chore: pin docker images and npm deps with CI enforcement

.devcontainer/docker-compose.yaml

@@ -27,7 +27,7 @@ services:
         condition: service_healthy
 
   db:
-    image: postgres:17-alpine
+    image: postgres:17.9-alpine
     restart: unless-stopped
     environment:
       POSTGRES_USER: skeleton

.github/workflows/ci.yaml

@@ -38,6 +38,7 @@ jobs:
               echo "All zsh plugins verified"
             '
             pnpm format:check
+            pnpm lint:pinning
             pnpm lint
             pnpm db:push
             pnpm test

AGENTS.md

@@ -4,3 +4,13 @@
 - Shared types and schemas live in `packages/shared` — don't duplicate them.
 - Database access goes through `packages/db` — never import Prisma directly in apps.
 - Auth config is in `packages/auth` — apps consume it, not define it.
+
+## Pinning policy
+
+To prevent silent drift from upstream rebuilds and unreviewed minor bumps, all external references in this repo are pinned and enforced by `pnpm lint:pinning` (CI fails on violations):
+
+- **Docker images** (`Dockerfile`, `docker-compose*.yaml`): tag must be `major.minor[.patch]` — e.g. `postgres:17.9-alpine`, `node:26.0-slim`. A SHA digest (`@sha256:…`) is also accepted. Bare `postgres:17` or `latest` is rejected.
+- **npm dependencies** (every workspace `package.json`, all four dep maps): range must be exact (`1.2.3`) or `~major.minor.patch` (`~1.2.3`). `^`, `*`, `latest`, bare-major (`~25`), and unbounded ranges are rejected. `workspace:*`, `link:`, `file:`, `npm:` aliases (whose version must also satisfy the rule), and git/http URLs are allowed.
+- **GitHub Actions**: pinned to a full SHA, enforced at the repo level via the "Require actions pinned to SHA" setting (no extra lint needed).
+
+Dependabot still produces minor/patch PRs against these pinned ranges — bumps become reviewed events, not silent drift. When raising a pin, update the manifest and run `pnpm install` so the lockfile follows.

apps/api/package.json

@@ -12,23 +12,23 @@
     "test:integration": "vitest run --project api:integration"
   },
   "dependencies": {
-    "@hono/node-server": "^2.0.2",
-    "@hono/swagger-ui": "^0.6.1",
-    "@hono/zod-openapi": "^1.3.0",
-    "@prisma/client": "^7.8.0",
+    "@hono/node-server": "~2.0.2",
+    "@hono/swagger-ui": "~0.6.1",
+    "@hono/zod-openapi": "~1.3.0",
+    "@prisma/client": "~7.8.0",
     "@skeleton/auth": "workspace:*",
     "@skeleton/db": "workspace:*",
     "@skeleton/shared": "workspace:*",
-    "hono": "^4.12.18",
-    "zod": "^4.4.3"
+    "hono": "~4.12.18",
+    "zod": "~4.4.3"
   },
   "devDependencies": {
-    "@types/node": "^25",
-    "@vitest/ui": "^4.1.5",
-    "better-auth": "^1.6.9",
-    "tsup": "^8.4.0",
-    "tsx": "^4.19.0",
-    "typescript": "^6",
-    "vitest": "^4.1.5"
+    "@types/node": "~25.6.2",
+    "@vitest/ui": "~4.1.5",
+    "better-auth": "~1.6.9",
+    "tsup": "~8.5.1",
+    "tsx": "~4.21.0",
+    "typescript": "~6.0.3",
+    "vitest": "~4.1.5"
   }
 }

apps/web/package.json

@@ -12,49 +12,49 @@
     "test:e2e:ui": "playwright test --ui"
   },
   "dependencies": {
-    "@base-ui/react": "^1.4.1",
-    "@dnd-kit/core": "^6.3.1",
-    "@dnd-kit/modifiers": "^9.0.0",
-    "@dnd-kit/sortable": "^10.0.0",
-    "@dnd-kit/utilities": "^3.2.2",
+    "@base-ui/react": "~1.4.1",
+    "@dnd-kit/core": "~6.3.1",
+    "@dnd-kit/modifiers": "~9.0.0",
+    "@dnd-kit/sortable": "~10.0.0",
+    "@dnd-kit/utilities": "~3.2.2",
     "@skeleton/api-client": "workspace:*",
     "@skeleton/auth": "workspace:*",
     "@skeleton/shared": "workspace:*",
-    "@tabler/icons-react": "^3.44.0",
-    "@tanstack/react-table": "^8.21.3",
-    "class-variance-authority": "^0.7.1",
-    "clsx": "^2.1.1",
-    "lucide-react": "^1.14.0",
+    "@tabler/icons-react": "~3.44.0",
+    "@tanstack/react-table": "~8.21.3",
+    "class-variance-authority": "~0.7.1",
+    "clsx": "~2.1.1",
+    "lucide-react": "~1.14.0",
     "next": "16.2.6",
-    "next-themes": "^0.4.6",
+    "next-themes": "~0.4.6",
     "react": "19.2.6",
     "react-dom": "19.2.6",
-    "recharts": "^3.8.0",
-    "server-only": "^0.0.1",
-    "shadcn": "^4.7.0",
-    "sonner": "^2.0.7",
-    "swr": "^2.4.1",
-    "tailwind-merge": "^3.5.0",
-    "tw-animate-css": "^1.4.0",
-    "vaul": "^1.1.2",
-    "zod": "^4.4.3"
+    "recharts": "~3.8.1",
+    "server-only": "~0.0.1",
+    "shadcn": "~4.7.0",
+    "sonner": "~2.0.7",
+    "swr": "~2.4.1",
+    "tailwind-merge": "~3.5.0",
+    "tw-animate-css": "~1.4.0",
+    "vaul": "~1.1.2",
+    "zod": "~4.4.3"
   },
   "devDependencies": {
-    "@eslint-react/eslint-plugin": "^5.7.5",
+    "@eslint-react/eslint-plugin": "~5.7.5",
     "@next/eslint-plugin-next": "16.2.6",
-    "@playwright/test": "^1.59.1",
-    "@tailwindcss/postcss": "^4.3.0",
-    "@types/node": "^25",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "eslint": "^10",
-    "eslint-config-prettier": "^10.1.8",
-    "eslint-import-resolver-typescript": "^4.4.4",
-    "eslint-plugin-better-tailwindcss": "^4.5.0",
-    "eslint-plugin-import-x": "^4.16.2",
-    "tailwindcss": "^4.3.0",
-    "typescript": "^6",
-    "typescript-eslint": "^8.59.2",
-    "vitest": "^4.1.5"
+    "@playwright/test": "~1.59.1",
+    "@tailwindcss/postcss": "~4.3.0",
+    "@types/node": "~25.6.2",
+    "@types/react": "~19.2.14",
+    "@types/react-dom": "~19.2.3",
+    "eslint": "~10.3.0",
+    "eslint-config-prettier": "~10.1.8",
+    "eslint-import-resolver-typescript": "~4.4.4",
+    "eslint-plugin-better-tailwindcss": "~4.5.0",
+    "eslint-plugin-import-x": "~4.16.2",
+    "tailwindcss": "~4.3.0",
+    "typescript": "~6.0.3",
+    "typescript-eslint": "~8.59.2",
+    "vitest": "~4.1.5"
   }
 }

