From 56780d51a3c0326285dbec5333f42bfdce0fba9a Mon Sep 17 00:00:00 2001
From: Derek Cofausper <256792747+decofe@users.noreply.github.com>
Date: Mon, 13 Apr 2026 16:22:22 +0000
Subject: [PATCH] chore: add supply chain hardening

- Enable strictDepBuilds, blockExoticSubdeps, trustPolicy in pnpm-workspace.yaml
- Allowlist esbuild, protobufjs, core-js, es5-ext build scripts
- Add Dependabot config for npm + GitHub Actions with 7-day cooldown

Co-Authored-By: horsefacts <109845214+horsefacts@users.noreply.github.com>
---
 .github/dependabot.yml | 21 +++++++++++++++++++++
 pnpm-workspace.yaml | 9 +++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..57312c0f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      production:
+        dependency-type: production
+      development:
+        dependency-type: development
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index ad21c9e4..45dadfb4 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,5 +1,14 @@
+strictDepBuilds: true
+blockExoticSubdeps: true
+trustPolicy: no-downgrade
 minimumReleaseAge: 1440
+onlyBuiltDependencies:
+  - core-js
+  - es5-ext
+  - esbuild
+  - protobufjs
+
 minimumReleaseAgeExclude:
   - accounts
   - mppx
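Review bot: The 7-day `cooldown` on both Dependabot entries and the `minimumReleaseAge: 1440` setting in pnpm-workspace.yaml express the same delayed-adoption policy in different units (days vs. minutes) with no cross-reference, so a future change to one is likely to silently diverge from the other; add a comment above the first `cooldown:` block such as `# Delay adoption of newly published versions; keep aligned with minimumReleaseAge in pnpm-workspace.yaml`. It would also help to note next to `groups:` that grouping by dependency-type batches unrelated version bumps into one PR, which widens the review surface per merge; whether Dependabot security updates are exempt from the cooldown and grouping here is not visible from this file and should be confirmed against the Dependabot docs before relying on it. The second hunk (pnpm-workspace.yaml) is truncated at the end of the patch, so its final line is not visible here.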