mirror of
https://github.com/transloadit/uppy.git
synced 2026-07-17 16:50:22 +00:00
## Why Recent npm supply-chain compromises showed that dependency installs and shared CI caches can execute or preserve newly published malicious packages before advisories catch up. This PR reduces that exposure for this repo. ## What changed - Made eligible Yarn installs immutable and removed shared dependency caching from the manual CDN upload path; existing minimal age gate remains unchanged. ## Validation - Ran `git diff --check` across the prepared worktree. - Audited this PR set for `pull_request_target` and release/deploy/CDN cache reuse; patched actionable hits. - Did not run the full test suite; this is a workflow/config-only change. |
||
|---|---|---|
| .. | ||
| bundlers.yml | ||
| ci.yml | ||
| companion-deploy.yml | ||
| lockfile_check.yml | ||
| manual-cdn.yml | ||
| release.yml | ||