More supply chain attack mitigations (#531)

skykanin · web-flow · commit 08a76ac7d41b · 2025-12-01T10:01:08.000+01:00
* remove duplicate dependabot config

* update nixpkgs ref

* explicitly use '--ignore-scripts' argument during `pnpm install`
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -1,12 +1,17 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
 version: 2
 updates:
-- package-ecosystem: npm
-  directory: "/"
-  schedule:
-    interval: weekly
-    day: sunday
-    time: "00:00"
-  cooldown:
-    default-days: 7
-  open-pull-requests-limit: 20
-  versioning-strategy: increase
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: weekly
+      day: sunday
+      time: '00:00'
+    cooldown:
+      default-days: 7
+    open-pull-requests-limit: 20
+    versioning-strategy: increase
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/.github/workflows/build-and-lint-on-pr.yaml b/.github/workflows/build-and-lint-on-pr.yaml
@@ -12,25 +12,27 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v4.2.0
         with:
-          version: 9
+          version: 10
           run_install: false
 
       - name: Set up node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 20
           cache: 'pnpm'
 
       - name: Install dependencies
-        run: pnpm install
-        
+        run: pnpm install --ignore-scripts
+
       - name: Build application
-        run: pnpm run build
+        run: |
+          pnpm prepare
+          pnpm run build
 
       - name: Check for ESLint warnings and errors
         run: pnpm run lint
-      
+
       - name: Run tests
         run: pnpm run tests
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,8 @@ RUN apk add pnpm
 
 COPY . .
 
-RUN pnpm install
+RUN pnpm install --ignore-scripts
+RUN pnpm prepare
 RUN pnpm run build
 # Delete node_modules that contain dev deps and only install runtime deps
 # in the version that is copied to the final output
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ help:
 
 .PHONY: build
 build: ## Build the app
-	pnpm install
+	pnpm install --ignore-scripts
 
 .PHONY: run-dev
 run-dev: ## Run the app in dev mode
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -9,11 +9,7 @@
   outputs = inputs @ {flake-parts, ...}:
     flake-parts.lib.mkFlake {inherit inputs;} {
       systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
-      perSystem = {
-        pkgs,
-        self',
-        ...
-      }: {
+      perSystem = {pkgs, ...}: {
         devShells.default = pkgs.mkShell {
           shellHook = ''
             export DAPLA_TEAM_API_URL=https://dapla-team-api.intern.test.ssb.no
