pnpm/deny.toml
Zoltan Kochan 763ddf1c99 chore(pacquet): wire pacquet workflows into monorepo (#11635)
* chore(pacquet): wire pacquet workflows into monorepo

Move Cargo workspace, Rust toolchain configs, justfile, composite actions,
and 7 workflow files out of `pacquet/` and up to the repo root so:

  - cargo / just / taplo run from repo root, the way the rest of the
    monorepo's tooling does
  - GitHub Actions actually discovers the workflows (it only reads
    `.github/workflows/` at the repo root)

Workflows are prefixed with `pacquet-` and renamed to "Pacquet ..." so
they don't collide with the existing pnpm CI. Path filters are scoped
to `pacquet/**` so they don't trigger on every commit. The cargo entry
from pacquet's standalone `dependabot.yml` is folded into the root one;
pacquet's `CODEOWNERS` and `pull_request_template.md` are dropped because
the root copies supersede them.

Path rewrites:
  - `Cargo.toml` workspace members → `pacquet/crates/*`, `pacquet/tasks/*`
  - all path-deps in `[workspace.dependencies]` → `pacquet/...`
  - `justfile` recipes (`install`, `install-hooks`) point at `pacquet/...`
  - `.taplo.toml` include globs → `pacquet/crates/*/*.toml`, `pacquet/tasks/*/*.toml`
  - `pacquet/npm/pacquet/scripts/generate-packages.mjs` REPO_ROOT walks one
    more level up
  - workflow `paths:` filters, `hashFiles(...)`, and shell paths all updated

Verified: `cargo metadata` resolves the workspace, `cargo fmt --check`
clean, `taplo format --check` picks up all 26 Cargo.tomls, `actionlint`
reports no new issues (the `type:`-on-input warnings on the rustup action
predate this move).

* chore(pacquet): drop pnpm version pin from pacquet CI workflows

The monorepo's root `package.json` declares `pnpm@11.1.1` under
`packageManager`, which conflicts with the workflows' explicit
`version: 11.0.0-rc.5` and trips `pnpm/action-setup` ERR_PNPM_BAD_PM_VERSION.

The pin was a pacquet-era workaround for the v9 lockfile while pnpm 11
was still pre-release. Stable 11.x writes v9 too, so let action-setup
read the version from `packageManager` like every other workflow in
this repo does.

* chore(pacquet): use pnpm/setup matching the rest of the monorepo

Replaces `pnpm/action-setup@v6` with the same `pnpm/setup@b1cac3...`
SHA the rest of pnpm/pnpm uses (release.yml, test.yml, ci.yml,
benchmark.yml, audit.yml). Reads pnpm version from `packageManager`
in root package.json, and skips the implicit `pnpm install` since
pacquet does its own scoped install via `just install` (which only
touches `pacquet/tasks/registry-mock/`).

The release workflow now also installs Node via the same action
(`runtime: node@22`) instead of via `pnpm runtime -g set node 22`,
since pnpm/setup handles runtimes in one step.

* chore(pacquet): tighten permissions and Dependabot cooldown

Address zizmor warnings on the pacquet CI changes:

  - `dependabot.yml`: the cargo entry I added in the previous commit
    inherited from pacquet's standalone repo and is missing the
    `cooldown: default-days: 7` the github-actions entry uses. Add it
    so cargo and github-actions debounce updates consistently.

  - `pacquet-ci.yml`, `pacquet-codecov.yml`, `pacquet-cargo-unused.yml`
    lacked a top-level `permissions:` block, so GITHUB_TOKEN inherited
    the repo default. Declare `contents: read` — every job in these
    workflows only reads the repo and runs local checks.

The other four pacquet workflows already declare permissions
explicitly (integrated-benchmark/comment, micro-benchmark, release).

