
use frozen lock file #824 (Open)

aaspinwall wants to merge 1 commit into main from security/use-frozen-lock-file

Conversation

@aaspinwall (Collaborator)

What changed?

This PR removes --no-frozen-lockfile from installs to make sure we use the audited packages at the top of the repo.

Why?

This is a good security practice to avoid malicious packages being installed.

Limitations and Notes

pnpm doesn't have a ci command. The npm equivalent in pnpm is pnpm install --frozen-lockfile, which fails if the lockfile is out of sync — that's the safe behavior you want in a container/CI context.

Applicable Issues

Closes #812

Screenshots

@aaspinwall aaspinwall requested review from malini and radishmouse May 25, 2026 13:36
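As an added illustration (not code from the PR, and not pnpm's own logic), this shows the kind of manifest-versus-lockfile mismatch that makes pnpm install --frozen-lockfile refuse to proceed, using a simplified drift check over constructed sample files. The lockfile reader assumes pnpm's 2-space indented importers block and inspects only the root importer.

```python
import json

# Constructed sample inputs (not from the PR); pnpm 9-style lockfile layout.
PACKAGE_JSON = json.dumps({"name": "demo", "dependencies": {"lodash": "^4.17.21"},
                           "devDependencies": {"typescript": "^5.4.0"}})
LOCKFILE = """lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21
    devDependencies:
      typescript:
        specifier: ^5.4.0
        version: 5.4.5
"""

def lock_specifiers(lock_text):
    """Collect {name: specifier} from the root importer ('.') of a lockfile."""
    specs, name, in_root = {}, None, False
    for line in lock_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent <= 2 and body:
            in_root = body == ".:"      # root importer block starts (or ends) here
        elif in_root and indent == 6 and body.endswith(":"):
            name = body[:-1].strip("'\"")            # package name line
        elif in_root and indent == 8 and body.startswith("specifier:") and name:
            specs[name] = body.split(":", 1)[1].strip()
    return specs

def lockfile_drift(package_json_text, lock_text):
    """Sorted drift findings; [] is the in-sync state --frozen-lockfile accepts."""
    manifest = json.loads(package_json_text)
    wanted = {}
    for field in ("dependencies", "devDependencies"):
        wanted.update(manifest.get(field, {}))
    locked = lock_specifiers(lock_text)
    findings = [f"{n}: in lockfile but not in package.json"
                for n in locked if n not in wanted]
    for name, spec in wanted.items():
        if name not in locked:
            findings.append(f"{name}: missing from lockfile")
        elif locked[name] != spec:
            findings.append(f"{name}: manifest {spec} != lockfile {locked[name]}")
    return sorted(findings)

if __name__ == "__main__":
    print(lockfile_drift(PACKAGE_JSON, LOCKFILE) or "lockfile in sync")
```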
@radishmouse (Collaborator)

Do we want to explicitly use --frozen-lockfile?


Development

Successfully merging this pull request may close these issues.

Pin pnpm-lock.yaml files and migrate to pnpm install --frozen-lockfile

2 participants