stakekit · ajag408 · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
@@ -1,2 +1,7 @@
 # Workflow/CI files specifically
-.github/ @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco
+.github/ @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco
+
+# Supply chain critical files -- lockfile, install config, package manifest
+.npmrc @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco
+package.json @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco
+pnpm-lock.yaml @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco
@@ -18,34 +18,37 @@ jobs:
         node-version: [20.17.0, 22.x]
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
         with:
           node-version: ${{ matrix.node-version }}
 
       - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
-        with:
-          version: 10.12.2
-
-      - name: Get pnpm store directory
         shell: bash
         run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+          npm install -g corepack@latest
+          corepack enable
+          corepack prepare pnpm@10.12.2 --activate
 
-      - name: Setup pnpm cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
+      - name: Set up Socket Firewall
+        uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143  # v1
         with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          mode: firewall
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: sfw pnpm install --frozen-lockfile
 
       - name: Run linter
         run: pnpm run lint
@@ -60,7 +63,7 @@ jobs:
         if: matrix.node-version == '20.17.0'
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de 
         with:
-          file: ./coverage/lcov.info
+          files: ./coverage/lcov.info
           flags: unittests
           name: codecov-umbrella
           fail_ci_if_error: false
@@ -70,25 +73,61 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
         with:
           node-version: 20.17.0
 
       - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        shell: bash
+        run: |
+          npm install -g corepack@latest
+          corepack enable
+          corepack prepare pnpm@10.12.2 --activate
+
+      - name: Set up Socket Firewall
+        uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143  # v1
         with:
-          version: 10.12.2
+          mode: firewall
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: sfw pnpm install --frozen-lockfile
 
       - name: Run pnpm audit
         run: pnpm audit --audit-level=critical
+        continue-on-error: true
 
       - name: Check for dependency updates
         run: pnpm outdated
         continue-on-error: true
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9  # v4
@@ -20,10 +20,16 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Verify tag is on main
         shell: bash
@@ -40,12 +46,21 @@ jobs:
           node-version: "22"
 
       - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        shell: bash
+        run: |
+          npm install -g corepack@latest
+          corepack enable
+          corepack prepare pnpm@10.12.2 --activate
+
+      - name: Set up Socket Firewall
+        uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143  # v1
         with:
-          version: 10.12.2
+          mode: firewall
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: sfw pnpm install --frozen-lockfile
 
       - name: Security audit
         run: pnpm audit --audit-level=critical
@@ -63,10 +78,16 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Verify tag is on main
         shell: bash
@@ -84,16 +105,25 @@ jobs:
           registry-url: "https://registry.npmjs.org"
 
       - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
-        with:
-          version: 10.12.2
+        shell: bash
+        run: |
+          npm install -g corepack@latest
+          corepack enable
+          corepack prepare pnpm@10.12.2 --activate
 
         # npm 11.5.1 or later is required for trusted publishing
       - name: Update npm
         run: npm install -g npm@latest
 
+      - name: Set up Socket Firewall
+        uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143  # v1
+        with:
+          mode: firewall
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
+
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: sfw pnpm install --frozen-lockfile
 
       - name: Run tests
         run: pnpm test
@@ -103,6 +133,8 @@ jobs:
 
       - name: Publish to NPM
         run: pnpm publish --access public --no-git-checks
+        env:
+          NPM_CONFIG_PROVENANCE: "true"
 
   # ==========================================
   # Job 3: Build binaries for all platforms
@@ -134,10 +166,16 @@ jobs:
             arch: x64
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Verify tag is on main
         shell: bash
@@ -162,25 +200,21 @@ jobs:
           architecture: ${{ matrix.node_arch }}
 
       - name: Install pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
-        with:
-          version: 10.12.2
-
-      - name: Get pnpm store directory
         shell: bash
         run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+          npm install -g corepack@latest
+          corepack enable
+          corepack prepare pnpm@10.12.2 --activate
 
-      - name: Setup pnpm cache
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
+      - name: Set up Socket Firewall
+        uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143  # v1
         with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          mode: firewall
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: sfw pnpm install --frozen-lockfile
 
       - name: Build TypeScript
         run: pnpm build
@@ -237,6 +271,11 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d  # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Download all artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:

diff --git a/.npmrc b/.npmrc
@@ -1,2 +1,2 @@
-enable-pre-post-scripts=true
-strict-peer-dependencies=false
+strict-peer-dependencies=false
+minimum-release-age=4320
diff --git a/package.json b/package.json
@@ -71,5 +71,10 @@
     "prettier": "^3.2.5",
     "ts-jest": "^29.4.6",
     "typescript": "^5.0.0"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "esbuild"
+    ]
   }
 }