conditions for branch checks 2024-11-03 02:32:37 +01:00
Zoltan Kochan
6104a2c965 ci: specifying timeouts for steps 2024-11-02 12:26:54 +01:00
Zoltan Kochan
4d18ac7a4b ci: rename audit job 2024-10-26 12:40:44 +02:00
Zoltan Kochan
d245aec4b4 ci: create a separate audit job (#8702) 2024-10-26 12:34:19 +02:00
Brandon Cheng
5fea44486e chore: use Git LFS for pnpm development (#8509)
* chore: set up git-lfs hooks

* ci: checkout lfs files on CI

According to https://github.com/actions/checkout, checkout out LFS files
defaults to false.

* chore: track .tgz files in Git LFS
2024-10-14 08:49:30 +02:00
Zoltan Kochan
fc7eed08c5 ci: update lplist location 2024-10-02 13:49:56 +02:00
Zoltan Kochan
e08c416cfd ci: install Node.js with pnpm (#8419) 2024-08-14 11:51:48 +02:00
btea
cb91ae62be chore: add packageManager field (#8399)
* chore: add `packageManager` field

* fix: ci

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2024-08-14 02:38:08 +02:00
Zoltan Kochan
7329b9afc4 ci: test on Node.js 22 (#8010) 2024-07-25 16:45:47 +02:00
dependabot[bot]
cca56c0c6c chore(deps): bump pnpm/action-setup in the github-actions group (#8078)
Bumps the github-actions group with 1 update: [pnpm/action-setup](https://github.com/pnpm/action-setup).


Updates `pnpm/action-setup` from 3.0.0 to 4.0.0
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/v3.0.0...v4.0.0)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-13 16:41:49 +02:00
dependabot[bot]
f97ff6bf16 chore(deps): bump the github-actions group with 6 updates (#8008)
Bumps the github-actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `4` |
| [actions/setup-node](https://github.com/actions/setup-node) | `3` | `4` |
| [github/codeql-action](https://github.com/github/codeql-action) | `2` | `3` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `1` | `2` |
| [bluwy/release-for-reddit-action](https://github.com/bluwy/release-for-reddit-action) | `1` | `2` |
| [cbrgm/mastodon-github-action](https://github.com/cbrgm/mastodon-github-action) | `1` | `2` |


Updates `actions/checkout` from 3 to 4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

Updates `actions/setup-node` from 3 to 4
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3...v4)

Updates `github/codeql-action` from 2 to 3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)

Updates `softprops/action-gh-release` from 1 to 2
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2)

Updates `bluwy/release-for-reddit-action` from 1 to 2
- [Release notes](https://github.com/bluwy/release-for-reddit-action/releases)
- [Changelog](https://github.com/bluwy/release-for-reddit-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/bluwy/release-for-reddit-action/compare/v1...v2)

Updates `cbrgm/mastodon-github-action` from 1 to 2
- [Release notes](https://github.com/cbrgm/mastodon-github-action/releases)
- [Commits](https://github.com/cbrgm/mastodon-github-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: bluwy/release-for-reddit-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: cbrgm/mastodon-github-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-24 15:40:29 +02:00
Zoltan Kochan
8f320421d4 ci(release): update tag 2024-04-16 12:46:09 +02:00
Zoltan Kochan
2f314ab8fe chore(release): 9.0.0-rc.2 2024-04-13 18:52:14 +02:00
Zoltan Kochan
3c7c0926f6 ci: update pnpm/action-setup to v3.0.0 2024-02-08 11:35:42 +01:00
Zoltan Kochan
7a8e342ba9 ci: update pnpm/action-setup to v3.0.0 2024-02-08 11:34:55 +01:00
Zoltan Kochan
5b671fc922 ci: use pnpm v9 2024-01-08 19:34:46 +01:00
Zoltan Kochan
43cdd87c0c feat!: drop Node.js 16 support 2024-01-08 11:57:44 +01:00