package.json

@@ -6,6 +6,7 @@
     "dev": "bash .devcontainer/check-env.sh && turbo dev test:ui",
     "build": "turbo build",
     "lint": "turbo lint",
+    "lint:pinning": "node scripts/check-pinning.mjs",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "codegen:openapi": "turbo codegen:openapi",
@@ -19,14 +20,14 @@
     "reset": "pnpm clean && pnpm install && pnpm build && pnpm dev"
   },
   "devDependencies": {
-    "@types/node": "^25.6.2",
-    "@vitest/coverage-v8": "^4.1.5",
-    "@vitest/ui": "^4.1.5",
-    "prettier": "^3.8.3",
-    "prettier-plugin-tailwindcss": "^0.8.0",
-    "turbo": "^2.9.12",
-    "typescript": "^6.0.3",
-    "vitest": "^4.1.5"
+    "@types/node": "~25.6.2",
+    "@vitest/coverage-v8": "~4.1.5",
+    "@vitest/ui": "~4.1.5",
+    "prettier": "~3.8.3",
+    "prettier-plugin-tailwindcss": "~0.8.0",
+    "turbo": "~2.9.12",
+    "typescript": "~6.0.3",
+    "vitest": "~4.1.5"
   },
   "packageManager": "pnpm@10.33.0",
   "pnpm": {

packages/api-client/package.json

@@ -12,10 +12,10 @@
     "codegen": "openapi-typescript ../api-spec/openapi.yaml -o src/schema.d.ts"
   },
   "dependencies": {
-    "openapi-fetch": "^0.17.0"
+    "openapi-fetch": "~0.17.0"
   },
   "devDependencies": {
-    "openapi-typescript": "^7.8.0",
-    "typescript": "^6"
+    "openapi-typescript": "~7.13.0",
+    "typescript": "~6.0.3"
   }
 }

packages/api-spec/package.json

@@ -7,8 +7,8 @@
     "codegen:openapi": "tsx scripts/generate-spec.ts"
   },
   "devDependencies": {
-    "tsx": "^4.19.0",
-    "typescript": "^6",
-    "yaml": "^2.8.4"
+    "tsx": "~4.21.0",
+    "typescript": "~6.0.3",
+    "yaml": "~2.8.4"
   }
 }

packages/auth/package.json

@@ -15,12 +15,12 @@
   },
   "dependencies": {
     "@skeleton/db": "workspace:*",
-    "@prisma/client": "^7.8.0",
-    "better-auth": "^1.6.9",
-    "zod": "^4.4.3"
+    "@prisma/client": "~7.8.0",
+    "better-auth": "~1.6.9",
+    "zod": "~4.4.3"
   },
   "devDependencies": {
-    "@types/node": "^25",
-    "typescript": "^6"
+    "@types/node": "~25.6.2",
+    "typescript": "~6.0.3"
   }
 }

packages/db/package.json

@@ -15,11 +15,11 @@
     "studio": "prisma studio"
   },
   "dependencies": {
-    "@prisma/adapter-pg": "^7.8.0",
-    "@prisma/client": "^7.8.0"
+    "@prisma/adapter-pg": "~7.8.0",
+    "@prisma/client": "~7.8.0"
   },
   "devDependencies": {
-    "prisma": "^7.8.0",
-    "typescript": "^6"
+    "prisma": "~7.8.0",
+    "typescript": "~6.0.3"
   }
 }

packages/shared/package.json

@@ -14,10 +14,10 @@
     "test": "vitest run --project shared"
   },
   "dependencies": {
-    "zod": "^4.4.3"
+    "zod": "~4.4.3"
   },
   "devDependencies": {
-    "typescript": "^6",
-    "vitest": "^4.1.5"
+    "typescript": "~6.0.3",
+    "vitest": "~4.1.5"
   }
 }