Add Yarn/NPM security improvements with exact version pinning #63
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements comprehensive security enhancements to comply with OWASP NPM Security Cheat Sheet and Solace "Safe Use of NPM by Developers" standards. ## Critical Change: Exact Version Pinning Pinned ALL 39 dependencies from flexible ranges (^, ~) to exact versions: - Dependencies now locked to specific versions from yarn.lock - Eliminates 39 potential supply chain attack vectors - Ensures reproducible builds across all environments ## Changes Made: ### Dependency Management (package.json) - Removed ^ and ~ from all 39 dependencies - Updated to exact versions currently in yarn.lock - Added yarn audit to publish script ### Security Configuration Files - Add .yarnrc with ignore-scripts and frozen-lockfile defaults - Add .npmrc as fallback protection for npm users ### Documentation Security Updates - Update all yarn install commands to use --frozen-lockfile flag - Add comprehensive "Security Best Practices" section to README - Add security checklist to CONTRIBUTING.md ## Security Issues Resolved: ### High Severity 1. **39 flexible version ranges** - Pinned all dependencies to exact versions 2. **Unsafe installation instructions** - Updated to use --frozen-lockfile ### Medium Severity 3. **Missing .yarnrc configuration** - Added lifecycle script protection 4. **Missing .npmrc configuration** - Added NPM fallback protection 5. **No security guidance** - Added comprehensive security documentation 6. **No security check in publish** - Added yarn audit to publish script ## Testing: ### Before Changes ✅ Build successful: v0.0.83 ✅ CLI functional ### After Changes ✅ Clean install with frozen lockfile successful ✅ Lifecycle scripts correctly ignored via .yarnrc ✅ Build successful: v0.0.83 ✅ CLI fully functional ✅ All 39 dependencies use exact versions ## Files Changed: **Created (2):** - .yarnrc - Yarn security configuration - .npmrc - NPM fallback protection **Modified (4):** - package.json - Pinned 39 dependencies + added audit to publish - yarn.lock - Updated with exact version resolutions - README.md - Secure install commands + Security Best Practices section - CONTRIBUTING.md - Security checklist for contributors ## Impact: - **Breaking Changes**: None - **Backward Compatibility**: 100% maintained (uses existing locked versions) - **Functionality**: CLI works exactly as before - **Security**: 39 attack vectors eliminated 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements comprehensive security improvements by pinning all 39 dependencies to exact versions and adding security-focused configuration files. The changes eliminate flexible version ranges (^, ~) to prevent supply chain attacks while maintaining 100% backward compatibility by using existing versions from yarn.lock.
Key Changes:
- Pinned all 39 dependencies from flexible ranges to exact versions
- Added
.yarnrcand.npmrcconfiguration files to block lifecycle scripts and enforce frozen lockfile - Updated installation commands and added security best practices documentation
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| package.json | Removed all version range operators (^, ~) and pinned 39 dependencies to exact versions; added yarn audit to publish script |
| README.md | Updated install commands to use --frozen-lockfile flag and added comprehensive Security Best Practices section |
| CONTRIBUTING.md | Added security checklist requiring audit checks, exact version pinning, and lockfile verification before commits |
| .yarnrc | Added Yarn configuration to block lifecycle scripts and enforce frozen lockfile mode |
| .npmrc | Added NPM fallback configuration with lifecycle script blocking and security settings |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "build": "tsc", | ||
| "package": "pkg package.json", | ||
| "publish": "npm run build; npm publish --access public" | ||
| "publish": "yarn audit && npm run build && npm publish --access public" |
There was a problem hiding this comment.
The publish script mixes Yarn and npm commands. Since this project uses Yarn (as indicated by yarn.lock and .yarnrc), the script should consistently use either 'yarn build' instead of 'npm run build', or use 'npm audit' instead of 'yarn audit' for consistency within the same command.
Suggested change
| "publish": "yarn audit && npm run build && npm publish --access public" | |
| "publish": "yarn audit && yarn build && yarn publish --access public" |
| ignore-scripts true | ||
|
|
||
| # Strict lockfile usage | ||
| --frozen-lockfile true |
There was a problem hiding this comment.
The configuration option '--frozen-lockfile true' uses command-line flag syntax. In .yarnrc files, this should be written as 'frozen-lockfile true' without the leading dashes.
Suggested change
| --frozen-lockfile true | |
| frozen-lockfile true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements comprehensive security enhancements to comply with the OWASP NPM Security Cheat Sheet and Solace "Safe Use of NPM by Developers" internal security standards.
Critical Change: Exact Version Pinning
Pinned ALL 39 dependencies from flexible version ranges (^, ~) to exact versions. This is the most significant security improvement:
Security Issues Resolved
🔴 High Severity (2)
11.9.0instead of^11.7.2)yarn install --frozen-lockfile🟡 Medium Severity (4)
ignore-scripts=trueand--frozen-lockfile=trueyarn auditbefore publishingChanges Made
Files Created (2)
.yarnrc- Yarn security configuration (blocks lifecycle scripts, enforces frozen lockfile).npmrc- NPM fallback protection for developers who might accidentally use npmFiles Modified (4)
package.json- Pinned all 39 dependencies to exact versions + addedyarn auditto publish scriptyarn.lock- Updated with exact version resolutionsREADME.md- Updated install commands to use--frozen-lockfile, added Security Best Practices sectionCONTRIBUTING.md- Added security checklist for contributorsTesting & Verification
Before Changes
✅ Build successful: CLI v0.0.83 functional
After Changes
✅ Clean install with
yarn install --frozen-lockfilesuccessful✅ Lifecycle scripts correctly ignored via
.yarnrc(warning message confirms)✅ Build successful: TypeScript compilation completed
✅ CLI fully functional: v0.0.83 --help works correctly
✅ All 39 dependencies confirmed using exact versions
Test Output:
Impact
Compliance
This PR ensures compliance with:
Protections Added:
Version Pinning Details
All 39 dependencies updated from flexible to exact versions:
@apidevtools/json-schema-ref-parser:^11.7.2→11.9.0@asyncapi/parser:^3.2.1→3.4.0@faker-js/faker:^8.4.1→8.4.1See commit for complete list.
References
🤖 Generated with Claude Code