Migrate frontend/cordova to pnpm 11 + add CI #47
Open
Gabrielpanga wants to merge 1 commit into
Conversation
Last npm-only project in the frontend tree. Same pnpm 11
supply-chain hardening as the rest of the migrated projects.
package.json
- packageManager: pnpm@11.1.1
- engines: node >=24.0.0, pnpm >=11.0.0
- devEngines.runtime with onFail: error
- preinstall: pnpm audit && pnpm audit signatures
- lint:lockfile: pnpm install --frozen-lockfile
- lint / test / build: echo-only stubs with messages explaining why
CI can't really lint/test/build a Cordova project (www/ is plain
HTML/CSS/JS; cordova build ios needs Xcode on macOS)
pnpm-workspace.yaml — full safety stack:
- minimumReleaseAge: 20160 (14d)
- minimumReleaseAgeIgnoreMissingTime: true
- minimumReleaseAgeExclude: @pluggyai/*
- engineStrict: true
- trustPolicy: no-downgrade, trustPolicyIgnoreAfter 90d
- blockExoticSubdeps: true
- savePrefix: ""
- resolutionMode: highest
- allowBuilds: {} (no postinstall scripts in resolved tree)
.gitignore — block package-lock.json and yarn.lock
.npmrc removed
package-lock.json removed; pnpm-lock.yaml added
The previously Dependabot-flagged transitives (lodash, @xmldom/xmldom,
braces, minimatch) are present in the dep tree only because cordova-ios
pulls them in, but the pnpm-resolved versions are all patched
(`pnpm audit` reports 0 vulnerabilities).
CI workflow: install with preinstall audit + signatures, then run the
echo-only lint/test/build for parity with the other project workflows.
Summary
Last npm-only project in the frontend tree. Brings `frontend/cordova` onto the same pnpm 11 supply-chain hardening every other migrated project uses, plus adds the per-project CI workflow.
pnpm setup
`package.json`
`pnpm-workspace.yaml` — full safety stack: `minimumReleaseAge: 20160` (14d), `engineStrict`, `trustPolicy: no-downgrade` + 90d ignore, `blockExoticSubdeps`, `savePrefix: ""`, `resolutionMode: highest`, `minimumReleaseAgeExclude: ['@pluggyai/*']`, `allowBuilds: {}`.
`.gitignore` — blocks `package-lock.json` and `yarn.lock`. `.npmrc` removed.
Why no overrides / minimumReleaseAgeExclude entries for the source-level findings
Dependabot's open alerts against this project's old `package-lock.json` flagged `lodash`, `@xmldom/xmldom`, `braces`, `minimatch` as high. All four are transitives of `cordova-ios@7.0.0` (via `cordova-common`, `plist`, `fast-glob`, `micromatch`). With pnpm's fresh resolution they pick the latest patched versions automatically — `pnpm audit` against the new `pnpm-lock.yaml` reports 0 vulnerabilities, no manual overrides needed.
CI workflow
`.github/workflows/cordova-ci.yml` — path-filtered, concurrency-cancelled. Same shape as the other per-project workflows (`pnpm install --frozen-lockfile` → lint → test → build). The three echo steps are deliberate placeholders; the actual gate is the `preinstall` audit + signature check.
Verification
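A policy lint for the hardening settings this PR describes, added here as an example and not part of the PR or the project: it takes the already-parsed contents of `pnpm-workspace.yaml` and `package.json` as dicts (load them with any YAML/JSON parser) and reports every setting that is missing or weaker than the PR's baseline, so the "same hardening as the other migrated projects" claim can be checked in CI. The 14-day threshold, the exact-pin rule for `packageManager` and the first-party allowlist for `minimumReleaseAgeExclude` are assumptions drawn from the PR text; the sample dicts are constructed.

```python
import re

# Baseline thresholds taken from the PR text (assumed policy, not pnpm's own API)
MIN_RELEASE_AGE_MINUTES = 14 * 24 * 60               # 20160 minutes = 14 days
PKG_MANAGER_RE = re.compile(r"^pnpm@\d+\.\d+\.\d+$")  # exact pin, no ^ or ~ range

def check_workspace(ws: dict, first_party=("@pluggyai/*",)) -> list:
    """Findings for a parsed pnpm-workspace.yaml; an empty list means compliant."""
    findings = []
    age = ws.get("minimumReleaseAge", 0)
    if not isinstance(age, int) or age < MIN_RELEASE_AGE_MINUTES:
        findings.append(f"minimumReleaseAge={age!r} is below {MIN_RELEASE_AGE_MINUTES}")
    for key in ("engineStrict", "blockExoticSubdeps"):
        if ws.get(key) is not True:
            findings.append(f"{key} is not enabled")
    if ws.get("trustPolicy") != "no-downgrade":
        findings.append("trustPolicy is not no-downgrade")
    # allowBuilds must be present and empty: no dependency may run install-time scripts
    if ws.get("allowBuilds") != {}:
        findings.append(f"allowBuilds={ws.get('allowBuilds')!r} permits install scripts")
    # every release-age exclusion bypasses the 14-day delay; allow first-party scopes only
    for pattern in ws.get("minimumReleaseAgeExclude", []):
        if pattern not in first_party:
            findings.append(f"minimumReleaseAgeExclude bypasses delay for {pattern}")
    return findings

def check_package(pkg: dict) -> list:
    """Findings for a parsed package.json."""
    findings = []
    pm = pkg.get("packageManager", "")
    if not PKG_MANAGER_RE.match(pm):
        findings.append(f"packageManager={pm!r} is not an exact pnpm pin")
    if "pnpm audit signatures" not in pkg.get("scripts", {}).get("preinstall", ""):
        findings.append("preinstall does not run `pnpm audit signatures`")
    if pkg.get("devEngines", {}).get("runtime", {}).get("onFail") != "error":
        findings.append("devEngines.runtime.onFail is not 'error'")
    return findings

# Constructed samples: the PR's settings (hardened) and a deliberately weakened copy
HARDENED_WS = {"minimumReleaseAge": 20160, "minimumReleaseAgeIgnoreMissingTime": True,
               "minimumReleaseAgeExclude": ["@pluggyai/*"], "engineStrict": True,
               "trustPolicy": "no-downgrade", "blockExoticSubdeps": True,
               "savePrefix": "", "resolutionMode": "highest", "allowBuilds": {}}
HARDENED_PKG = {"packageManager": "pnpm@11.1.1",
                "devEngines": {"runtime": {"onFail": "error"}},
                "scripts": {"preinstall": "pnpm audit && pnpm audit signatures"}}
WEAK_WS = {**HARDENED_WS, "minimumReleaseAge": 60, "allowBuilds": {"left-pad": True},
           "minimumReleaseAgeExclude": ["@pluggyai/*", "lodash"]}
WEAK_PKG = {**HARDENED_PKG, "packageManager": "pnpm@^11"}
```

Running `check_workspace(WEAK_WS)` yields three findings (release age, allowBuilds, the extra exclusion) while both hardened samples yield none.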