mirror of
https://github.com/DeBrosOfficial/orama.git
synced 2026-06-16 21:54:14 +00:00
Standardization batch — no application code changes. Pulls in the
DeBros DAO baseline rules (v0.1.0, sha 51ce3f8) for supply-chain
defense and toolchain pinning.
Files added:
- DEBROS.md + debros.json — adopted-rules manifest
- .debros/compliance/{go,javascript-typescript,zig}.md — per-language
compliance docs
- .github/workflows/security.yml — auto-detecting security CI
(npm audit + go vulncheck), runs on main + weekly cron
- renovate.json — 30-day dependency cooldown, no auto-merge,
vulnerability alerts bypass cooldown
- .nvmrc — pin Node 20.18.0
- vault/.zigversion — pin Zig 0.14.0
- sdk/.npmrc, website/.npmrc — supply-chain hardening
(ignore-scripts, strict-peer-dependencies, save-exact, etc.)
Files modified:
- core/go.mod, os/agent/go.mod, website/invest-api/go.mod —
add `toolchain go1.24.6` directive for reproducible builds
- VERSION + sdk/package.json — bump to 0.122.11
64 lines
2.9 KiB
Plaintext
# DeBros canonical .npmrc — drop-in supply-chain defense baseline.
#
# Adopt this file at the root of every npm/pnpm/yarn project.
# See https://github.com/DeBrosDAO/rules/blob/main/compliance/javascript-typescript.md
# for the full rationale.

# -------------------------------------------------------------------
# CRITICAL: block install-time scripts.
#
# Postinstall / preinstall / install lifecycle scripts are the #1
# supply-chain attack vector for npm. A compromised package can
# silently exfiltrate secrets, modify host files, or install a
# backdoor — all before any of your code runs.
#
# Packages that *genuinely* need to run install scripts (esbuild,
# sharp, sqlite native bindings) must be explicitly listed in
# package.json under `pnpm.onlyBuiltDependencies` (pnpm) or you must
# selectively enable them another way.
# -------------------------------------------------------------------
ignore-scripts=true

# -------------------------------------------------------------------
# Audit baseline: fail on moderate+ severity findings.
# -------------------------------------------------------------------
audit-level=moderate

# -------------------------------------------------------------------
# Don't auto-install peer dependencies — explicit is better than
# magic, and surprise installs change the lockfile shape.
# -------------------------------------------------------------------
auto-install-peers=false

# -------------------------------------------------------------------
# Strict peer dependencies: error (don't silently skip) when a peer
# range is unsatisfied. Catches real bugs early.
# -------------------------------------------------------------------
strict-peer-dependencies=true

# -------------------------------------------------------------------
# Prefer offline cache when available — same install on the same
# lockfile = byte-identical node_modules. Reproducibility.
# -------------------------------------------------------------------
prefer-offline=true

# -------------------------------------------------------------------
# Don't allow lockfile mutation during install. CI sets this
# explicitly via --frozen-lockfile too; defense in depth.
# -------------------------------------------------------------------
# (pnpm reads this from the lockfile mode; enforce via CI command flag)

# -------------------------------------------------------------------
# Save exact versions — no ^1.2.3 ranges. With Renovate handling
# upgrades, ranges only invite confusion. Lockfile is the source of
# truth either way.
# -------------------------------------------------------------------
save-exact=true

# -------------------------------------------------------------------
# Disable npm's update-notifier — clutters CI output, no value
# in non-interactive shells.
# -------------------------------------------------------------------
fund=false
update-notifier=false
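Review bot: the lockfile section ("Don't allow lockfile mutation during install") carries only a comment and no setting, so the "defense in depth" it describes is not actually present in the file; pnpm reads `frozen-lockfile=true` from `.npmrc`, so that line could sit under the comment rather than deferring entirely to the CI `--frozen-lockfile` flag. The `prefer-offline` comment also overstates the setting: `prefer-offline` only skips staleness checks for packages already in the local cache, while byte-identical `node_modules` on the same lockfile comes from the lockfile pins themselves, so the comment would be more accurate presented as a speed/availability measure. Finally, `auto-install-peers` and `strict-peer-dependencies` are pnpm settings, so in the npm and yarn projects this file is meant to cover they are not enforced; a short note in the header would save readers from assuming those guarantees hold everywhere.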