* chore(pacquet): add "reimagining" to cspell dictionary

cspell at the repo root scans all `**/README.md` and was rejecting
`pacquet/README.md` and `pacquet/npm/pacquet/README.md`, which describe
pacquet as "not a reimagining of pnpm." Add the word to the existing
allow-list rather than rewording two READMEs imported from a separate
repo.

* fix(pacquet): prefix workspace-relative paths with pacquet/

Two Rust source files looked up paths off the cargo workspace root
(`cargo locate-project --workspace`), which now resolves to the
monorepo root rather than the pacquet directory. Add the `pacquet/`
prefix:

  - `tasks/registry-mock/src/dirs.rs` — `registry_mock()` was
    pointing the node launcher at `<repo>/tasks/registry-mock/launch.mjs`
    instead of `<repo>/pacquet/tasks/registry-mock/launch.mjs`, which
    failed every Pacquet CI test job ("Cannot find module ...launch.mjs").
  - `tasks/micro-benchmark/src/main.rs` — same idea for the
    fixtures folder.
2026-05-14 18:17:45 +02:00


# Configuration for cargo-deny (https://embarkstudios.github.io/cargo-deny/).
# The schema evolves fast; fields follow the 0.19+ format.
# --- Graph ---------------------------------------------------------------
[graph]
# No target filter: with an empty list cargo-deny walks the graph for every
# target, so platform-specific dependencies are checked as well.
targets = []
# Resolve with the workspace's default features only: neither all features
# nor a feature-less graph. Crates pulled in only by non-default features are
# therefore outside the advisory/license/ban checks below.
no-default-features = false
all-features = false
# --- Output --------------------------------------------------------------
[output]
# Depth of the feature tree printed in inclusion-graph diagnostics; 1 keeps
# reports short while still naming the feature that pulled a crate in.
feature-depth = 1
# --- Advisories ----------------------------------------------------------
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
db-urls = ["https://github.com/rustsec/advisory-db"]
db-path = "~/.cargo/advisory-db"
# Yanked crates: "deny" | "warn" | "allow". A yank is frequently the first
# public signal that a release is broken or compromised; at "warn" a yanked
# lockfile entry does not fail the check. Consider "deny" once the current
# lockfile is known to be clean.
yanked = "warn"
# Scope of RUSTSEC unmaintained advisories: "all" | "workspace" |
# "transitive" | "none". "workspace" covers only crates the workspace depends
# on directly, so an unmaintained transitive dependency is not reported.
unmaintained = "workspace"
# Accepted risks. Every entry carries a `reason` and a revisit trigger; both
# entries below expire as soon as reqwest consumes hickory-proto 0.26.
ignore = [
# Shared background for both hickory-proto 0.25.2 advisories: the crate is a
# transitive dependency via reqwest 0.13.x -> hickory-resolver 0.25.x. The
# reqwest 0.13 line has not moved to hickory-proto 0.26, so `cargo update`
# cannot resolve either advisory. The only ways out are an upstream reqwest
# release on hickory 0.26, or dropping reqwest's `hickory-dns` feature, which
# would regress the macOS `mDNSResponder` / `EAI_NONAME` workaround from #302.
#
# RUSTSEC-2026-0118: unbounded loop in the NSEC3 closest-encloser proof in
# `DnssecDnsHandle`. That code is compiled in only when hickory-proto has the
# `dnssec-ring` or `dnssec-aws-lc-rs` feature; reqwest's `hickory-dns` feature
# enables neither, so pacquet never links it. The advisory itself states
# "No safe upgrade is available" for the 0.25 line.
# NOTE(review): Cargo unifies features across the whole dependency graph, so
# this argument holds only while no other crate in the lockfile turns on
# either DNSSEC feature. Re-check with `cargo tree -e features -i hickory-proto`
# whenever dependencies change.
{ id = "RUSTSEC-2026-0118", reason = "DNSSEC validation path is not linked: reqwest's `hickory-dns` feature does not enable hickory-proto's `dnssec-ring`/`dnssec-aws-lc-rs` features, and no fix exists on the 0.25 line." },
