fix: pin @tanstack/react-router and router-plugin to safe versions #12
Merged
The ^1.65.0 caret ranges would resolve to compromised versions (1.169.5/1.169.8 react-router, 1.167.38/1.167.41 router-plugin) on any fresh install or lockfile regeneration. Pinning to exact 1.65.0 prevents pulling the malicious releases described in the Aikido "mini Shai-Hulud / TanStack compromise" advisory. Also adds pnpm-workspace.yaml with minimumReleaseAge (1440 minutes / 24 hours) as a defense-in-depth measure against future supply chain attacks that get caught and unpublished quickly.
GitHub Actions is shutting down actions/cache v1/v2 and the toolkit cache package, which was failing CI runs. actions/checkout@v2 is also deprecated and bumped at the same time.
Deploying bling-my-deck with
| | |
|---|---|
| Latest commit: | 77aa2af |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://696eb98f.bling-my-deck.pages.dev |
| Branch Preview URL: | https://claude-fix-tanstack-vulnerab.bling-my-deck.pages.dev |
Cloudflare Pages and other CI runners default pnpm install to frozen-lockfile, which failed because the lockfile still recorded specifier "^1.65.0" for @tanstack/react-router and router-plugin while package.json now pins to "1.65.0". Regenerating the lockfile updates only the specifier strings — the resolved versions remain 1.65.0. Incidental Babel transitive dedup (7.25.7/7.25.8 entries removed, already superseded by 7.25.9/7.26.0 already present) came along for the ride. Also switches the ci workflow from "pnpm i" to "pnpm install --frozen-lockfile" so a drift between package.json and the lockfile fails CI loudly instead of silently resolving fresh versions — closing the exact path the Aikido advisory flagged as dangerous for supply chain attacks like the tanstack compromise.
pnpm 9 treats pnpm-workspace.yaml strictly as a workspace configuration and requires a "packages" field, which broke CI with "packages field missing or empty". The file is now a settings file holding minimumReleaseAge, which only pnpm 10+ understands. Matching the version Cloudflare Pages already uses (10.11.1) keeps local, CI, and deploy environments aligned. Also bumps pnpm/action-setup to v4 since v3 doesn't officially support pnpm 10.
The lint script (prettier . --write && eslint . --fix) relied on prettier resolving via a transitive dependency. pnpm 9 hoisted transitive binaries to node_modules/.bin, so the script worked incidentally; pnpm 10 no longer hoists binaries from transitives, which broke "prettier: not found" in CI after the pnpm bump. Declaring it directly (^3.3.3, the version already resolved in the lockfile so no version drift) is the correct fix regardless of pnpm version.
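A check for the two failure modes this PR deals with, the caret ranges that still need exact pins and the package.json/lockfile specifier drift that `pnpm install --frozen-lockfile` rejects, as an added example that is not part of the PR or the project. The package.json and pnpm-lock.yaml contents are constructed, and the lockfile parser assumes pnpm's lockfile v9 layout with two-space indentation (importers > . > dependencies > name > specifier).

```python
import re

# Constructed package.json dependencies before (caret ranges) and after (exact pins) the fix.
PKG_BEFORE = {"dependencies": {"@tanstack/react-router": "^1.65.0", "@tanstack/router-plugin": "^1.65.0"}}
PKG_AFTER = {"dependencies": {"@tanstack/react-router": "1.65.0", "@tanstack/router-plugin": "1.65.0"}}

# Constructed stale pnpm-lock.yaml: resolved 1.65.0, but still recording the caret specifier.
LOCK_STALE = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@tanstack/react-router':
        specifier: ^1.65.0
        version: 1.65.0(react@18.3.1)
      '@tanstack/router-plugin':
        specifier: ^1.65.0
        version: 1.65.0
"""

MUST_PIN = {"@tanstack/react-router", "@tanstack/router-plugin"}
EXACT = re.compile(r"^\d+\.\d+\.\d+$")                        # exact pin; anything else is a range
NAME_RE = re.compile(r"^ {6}['\"]?([^'\"\s:]+)['\"]?:\s*$")   # dependency name line under importers/./dependencies
SPEC_RE = re.compile(r"^ {8}specifier: (.+)$")                 # its specifier line, one level deeper

def lock_specifiers(lock_text):
    """Return {name: specifier} for the root importer ('.') of a lockfile v9 file."""
    # Assumes pnpm's two-space indentation: importers > . > dependencies > name > specifier.
    specs, name, in_importers = {}, None, False
    for line in lock_text.splitlines():
        if not line.startswith(" "):                          # a top-level key starts a new section
            in_importers = line.rstrip() == "importers:"
        elif in_importers and (m := NAME_RE.match(line)):
            name = m.group(1)
        elif in_importers and name and (m := SPEC_RE.match(line)):
            specs[name] = m.group(1).strip().strip("'\"")
    return specs

def specifier_drift(pkg, lock_text):
    """Dependencies whose package.json specifier differs from the lockfile's.
    This is exactly the drift that makes `pnpm install --frozen-lockfile` fail."""
    lock = lock_specifiers(lock_text)
    return {n: (s, lock.get(n)) for n, s in pkg["dependencies"].items() if lock.get(n) != s}

def unpinned(pkg, must_pin=MUST_PIN):
    """Packages that must be exact-pinned but still carry a range such as ^1.65.0."""
    return {n: s for n, s in pkg["dependencies"].items() if n in must_pin and not EXACT.match(s)}
```

Running `unpinned(PKG_BEFORE)` reports both TanStack packages, and `specifier_drift(PKG_AFTER, LOCK_STALE)` reports the same two packages with the `1.65.0` versus `^1.65.0` mismatch that the lockfile regeneration in this PR resolved.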