chore: migrate node backend from npm to pnpm with supply chain hardening#86
Merged
Conversation
- Pin pnpm@11.12.0 via packageManager field - Replace package-lock.json with pnpm-lock.yaml (pnpm import; versions preserved) - Add pnpm-workspace.yaml supply-chain block: minimumReleaseAge (7d), trustPolicy no-downgrade, allowBuilds (sqlite3 allowed, esbuild blocked) - Bootstrap pnpm via corepack in script/node setup/start wrappers - Update node/README migration commands to pnpm Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…w syntax, workspace comments Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…download) Corepack fetches the pinned pnpm from registry.npmjs.org, which the Socket firewall blocks — pnpm@11.12.0 forced an uncached download that failed on Intercom machines. 10.23.0 (no integrity hash) matches the merged frontend-minicom / frontend-minicom-public migrations and is pre-cached in the standard Intercom dev env, so corepack never hits the network. Also drop the redundant `corepack prepare --activate` from the bootstrap scripts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
- Regenerate pnpm-lock.yaml from main's lockfile, capturing morgan ^1.11.0 - package-lock.json stays removed (pnpm migration) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Interview candidates are external; require only pnpm, not corepack + pnpm. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
87b4175 to
3b73960
Compare
patocallaghan
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Why?
Standardise the
node/backend on pnpm for a stricter, non-hoisted dependency graph (no phantom dependencies) plus supply-chain hardening: install-time build scripts blocked by default, a package-provenance policy, and a minimum-release-age quarantine window.node/is the only JavaScript project in this repo. Follows the pattern established by the mergedfrontend-minicom-publicmigration.How?
The lockfile was generated with
pnpm importfrompackage-lock.json, preserving every resolved version exactly (no drift).packageManageris pinned topnpm@10.23.0, matching the mergedfrontend-minicom/frontend-minicom-publicreference migrations and the siblingminicomrepo. All supply-chain settings live inpnpm-workspace.yaml(notpackage.json#pnpm, where several are silently inert):minimumReleaseAge(7 days),trustPolicy: no-downgrade, and explicit built-dependency lists. Thescript/nodelaunchers andREADMEwere updated to pnpm.Decisions
sqlite3build script is allowed to run (onlyBuiltDependencies). It fetches the native binding at install time and the app's Sequelize DB layer is non-functional without it. It's the legitimateTryGhost/node-sqlite3; Socket scores supplyChain 99 / vulnerability 100. Every other build script stays blocked.esbuildstays blocked (ignoredBuiltDependencies) — it ships its real binary via an optional dep, so its own script is a no-op.preinstallguard — this is a public repo used by external interview candidates, so the launchers just runpnpm install. Simplest possible setup; no corepack + pnpm bootstrap, and no enforcement script shipping to consumers.Generated with Claude Code