# RUSTSEC-2026-0119: O(n²) name compression in `BinEncoder` while encoding
# DNS messages. The encoder runs whenever reqwest's `hickory-dns` resolver
# builds an outbound query for a registry hostname pacquet resolves. Those
# hostnames come from `.npmrc`, so in an untrusted-checkout / untrusted-CI
# scenario the input is attacker-influenced and the exposure is a CPU-time
# DoS inside the resolver. Accepted temporarily because no upgrade is
# reachable: reqwest 0.13.x (latest 0.13.3) is locked to `hickory-resolver`
# 0.25 and the fix ships only in `hickory-proto` 0.26.1+. Revisit when
# reqwest moves to hickory 0.26.
{ id = "RUSTSEC-2026-0119", reason = "Temporary risk acceptance: reqwest 0.13.x (latest 0.13.3) is locked to hickory-resolver 0.25 and no release consumes hickory-proto 0.26.1+ yet; revisit on reqwest upgrade." },
]
# --- Licenses ------------------------------------------------------------
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
[licenses]
# SPDX identifiers accepted anywhere in the graph (sorted). Annotate every
# non-obvious entry with the crate that needs it so it can be dropped later.
allow = [
"Apache-2.0",
"BSD-3-Clause",
"BSL-1.0",
"CDLA-Permissive-2.0", # `webpki-root-certs`, pulled in by reqwest's `rustls` feature
"ISC",
"MIT",
"MPL-2.0", # required by mockito, used by crates/tarball tests and tasks/micro-benchmark
"Unicode-3.0", # newer ICU crates switched from Unicode-DFS-2016 to this
"Unicode-DFS-2016",
"Zlib", # required by foldhash, a transitive dep of rusqlite
]
# Minimum confidence for a license inferred from license text rather than
# read from a crate's declared SPDX expression.
confidence-threshold = 0.8
# Per-crate allowances for licenses that are not globally allowed.
# NOTE(review): `OpenSSL` is not in `allow` and there is no exception for
# `ring`, yet the clarification below declares ring as
# `MIT AND ISC AND OpenSSL` (an AND expression needs every term allowed).
# Whether ring is in the resolved graph is not visible from this file, but if
# it is and its LICENSE matches the recorded hash, this check fails on ring;
# either add `{ name = "ring", allow = ["OpenSSL"] }` here or drop the
# clarification.
exceptions = []
# Pin ring's license expression explicitly. cargo-deny applies this only when
# the crate's LICENSE file matches the hash; otherwise the clarification is
# ignored and the license is detected from the file contents as usual.
[[licenses.clarify]]
name = "ring"
version = "*"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
{ path = "LICENSE", hash = 0xbd0eed23 },
]
# Unpublished workspace crates are still license-checked, and no private
# registries are declared.
[licenses.private]
ignore = false
registries = []
# --- Bans ----------------------------------------------------------------
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
# Duplicate versions of one crate only warn: the report stays visible without
# blocking CI on transitive version skew.
multiple-versions = "warn"
# Highlight both the lowest version and the simplest path in the duplicate
# inclusion graph.
highlight = "all"
# `*` version requirements are accepted.
wildcards = "allow"
# Default features may be enabled on workspace and external crates alike.
workspace-default-features = "allow"
external-default-features = "allow"
# No explicit crate allow/deny lists, and nothing excluded from the
# duplicate-version check.
allow = []
deny = []
skip = []
skip-tree = []
# --- Sources -------------------------------------------------------------
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
# crates.io is the only known registry and no git sources are allow-listed.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
# A crate from a registry or git URL not listed above is reported at "warn"
# level, which does not fail the check. As a supply-chain control this is
# advisory only; switch both to "deny" once the lockfile is confirmed to
# contain crates.io sources exclusively.
unknown-registry = "warn"
unknown-git = "warn"
# No whole-organisation git allowances on any forge.
allow-org.github = []
allow-org.gitlab = []
allow-org.bitbucket = []