Summary
Four devDependencies use "latest" instead of pinned version ranges, creating supply-chain risk.
Details
File: package.json
"bumpp": "latest",
"oxlint": "latest",
"typescript": "latest",
"vitest": "latest"
bumpp is particularly sensitive because it runs during pnpm release, which commits, tags, and triggers npm publish; a malicious bumpp release could therefore tamper with the release pipeline itself. vitest runs arbitrary test code in the developer's or CI environment.
All other dependencies in the project use pinned versions or ^ ranges — these four latest entries are inconsistent.
Fix
Replace each "latest" with a concrete semver range (e.g., "^3.0.0" for vitest) or an exact pinned version, and ensure CI uses pnpm install --frozen-lockfile so that the lockfile, not the registry's current dist-tag, decides what gets installed.
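As an added example (not part of the original issue), a small Node check that scans every dependency section of a package.json for specs that are dist-tags like "latest" or "*" rather than a semver range or exact version, so CI can fail before such an entry lands; the package.json below is constructed for the demo and mirrors the four entries reported above.

```javascript
// Added example, not the project's own code: flag dependency specs that are
// not a pinned version or semver range (e.g. "latest", "next", "*", "").
const SECTIONS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// A pinned version or semver range starts with a digit, optionally preceded by
// range operators (^ ~ > >= < <=). Dist-tags, "*", "", git/URL/file specs do not
// match and are reported, since none of them resolve to a fixed version.
const SEMVER_RANGE = /^[~^>=<\s]*\d/;

// Returns one finding per unpinned spec: { section, name, spec }.
function findUnpinned(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] ?? {})) {
      if (!SEMVER_RANGE.test(String(spec))) {
        findings.push({ section, name, spec: String(spec) });
      }
    }
  }
  return findings;
}

// Constructed sample package.json: four devDependencies on "latest", the rest ranged.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo",
  dependencies: { "some-lib": "^1.2.3", "other-lib": "2.0.0" },
  devDependencies: {
    bumpp: "latest",
    oxlint: "latest",
    typescript: "latest",
    vitest: "latest",
    eslint: "~9.0.0",
  },
});

// Prints each finding and returns the exit code a CI step would use (1 = fail).
function checkPackageJson(pkgJsonText) {
  const findings = findUnpinned(pkgJsonText);
  for (const f of findings) {
    console.error(`${f.section}.${f.name}: "${f.spec}" is not a pinned version or semver range`);
  }
  return findings.length === 0 ? 0 : 1;
}

checkPackageJson(SAMPLE_PACKAGE_JSON);
```

In a real pipeline, read the repository's package.json with fs.readFileSync and set process.exitCode to the returned value so the job fails on any finding.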