
fix: security improvements#264

Open
filo87 wants to merge 9 commits into main from dependabot-fixes

Conversation

@filo87 filo87 commented Feb 25, 2026

Summary

Short description of additions and changes from a security standpoint.


CI / GitHub Actions

| Change | Security benefit |
|---|---|
| New PR checks workflow (.github/workflows/pr-checks.yml) | Runs on every PR: lint, format, typecheck, commitlint, and TruffleHog OSS secrets scan. |
| permissions: contents: read on PR checks | Least privilege: workflow only has read access to repo contents. |
| All actions pinned by full commit SHA (not tags) | Reduces supply-chain risk: tags can be moved or overwritten; commit IDs are immutable. Applied in pr-checks.yml, release.yml, docker-build.yml, deploy-prod.yaml. |
| TruffleHog OSS (pinned to commit) | Scans PRs for leaked secrets (API keys, tokens, etc.) before merge. |

Dependencies

| Change | Security benefit |
|---|---|
| pnpm overrides | Pin known-good versions for tar, minimatch, ajv, rollup across the tree. |
| tar (override + lockfile → 7.5.x) | Old tar 6.x had widely publicized vulnerabilities; override forces 7.5.x. |
| minimatch (override ^9.0.6) | Aligns on a current major to avoid known issues in older minors. |
| ajv (override 8.18.0, with eslint/@eslint/eslintrc on 6.x) | Keeps rest of tree on supported ajv 8; ESLint stack stays on compatible 6.x. |
| bn.js 5.2.2 → 5.2.3 | Dependency bump (patch). |
| rollup 4.57.1 → 4.59.0 (override) | Updated build dependency. |

Code

  • src/services/CrosschainMessageService.ts — Formatting/whitespace only; no behavior or security impact.

Files changed (diff stat)

.github/workflows/deploy-prod.yaml   |  14 +-
.github/workflows/docker-build.yml  |  10 +-
.github/workflows/pr-checks.yml     |  79 +++  (new)
.github/workflows/release.yml       |   4 +-
package.json                        |  10 +-
pnpm-lock.yaml                      | 401 +++++-----
src/services/CrosschainMessageService.ts | 8 +-
 7 files changed, 282 insertions(+), 244 deletions(-)
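The two workflow properties the PR summary relies on (every action pinned to a full commit SHA, and an explicit permissions block) can be checked mechanically before review. The audit below is an added example, not code from this PR or repository; the workflow text it scans is constructed, the SHA in it is a placeholder, and it assumes the permissions block is declared at the top level of the workflow.

```python
import re

# Constructed sample workflow (not from the PR): one step pinned by a movable tag,
# one pinned by a full commit SHA (placeholder value), and no top-level permissions block.
SAMPLE_WORKFLOW = """\
name: pr-checks
on: [pull_request]
jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: pnpm lint
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # the 'owner/repo@ref' after 'uses:'
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                   # a full git commit id
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)  # column 0 only


def unpinned_actions(workflow_text):
    """Return every 'uses:' reference whose ref is not a full 40-hex commit SHA.
    Local actions ('./path') and docker:// images have no git ref to pin and are skipped."""
    findings = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow_text):
    """True if the workflow declares a workflow-level permissions: block."""
    return TOP_LEVEL_PERMISSIONS_RE.search(workflow_text) is not None


def audit(workflow_text):
    """Collect the supply-chain and least-privilege findings for one workflow file."""
    problems = [f"not SHA-pinned: {ref}" for ref in unpinned_actions(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        problems.append("no top-level permissions: block (token falls back to repository defaults)")
    return problems
```

Run `audit()` over each file under .github/workflows/ as a pre-merge check; an empty list means every action is SHA-pinned and the workflow states its own token permissions.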

@filo87 filo87 self-assigned this Feb 25, 2026
@filo87 filo87 requested a review from gpmayorga February 25, 2026 15:04