
Commit 21de817

chore(deps): security hardening (#4551)
1 parent b15d96e commit 21de817


6 files changed

+86
-1
lines changed


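--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -15,6 +15,21 @@
 matchUpdateTypes: ["minor", "patch", "pin", "digest"],
 automerge: true,
 },
+{
+// disallow automerge for onlyBuiltDependencies
+matchPackageNames: [
+"@tree-sitter-grammars/tree-sitter-yaml",
+"bcrypt",
+"better-sqlite3",
+"cpu-features",
+"esbuild",
+"sharp",
+"ssh2",
+"tree-sitter",
+"tree-sitter-json",
+],
+automerge: false,
+},
 ],
 updateInternalDeps: true,
 rangeStrategy: "bump",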
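Review bot: The new `automerge: false` rule only has effect because it sits after the `matchUpdateTypes` rule above it; Renovate evaluates packageRules in order and the last matching rule's `automerge` value wins, so someone reordering the array would silently restore automerge for these native-build packages and nothing in the config says so. The comment at the top of the block should carry that constraint: `// disallow automerge for onlyBuiltDependencies — keep after the automerge: true rule above (later packageRules override earlier ones)`. The package list is also a hand-maintained copy of package.json's onlyBuiltDependencies; the test added in this commit catches entries missing here, but a name that no longer exists in package.json would linger unnoticed, which is worth a second comment line.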

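--- a/.npmrc
+++ b/.npmrc
@@ -3,3 +3,4 @@
 # @link https://docs.expo.dev/guides/monorepos/#common-issues
 node-linker=hoisted
 strict-peer-dependencies=false
+engine-strict=true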

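--- a/package.json
+++ b/package.json
@@ -50,6 +50,7 @@
 "conventional-changelog-conventionalcommits": "^9.1.0",
 "cross-env": "^10.1.0",
 "jsdom": "^27.2.0",
+"json5": "^2.2.3",
 "prettier": "^3.6.2",
 "semantic-release": "^25.0.2",
 "testcontainers": "^11.8.1",
@@ -60,7 +61,8 @@
 },
 "packageManager": "[email protected]",
 "engines": {
-"node": ">=24.11.1"
+"node": ">=24.11.1",
+"pnpm": ">=10.22.0"
 },
 "pnpm": {
 "onlyBuiltDependencies": [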

pnpm-lock.yaml

Lines changed: 42 additions & 0 deletions

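--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -2,3 +2,5 @@ packages:
 - apps/*
 - packages/*
 - tooling/*
+
+minimumReleaseAge: 4320 # Only download deps if they are at least 3 days old (in minutes)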
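Review bot: The 3-day quarantine on `minimumReleaseAge` also delays security fixes: a patched release published less than 72 hours ago cannot be installed until the window elapses, so responding to a critical advisory means either waiting or temporarily lowering this value, and the comment should say so. Suggested wording: `# Only download deps if they are at least 3 days old (in minutes). Also delays security patches; lower temporarily for an urgent advisory.` If per-package exemptions are preferred over editing the global value, pnpm's `minimumReleaseAgeExclude` list can name packages that bypass the delay, provided the pnpm version pinned in package.json supports it.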

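--- /dev/null
+++ b/test/renovate.spec.ts
@@ -0,0 +1,23 @@
+import fs from "fs/promises";
+import { join } from "path";
+import json5 from "json5";
+import { describe, test } from "vitest";
+
+describe("Renovate configuration tests", () => {
+test("automerge should be disabled for onlyBuiltDependencies", async () => {
+const packageJson = await import("../package.json");
+const renovateConfig = await fs.readFile(join(__dirname, "../.github/renovate.json5"), "utf-8").then(json5.parse);
+const onlyBuiltDependencies = packageJson.pnpm.onlyBuiltDependencies;
+const automergeDisabledDeps = renovateConfig.packageRules
+.filter((rule: any) => rule.automerge === false)
+.flatMap((rule: any) => rule.matchPackageNames || []);
+
+const missingDeps = onlyBuiltDependencies.filter((dep: string) => !automergeDisabledDeps.includes(dep));
+
+if (missingDeps.length > 0) {
+throw new Error(
+`The following onlyBuiltDependencies are missing automerge disable rules in renovate.json5: ${missingDeps.join(", ")}`,
+);
+}
+});
+});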
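Review bot: The `filter(rule.automerge === false)` / `includes` pair on lines 11–15 proves only that some rule mentions each dependency with automerge off, not that this is the effective setting: Renovate applies packageRules in order and a later matching rule overrides an earlier one, so moving the new block above the `matchUpdateTypes` rule in renovate.json5 would re-enable automerge for minor/patch updates while this test keeps passing. Folding the rules in order and asserting the resulting `automerge` value for each dependency closes that gap, and typing the rule shape removes the two `any` annotations. A rule without `matchPackageNames` is treated as matching every package, which over-approximates rules narrowed only by other matchers; for a guard test that errs on the safe side. The `json5.parse` result is still untyped, so the annotation on `rules` is an assumption about the config's shape rather than a check.
```typescript
// … unchanged: imports, describe/test header, packageJson and renovateConfig loading …
const rules: Array<{ automerge?: boolean; matchPackageNames?: string[] }> = renovateConfig.packageRules;
// Renovate applies packageRules in order; the last matching rule's automerge wins,
// so compute the effective value instead of checking that a disabling rule exists.
const effectiveAutomerge = (dep: string): boolean | undefined =>
  rules.reduce<boolean | undefined>((current, rule) => {
    const matches = rule.matchPackageNames === undefined || rule.matchPackageNames.includes(dep);
    return matches && rule.automerge !== undefined ? rule.automerge : current;
  }, undefined);

const missingDeps = onlyBuiltDependencies.filter((dep: string) => effectiveAutomerge(dep) !== false);
// … unchanged: error reporting …
```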
