[FE-3214] chore: migrate from npm to pnpm with supply chain hardening#579
Open
Kabidoye-17 wants to merge 2 commits into
Open
[FE-3214] chore: migrate from npm to pnpm with supply chain hardening#579Kabidoye-17 wants to merge 2 commits into
Kabidoye-17 wants to merge 2 commits into
Conversation
Team: Integration Capabilities
pnpm's global install has no fallback when a registry manifest lacks dist-tags, and Intercom's Socket Firewall proxy serves the fern-api manifest without them, so `pnpm add -g fern-api` (unpinned) fails with ERR_PNPM_NO_MATCHING_VERSION. Pinning bypasses `latest` resolution. Upstream: pnpm/pnpm#5564, pnpm/pnpm#9944 (both open).
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.





Why?
This repo was surfaced in a follow-up audit as part of the org-wide effort to bring active npm repos onto a supply-chain-hardened footing (per-package script gating, install cooldown, pnpm's stricter dependency graph). Migrating to pnpm 10 aligns Intercom-OpenAPI with the target config already applied across the sibling repos in FE-3214.
How?
pnpm importwas used to convertpackage-lock.jsontopnpm-lock.yamlverbatim, preserving every resolved version so no transitive dependency drift shipped alongside the tooling swap. Supply-chain settings (minimumReleaseAge: 10080,trustPolicy: no-downgrade) live inpnpm-workspace.yaml; a preinstall guard enforces pnpm locally and no-ops in CI; thees5-extcosmetic postinstall is silenced viapnpm.ignoredBuiltDependencies. Disabled workflows under.github/workflows-disabled/were updated so they continue to work if re-enabled — the newpnpm/action-setuprefs are SHA-pinned. Pre-existing GHA hardening gaps (unpinnedactions/checkout, missing top-levelpermissions:blocks) were left out of scope; whoever re-enables any workflow should run the security-review skill end-to-end first.Follow-up commit —
fern-apiis pinned to5.65.3in docs and workflows.pnpm add -g fern-api(unpinned) fails through Intercom's registry proxy because the proxy serves thefern-apimanifest without adist-tagsblock, and pnpm has no fallback resolver for a missinglatesttag. Upstream issues, both open:When those are fixed (or the proxy is fixed to include dist-tags), the pin can be dropped.
Generated with Claude Code