Backend service for the OIC (Órgano Interno de Control) platform, built with NestJS + GraphQL + MongoDB.
- Node.js ≥ 16
- pnpm ≥ 9 (see Security for why we use pnpm)
- MongoDB running locally or accessible via connection string
```bash
# Install dependencies (scripts are disabled by default — see .npmrc)
pnpm install --ignore-scripts
# Rebuild native dependencies explicitly (bcrypt)
pnpm rebuild bcrypt
```

**Why `--ignore-scripts`?** All post-install scripts are disabled globally via `.npmrc` to prevent supply chain attacks. Native packages like `bcrypt` must be rebuilt manually after install.
Copy the example env and fill in your values:

```bash
cp .env.example .env
```

| Variable | Description | Example |
|---|---|---|
| `APP_PORT` | Server port | `3000` |
| `MONGO_CNN` | MongoDB connection string | `mongodb://root:123456@localhost:27017` |
| `PASSPHRASE_SSL` | SSL certificate passphrase | (your passphrase) |
```bash
# Development (watch mode)
pnpm run start:dev
# Debug mode
pnpm run start:debug
# Production
pnpm run build
pnpm run start:prod
```

```bash
# Unit tests
pnpm run test
# E2E tests
pnpm run test:e2e
# Coverage
pnpm run test:cov
```

Always install with exact versions and scripts disabled:

```bash
# ✅ Correct — exact version, no scripts
pnpm add <package>@<exact-version> --ignore-scripts
# ❌ Wrong — never use @latest or loose ranges
pnpm add <package>@latest
```

After adding a package that requires native compilation, add it to `onlyBuildDependencies` in `pnpm-workspace.yaml` and run `pnpm rebuild <package>`.
This project applies a Defense in Depth strategy for NPM supply chain security. All configurations are documented in seguridad.md.
| Layer | File | What It Does |
|---|---|---|
| Script blocking | `.npmrc` | `ignore-scripts=true` — prevents automatic execution of postinstall and similar hooks |
| Audit on install | `.npmrc` | `audit=true` — runs `npm audit` automatically on every install |
| Cooldown window | `pnpm-workspace.yaml` | `minimumReleaseAge: 4320` — rejects packages published less than 3 days ago |
| Build allow-list | `pnpm-workspace.yaml` | `strictDepBuilds: true` + `onlyBuildDependencies` — only `bcrypt` can run native builds |
| Publish guard | `package.json` | `files: ["dist/", "README.md"]` — limits what gets published (defense in depth even though `private: true`) |
| Secret protection | `.gitignore` | `.env`, `.npmrc.local`, `.pnpm-store/` excluded from version control |
| Lockfile integrity | `pnpm-lock.yaml` | pnpm's content-addressable store mitigates lockfile URL injection attacks |
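As an added example (not one of the project's own scripts), a POSIX shell check that verifies the layers in the table are actually present in a checkout, so a CI job or pre-commit hook can catch a silently removed setting. The `write_hardened_config` helper and the sample values it writes are constructed here from the table; the matching is a line-based `grep`, not a full ini/YAML parser, so it only recognises top-level `key: value` lines.

```shell
#!/usr/bin/env sh
# Added example: verify the supply-chain hardening layers from the README table.
# File names are the ones the README lists; sample contents are constructed.

# 0 if an ini-style "key=value" line exists in file $1, else 1.
has_ini_setting() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1" 2>/dev/null
}

# 0 if a top-level YAML "key: value" line exists in file $1, else 1.
has_yaml_setting() {
  grep -Eq "^$2:[[:space:]]*$3[[:space:]]*$" "$1" 2>/dev/null
}

# Prints one FAIL line per missing layer; returns the number of failures.
check_supply_chain_config() {
  dir=$1; failures=0
  has_ini_setting "$dir/.npmrc" ignore-scripts true ||
    { echo "FAIL: .npmrc lacks ignore-scripts=true"; failures=$((failures + 1)); }
  has_ini_setting "$dir/.npmrc" audit true ||
    { echo "FAIL: .npmrc lacks audit=true"; failures=$((failures + 1)); }
  has_yaml_setting "$dir/pnpm-workspace.yaml" minimumReleaseAge 4320 ||
    { echo "FAIL: pnpm-workspace.yaml lacks minimumReleaseAge: 4320"; failures=$((failures + 1)); }
  has_yaml_setting "$dir/pnpm-workspace.yaml" strictDepBuilds true ||
    { echo "FAIL: pnpm-workspace.yaml lacks strictDepBuilds: true"; failures=$((failures + 1)); }
  [ -f "$dir/pnpm-lock.yaml" ] ||
    { echo "FAIL: pnpm-lock.yaml missing (run pnpm install --frozen-lockfile)"; failures=$((failures + 1)); }
  grep -qxF '.env' "$dir/.gitignore" 2>/dev/null ||
    { echo "FAIL: .gitignore does not exclude .env"; failures=$((failures + 1)); }
  return "$failures"
}

# Writes a constructed hardened configuration (values from the table) into $1.
write_hardened_config() {
  printf 'ignore-scripts=true\naudit=true\n' > "$1/.npmrc"
  printf 'minimumReleaseAge: 4320\nstrictDepBuilds: true\nonlyBuildDependencies:\n  - bcrypt\n' \
    > "$1/pnpm-workspace.yaml"
  printf '.env\n.npmrc.local\n.pnpm-store/\n' > "$1/.gitignore"
  : > "$1/pnpm-lock.yaml"   # placeholder; a real checkout has the generated lockfile
}

# Demo: a hardened checkout passes, then dropping one layer is reported.
demo=$(mktemp -d)
write_hardened_config "$demo"
check_supply_chain_config "$demo" && echo "hardened: OK"
printf 'audit=true\n' > "$demo/.npmrc"   # remove ignore-scripts=true
check_supply_chain_config "$demo" || echo "weakened: $? layer(s) missing"
rm -rf "$demo"
```

Run it from the repository root with the real files by replacing the demo section with `check_supply_chain_config .`; a non-zero exit status fails the CI step.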
```bash
# ✅ Install dependencies safely
pnpm install --ignore-scripts
# ✅ Rebuild native packages after install
pnpm rebuild bcrypt
# ✅ Add a new dependency (always exact version)
pnpm add <pkg>@1.2.3 --ignore-scripts
# ✅ Verify lockfile integrity
pnpm install --frozen-lockfile --ignore-scripts
# ❌ NEVER do this
pnpm add <pkg>@latest
npm install # use pnpm, not npm
```

To add a package that needs a native build:

- Add it: `pnpm add <package>@<version> --ignore-scripts`
- Add the package name to `onlyBuildDependencies` in `pnpm-workspace.yaml`
- Rebuild: `pnpm rebuild <package>`
- Verify it works: `pnpm run build`
Private — UNLICENSED