Skip to content

chore(ui): upgrade pnpm to 11 and harden supply-chain defaults #11225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pfe-nazaries merged 11 commits into from
May 28, 2026

ci: re-trigger workflows

f498250
Select commit
Loading
Failed to load commit list.
Merged

chore(ui): upgrade pnpm to 11 and harden supply-chain defaults #11225

ci: re-trigger workflows
f498250
Select commit
Loading
Failed to load commit list.
StepSecurity Actions Security / StepSecurity Required Checks succeeded May 27, 2026 in 0s

StepSecurity Required Checks

Finished StepSecurity Required Checks

  • PyPI Package Cooldown Check - Fails if any PyPI package version in the PR was released within the configured cooldown period
  • Pwn Request Vulnerabilities Check - Checks for Pwn Request vulnerabilities in the PR via risky triggers
  • Script Injection Check - Checks for script injection vulnerabilities in the PR
  • NPM Compromised Packages Check - Checks for compromised npm package versions in the PR
  • NPM Package Cooldown Check - Fails if any package version in the PR was released within the configured cooldown period, helping to avoid brand-new (and potentially unreviewed or malicious) releases
  • PyPI Compromised Packages Check - Checks for compromised PyPI package versions in the PR

Details

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

✅ NPM Compromised Packages Check

No Compromised npm packages are added in current PR.

✅ PyPI Compromised Packages Check

No compromised PyPI package versions found in current PR.

✅ PyPI Package Cooldown Check

No PyPI package upgrades to recent releases found in current PR.

✅ NPM Package Cooldown Check

No npm package upgrades to recent releases found in current PR.

The following npm packages are inspected in current PR

Package Name Previous Version Current Version file Current Version Release Date
pnpm 11.1.3 ui/package.json 2026-05-18T14:07:05Z
express-rate-limit 8.5.1 ui/pnpm-lock.yaml 2026-05-06T14:23:28Z
express-rate-limit 8.5.1 ui/pnpm-workspace.yaml 2026-05-06T14:23:28Z
hono 4.12.18 4.12.18 ui/pnpm-lock.yaml 2026-05-06T11:32:30Z
hono 4.12.18 ui/pnpm-workspace.yaml 2026-05-06T11:32:30Z
uuid 11.1.1 ui/pnpm-workspace.yaml 2026-04-29T15:17:24Z
@hono/node-server 1.19.14 ui/pnpm-workspace.yaml 2026-04-13T01:20:00Z
lodash-es 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:04:15Z
lodash 4.18.1 ui/pnpm-workspace.yaml 2026-04-01T21:01:20Z
serialize-javascript 7.0.5 7.0.5 ui/pnpm-lock.yaml 2026-03-25T14:24:36Z
serialize-javascript 7.0.5 ui/pnpm-workspace.yaml 2026-03-25T14:24:36Z
ajv 8.18.0 ui/pnpm-lock.yaml 2026-02-14T15:41:17Z
qs 6.14.2 ui/pnpm-workspace.yaml 2026-02-11T23:39:28Z
@isaacs/brace-expansion 5.0.1 ui/pnpm-workspace.yaml 2026-02-03T17:40:11Z
jsdom 27.4.0(@noble/hashes@1.8.0) 27.4.0 ui/pnpm-lock.yaml 2025-12-26T10:56:39Z
html-encoding-sniffer 6.0.0(@noble/hashes@1.8.0) 6.0.0 ui/pnpm-lock.yaml 2025-12-26T03:54:44Z
@internationalized/date 3.10.0 ui/pnpm-workspace.yaml 2025-10-02T19:29:17Z
@react-types/shared 3.26.0 ui/pnpm-workspace.yaml 2024-11-21T16:21:23Z
✅ Script Injection Vulnerabilities Check

No Script Injection vulnerabilities found in this PR.

✅ Pwn Request Vulnerabilities Check

No Pwn Request vulnerabilities found in this PR.

⏲️ History

Previous invocation results of same check:

View more details on StepSecurity Actions Security