Merge pull request #1289 from w3bdesign/1286-pnpm-security-minimumreleaseage

Add .npmrc with security and dependency settings

Author: w3bdesign

.circleci/config.yml

@@ -41,7 +41,7 @@ jobs:
             sudo corepack prepare pnpm@latest-8 --activate
       - run:
           name: Install Dependencies
-          command: pnpm install --no-frozen-lockfile
+          command: pnpm install --frozen-lockfile
       - run:
           name: Chrome key start setup
           command: sudo apt update -y

.github/workflows/lighthouse.yml

@@ -32,7 +32,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Build project
         run: pnpm build

.github/workflows/pa11y.yml

@@ -38,11 +38,10 @@ jobs:
             ${{ runner.os }}-pnpm-store-
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
-      - name: Install dependencies and pa11y
+      - name: Create pa11y config
         run: |
-          pnpm add -D pa11y wait-on
           # Create pa11y config file
           echo '{"chromeLaunchConfig":{"args":["--no-sandbox"]}}' > .pa11y.json
 

.github/workflows/playwright.yml

@@ -18,7 +18,7 @@ jobs:
           node-version: 24
           cache: "pnpm"
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
       - name: Install Playwright Browsers
         run: pnpm exec playwright install --with-deps chromium firefox
       - name: Build the project

.npmrc

@@ -0,0 +1,19 @@
+# pnpm Security Configuration
+# Defense against supply chain attacks
+
+# Minimum Release Age: Packages must be at least 7 days old before installation
+# This prevents installing freshly compromised packages
+# Value is in minutes: 10080 = 7 days (7 * 24 * 60)
+minimum-release-age=10080
+
+# Registry configuration (using default npm registry which supports release timestamps)
+registry=https://registry.npmjs.org/
+
+# Strict peer dependencies for better dependency tree control
+strict-peer-dependencies=false
+
+# Auto-install peers to avoid manual peer dependency management
+auto-install-peers=true
+
+# Engine strict mode - fail if Node.js version doesn't match engines field
+engine-strict=true

AGENTS.md

@@ -14,6 +14,7 @@ This file provides guidance to agents when working with code in this repository.
 - **Sanity Defaults**: Hardcoded fallback values in client config (projectId: "41s7iutf", dataset: "production")
 - **E2E Test Structure**: Cypress tests in `src/e2e/cypress/`, Playwright in `src/e2e/playwright/` (not standard locations)
 - **Custom Refresh Script**: `pnpm refresh` does full cleanup including store prune and lock file removal
+- **Supply Chain Security**: 7-day minimum release age enforced via `.npmrc` and `renovate.json` - see Security section below
 
 ## Critical Commands
 

package.json

@@ -53,7 +53,7 @@
     "react-error-boundary": "^5.0.0",
     "react-hook-form": "^7.67.0",
     "react-icons": "^5.5.0",
-    "sanity": "4.19.0",
+    "sanity": "4.15.0",
     "sitemap": "^9.0.0",
     "tar-fs": "^3.1.1",
     "ts-node": "^10.9.2",
@@ -95,6 +95,7 @@
     "jest-environment-jsdom": "^30.2.0",
     "jest-extended": "^7.0.0",
     "jsdom-testing-mocks": "^1.16.0",
+    "pa11y": "^9.0.1",
     "postcss": "^8.5.6",
     "prettier": "3.7.3",
     "tailwindcss": "^4.1.17",

pnpm-lock.yaml

@@ -1,7 +1,11 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    "security:openssf-scorecard"
   ],
+  "minimumReleaseAge": "7 days",
+  "internalChecksFilter": "strict",
   "ignorePresets": [
     ":prHourlyLimit2",
     ":prConcurrentLimit20"