
fix(deps): pin critical native dependencies to exact versions#975

Open
xiaolai wants to merge 1 commit intostablyai:mainfrom
xiaolai:fix/pin-critical-native-deps

Conversation

@xiaolai

@xiaolai xiaolai commented Apr 23, 2026

Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.

Security Fix (Low severity)

node-pty, @parcel/watcher, and electron are native modules that are compiled for a specific Electron ABI at install time (they appear in pnpm.onlyBuiltDependencies). All three currently use ^ semver constraints, which allows pnpm install to silently pull in any compatible minor or patch release.

Impact: An unexpected minor or patch bump for a native dependency can:

  • Ship a different compiled binary (different ABI expectations, potential crash)
  • Introduce a vulnerable version window between releases and lock-file refreshes
  • Expand the supply chain attack surface for packages that execute compiled native code

node-pty in particular already has a patch file (patches/node-pty@1.1.0.patch) that targets exactly 1.1.0 — a ^ constraint could pull in 1.2.0 and silently skip that patch.

Fix

Pin node-pty, @parcel/watcher, and electron to their current exact versions. Other dependencies are left as-is; this targets only the native packages where ABI stability and patch integrity matter most.

Note: after merging, regenerate pnpm-lock.yaml with pnpm install to reflect the updated constraints.

node-pty, @parcel/watcher, and electron are native modules that are
rebuilt for a specific Electron ABI at install time (listed under
pnpm.onlyBuiltDependencies). Using ^ constraints allows pnpm to
silently pull in minor and patch upgrades that may ship a different
native binary or introduce a vulnerable version before a lock-file
refresh catches it. Pinning to exact versions makes the installed
tree fully reproducible and reduces the supply-chain attack surface
for the packages most likely to execute compiled code.

Co-Authored-By: Claude Code <noreply@anthropic.com>
@nwparker nwparker added the size/xs Extra small PR (≤25 added lines, 1 file) label Apr 26, 2026
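The check the PR argues for can be automated as a lint over package.json. The following is an added example, not code from this PR or the stablyai project: it flags any package listed under pnpm.onlyBuiltDependencies whose declared specifier is a range rather than an exact version, and it flags a pnpm.patchedDependencies entry such as node-pty@1.1.0 whose declared specifier no longer equals the patched version (the case in which a ^ bump silently skips the patch). The sample manifest is constructed; versions other than node-pty 1.1.0 are placeholders.

```javascript
// Added example: audit native-module pins in a package.json object (not the project's code).
// An "exact" specifier is a bare semver version, optionally with prerelease/build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Return the specifier declared for `name`, whichever dependency field holds it.
function declaredSpec(pkg, name) {
  for (const field of DEP_FIELDS) {
    if (pkg[field] && pkg[field][name] !== undefined) return pkg[field][name];
  }
  return undefined;
}

// Returns a list of { name, spec, reason } findings; an empty list means the manifest is clean.
function auditNativePins(pkg) {
  const findings = [];
  const native = (pkg.pnpm && pkg.pnpm.onlyBuiltDependencies) || [];
  for (const name of native) {
    const spec = declaredSpec(pkg, name);
    if (spec === undefined) continue; // only reached transitively; nothing to pin here
    if (!EXACT.test(spec)) findings.push({ name, spec, reason: 'range specifier on native module' });
  }
  // pnpm.patchedDependencies keys look like "name@version"; lastIndexOf handles scoped names.
  const patched = (pkg.pnpm && pkg.pnpm.patchedDependencies) || {};
  for (const key of Object.keys(patched)) {
    const at = key.lastIndexOf('@');
    const name = key.slice(0, at);
    const version = key.slice(at + 1);
    const spec = declaredSpec(pkg, name);
    if (spec !== undefined && spec !== version) {
      findings.push({ name, spec, reason: `patch targets ${version}, declared specifier differs` });
    }
  }
  return findings;
}

// Constructed sample mirroring the PR description; only node-pty 1.1.0 comes from the PR,
// the other version numbers are placeholders.
const SAMPLE = {
  dependencies: { 'node-pty': '^1.1.0', '@parcel/watcher': '^2.0.0', 'left-pad': '^1.3.0' },
  devDependencies: { electron: '^30.0.0' },
  pnpm: {
    onlyBuiltDependencies: ['node-pty', '@parcel/watcher', 'electron'],
    patchedDependencies: { 'node-pty@1.1.0': 'patches/node-pty@1.1.0.patch' },
  },
};

console.log(JSON.stringify(auditNativePins(SAMPLE), null, 2)); // 4 findings for the sample
```

When fixing a finding, take the exact version from what the lock file actually resolved rather than the floor of the range, so the pin matches the binary already built and tested.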