Skip to content

Infrastructure Upgrade: PNPM Migration & Security Hardening#5

Merged
PatrickSys merged 3 commits intomasterfrom
chore/infrastructure-upgrade
Jan 1, 2026
Merged

Infrastructure Upgrade: PNPM Migration & Security Hardening#5
PatrickSys merged 3 commits intomasterfrom
chore/infrastructure-upgrade

Conversation

@PatrickSys
Copy link
Owner

@PatrickSys PatrickSys commented Jan 1, 2026
edited
Loading

Summary

Migrated the project to pnpm, implemented comprehensive supply chain protections, and resolved identified security vulnerabilities.

Key Changes

  • Package Management: Successfully migrated to pnpm@10.27.0.
  • Security Hardening:
    • Implemented a minimum-release-age of 1440 minutes (24-hour delay) in pnpm-workspace.yaml to mitigate "zero-day" supply chain attacks.
    • Enabled store integrity verification to ensure package authenticity.
    • Enforced the exclusive use of pnpm via the only-allow utility.
    • Integrated pnpm audit into the CI/CD pipeline for continuous vulnerability monitoring.
  • Vulnerability Resolutions:
  • Upgraded @modelcontextprotocol/sdk to version 1.25.1.
  • Updated vitest to version 4.0.16 to address the known esbuild security advisory.
  • General Fixes:
    • Resolved the TS2742 compiler error regarding Server type annotations in index.ts.

@PatrickSys
chore: migrate from npm to pnpm (Phase 1)
0c6873f 
- Enable corepack with packageManager field (pnpm@10.27.0)

- Generate pnpm-lock.yaml from package-lock.json

- Add explicit zod dependency (phantom dep exposed by pnpm strict mode)

- Add MCPServer type annotation to fix TS2742 inference error

- Update CI workflow to use pnpm/action-setup
@PatrickSys
refactor: clean up Server type annotation in index.ts
9c536b7
@PatrickSys PatrickSys changed the title Infrastructure Upgrade: PNPM Migration (Phase 1) Infrastructure Upgrade: PNPM Migration Jan 1, 2026
@PatrickSys
security: implement supply chain protections
3680360 
- Add minimumReleaseAge (24h) and store integrity checks in pnpm-workspace.yaml

- Enforce pnpm usage via only-allow preinstall script

- Add pnpm audit to CI workflow

- Resolve known vulnerabilities in @modelcontextprotocol/sdk and vitest/esbuild
@PatrickSys PatrickSys changed the title Infrastructure Upgrade: PNPM Migration Infrastructure Upgrade: PNPM Migration & Security Hardening Jan 1, 2026
@PatrickSys PatrickSys merged commit 08de9b6 into master Jan 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@PatrickSys