From 5e7c996c1c7d22ce8d9856ee69950c85dedd0bbb Mon Sep 17 00:00:00 2001
From: Chris Zetter <253059100+zetter-rpf@users.noreply.github.com>
Date: Wed, 13 May 2026 10:28:28 +0100
Subject: [PATCH 1/3] Setup dependabot

Without this file, we are only receiving security updates [1]

Add a cooldown similar to editor API to reduce the risk of supply chain attacks. It will also delay us updating to cutting edge new releases that might have issues.

Note that this doesn't dependabot security updates.

[1] - https://docs.github.com/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file
---
 .github/dependabot.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..1355610e9
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: "npm"
+ directory: "/"
+ cooldown:
+ default-days: 10
+ schedule:
+ interval: "daily"
\ No newline at end of file

From 94d0a88d640b3a008bf91ed77ff16bc89830baa9 Mon Sep 17 00:00:00 2001
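Review bot: The new `updates:` list covers only npm, yet the same series ships a Dockerfile (patch 3) whose base image gets no update PRs and no cooldown, and any workflows under `.github/workflows` would likewise be uncovered. Base images and pinned actions are the other two places a stale or hijacked upstream reaches this repository, so add a `docker` entry with the same 10-day cooldown (and a `github-actions` one if workflows exist; I cannot see that directory from here). I would also record the intent in the file itself, e.g. `# 10-day cooldown: skip freshly published versions to limit exposure to hijacked releases; as I read the docs this applies to version updates only, not security updates`, since today that reasoning lives only in the commit message. The collapsed hunk hides the indentation of `directory`/`cooldown`/`default-days`; worth confirming the nested keys sit under the list item as intended before merging.
```yaml
# … unchanged: npm entry …
- package-ecosystem: "docker"
  directory: "/"
  cooldown:
    default-days: 10
  schedule:
    interval: "daily"
```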
From: Chris Zetter <253059100+zetter-rpf@users.noreply.github.com>
Date: Wed, 13 May 2026 10:58:34 +0100
Subject: [PATCH 2/3] Add a minimum age for NPM packages

This reduces the risk of supply chain attacks by preventing us from installing very new packages[1]. It also reduces the risk us from relying on a package that is removed (since it's harder to remove a package after a 72 hours[1])

While this does a similar task to the dependabot cooldown, it will also prevent us from installing new packages locally.

I've added our internal packages ot the pre-approved list as we often want to update these immediately after making changes.

I'm unsure how this interacts with dependabot - if it will still make PRs for security issues and if those updates might fail. This is something I will monitor.

I've chosen a slightly shorter cooldown compared to dependabot as I don't want this to be a barrier to us manually upgrading packages we intend to.

[1] - https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate
[2] - https://docs.npmjs.com/unpublishing-packages-from-the-registry
---
 .yarnrc.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.yarnrc.yml b/.yarnrc.yml
index 3adb93697..7b135dac3 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -7,3 +7,9 @@ enableGlobalCache: false
 nodeLinker: node-modules
 yarnPath: .yarn/releases/yarn-4.12.0.cjs
+
+npmMinimalAgeGate: 7d
+
+npmPreapprovedPackages:
+ - "@raspberrypifoundation/design-system-react"
+ - "@raspberrypifoundation/design-system-core"
\ No newline at end of file

From dd4ebf08981ccd063b8876b124d7b15bb0e06405 Mon Sep 17 00:00:00 2001
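Review bot: The two `npmPreapprovedPackages` entries bypass the 7-day gate entirely, so a hijacked release under `@raspberrypifoundation/*` is installable the minute it is published, which is exactly the scenario `npmMinimalAgeGate` exists to blunt; the exemption is only reasonable if publishing for that scope is itself protected (2FA, trusted publishing/provenance), and this file cannot show whether it is. Say so inline so the next person does not widen the list casually: `# Internal scope, exempt from npmMinimalAgeGate so our own releases land immediately; safe only while publish access to the scope stays locked down`. As I read the Yarn docs the gate acts at resolution time, so versions already in `yarn.lock` are unaffected, but a Dependabot or manual bump to a release younger than 7 days will fail to resolve until it ages; that is the failure mode to expect for the Dependabot interaction the message says it will monitor, and a short comment naming it next to `npmMinimalAgeGate: 7d` would save the next person the same investigation.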
From: Chris Zetter <253059100+zetter-rpf@users.noreply.github.com>
Date: Wed, 13 May 2026 11:37:14 +0100
Subject: [PATCH 3/3] Make yarn and docker work more like other environments

We should be using the same corepack binary and yarnrc as other environments.

Perhaps adding 'nodeLinker: node-modules' was needed at one point, but it's now in the default yarn file.
---
 .dockerignore | 9 +++++++--
 Dockerfile | 6 +-----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 61592c09b..7b98e3035 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,5 +2,10 @@ build/
 dist/
 .git/
 node_modules/
-.yarn/
-.yarnrc.yml
+
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index aeddafadf..7d946f18a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,11 +9,7 @@ WORKDIR /app
 COPY package.json yarn.lock ./
 COPY . /app
-RUN corepack enable \ && yarn set version 4.12.0 \ && echo "nodeLinker: node-modules\n\n$(cat /app/.yarnrc.yml)" > /app/.yarnrc.yml \ && cat /app/.yarnrc.yml \ && printf "Switched to Yarn version: "; yarn --version
+RUN corepack enable
 RUN chsh -s $(which zsh) ${USER}
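Review bot: `RUN corepack enable` no longer asserts which Yarn the image ends up running: the removed lines pinned 4.12.0 with `yarn set version` and printed `yarn --version`, while the new line defers to `yarnPath` in `.yarnrc.yml` (now copied into the context by the .dockerignore change) and to the `packageManager` field, which is outside this hunk. Keep a build-time check so drift between those two fails loudly instead of surfacing at install time: `RUN corepack enable && yarn --version`. Separately, as I understand it recent Node.js lines are dropping Corepack from the default distribution; if the base image (`FROM` line, outside this hunk) is on one of those, `corepack enable` will fail and Corepack has to be installed explicitly before this line, e.g. `RUN npm install -g corepack`.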