Skip to content

Feat: Enforce pnpm usage#168

Merged
Olmo Maldonado (ibolmo) merged 4 commits intomainfrom
sec-disallow-npm
Apr 2, 2026
Merged

Feat: Enforce pnpm usage#168
Olmo Maldonado (ibolmo) merged 4 commits intomainfrom
sec-disallow-npm

Conversation

@ibolmo
Copy link
Copy Markdown
Contributor

@ibolmo Olmo Maldonado (ibolmo) commented Apr 1, 2026

Add CI workflow and package.json configurations to ensure pnpm is used for package management across the repository. This includes rejecting npm lockfiles and specifying pnpm as the required package manager in package.json files.

@ibolmo
Feat: Enforce pnpm usage
17e4688 
Add CI workflow and package.json configurations to ensure pnpm is used
for package management across the repository. This includes rejecting
npm lockfiles and specifying pnpm as the required package manager in
`package.json` files.
@ibolmo
feat: Remove package-lock.json
a4f80e6 
The `package-lock.json` file is no longer needed.
@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 1, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​google/​genai@​1.48.07510010098100
Addednpm/​vitest@​1.6.1961007999100
Addednpm/​vite-plugin-top-level-await@​1.6.0991009981100
Addednpm/​tsx@​4.20.61001008185100
Addednpm/​vite-plugin-wasm@​3.5.0991009185100
Addednpm/​typescript@​5.9.31001009010090
Updatednpm/​@​aws-sdk/​client-bedrock-runtime@​3.957.0 ⏵ 3.1022.098100100 +198 +1100

View full report

@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 1, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm vite is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yamlnpm/vitest@1.6.1npm/vitest@3.2.4npm/vite-plugin-wasm@3.5.0npm/vite-plugin-top-level-await@1.6.0npm/vite@5.4.21

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@5.4.21. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@ibolmo
Refactor typescript example to use workspace protocol
a4eb1d5 
This updates the `@braintrust/lingua` dependency in the
`examples/typescript`
package.json to use `workspace:*` instead of a file path. This allows
pnpm
to correctly link the local development version of the lingua bindings
during development and testing.
@ibolmo
Merge remote-tracking branch 'origin/main' into sec-disallow-npm
c017023
@ibolmo Olmo Maldonado (ibolmo) merged commit 5d23341 into main Apr 2, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AbhiPrasad Abhijeet Prasad (AbhiPrasad) AbhiPrasad approved these changes

Assignees

@ibolmo Olmo Maldonado (ibolmo)

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ibolmo @AbhiPrasad