strictDepBuilds=true, plus additional supply-chain attack countermeasures #61 #62
Walkthrough
Migrated the package manager from npm to pnpm across the whole project and unified the pnpm version from 10.10.0 to 11.1.2. The Docker environment now enables pnpm via corepack, the GitHub Actions workflows were switched to pnpm commands, and the project configuration files (package.json, pnpm-workspace.yaml, flake.nix) were updated to match.
Changes
pnpm migration and version unification
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@flake.nix`:
- Line 27: flake.nix currently pulls the top-level pkgs.pnpm (which maps to
pnpm_9) causing a version mismatch with packageManager/Dockerfile and
package.json files that require pnpm@11.1.2; update flake.nix to explicitly use
pnpm_11 from pkgs (pkgs.pnpm_11) or add an overlay that pins pnpm to 11.1.2
(matching the project’s package.json/Dockerfile), ensuring the symbol you change
is the pnpm entry in the top-level package list (the pnpm / pnpm_11 reference)
so the dev environment and chrome-extension/gcp/sheet-scraper
packageManager/Dockerfile versions are consistent.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 49fa2956-b17d-4753-9cfc-18fdb8a7e066
⛔ Files ignored due to path filters (1)
flake.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
.github/workflows/README.md
.github/workflows/build-chromeex/action.yaml
.github/workflows/images/Dockerfile.node
.github/workflows/images/Dockerfile.playwright
.github/workflows/test-chromeex/action.yaml
chrome-extension/package.json
chrome-extension/pnpm-workspace.yaml
flake.nix
gcp/sheet-scraper/Dockerfile
gcp/sheet-scraper/package.json
| packages = with pkgs; [ | ||
| nodejs_24 | ||
| nodePackages.pnpm | ||
| pnpm |
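Review bot: swapping nodePackages.pnpm for the top-level pnpm attribute still leaves the dev shell on whatever pkgs.pnpm aliases, which per the nixpkgs analysis below is pnpm_9 while pnpm_11 is still being integrated, whereas chrome-extension/package.json, gcp/sheet-scraper/package.json and gcp/sheet-scraper/Dockerfile all pin pnpm@11.1.2. Prefer pkgs.pnpm_11 once it exists in the pinned nixpkgs, or pin pnpm to 11.1.2 through an overlay, so that nix develop, the Docker images and the CI steps agree on the version the packageManager field requires.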
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Inspect the pnpm package information available in Nix
# Check whether the pnpm packages exist
if command -v nix &> /dev/null; then
echo "=== Checking pnpm package in nixpkgs-unstable ==="
nix eval nixpkgs#pnpm.version --raw 2>/dev/null || echo "pkgs.pnpm not found"
echo ""
echo "=== Checking nodePackages.pnpm package ==="
nix eval nixpkgs#nodePackages.pnpm.version --raw 2>/dev/null || echo "nodePackages.pnpm not found"
else
echo "Nix is not available in this environment"
fi
Repository: ano333333/ongeki-score-fetch
Length of output: 113
🌐 Web query:
nixpkgs unstable pnpm package availability
💡 Result:
In nixpkgs unstable (2026-05-24), pnpm is available in multiple versioned packages, notably pnpm_8, pnpm_9, and pnpm_10 (with additional variant labels like pnpm_10_29_2) via pkgs.development.tools.pnpm.default.nix [1][2]. The top-level pnpm attribute is also set to pnpm_9 in the nixpkgs tree (i.e., pnpm aliases pnpm_9) [3].
Concrete availability in nixpkgs (unstable) based on the current pnpm packaging definitions:
- pnpm_8 exists, pinned to a specific pnpm 8.x version in the nixpkgs pnpm default.nix variant table [1].
- pnpm_9 exists, pinned to a specific pnpm 9.x version in the nixpkgs pnpm default.nix variant table [1].
- pnpm_10 exists, pinned to a specific pnpm 10.x version in the nixpkgs pnpm default.nix variant table [1].
- Additional pnpm_10_* variants can exist to handle known breaking changes (example comment/variant for 10.29.2) [1].
Related build tooling availability (how pnpm is intended to be used in nixpkgs builds):
- nixpkgs provides fetchPnpmDeps and pnpmConfigHook infrastructure for building pnpm-based JS projects reproducibly [4][5].
Notes on package name changes / aliases:
- Older nixpkgs guidance used nodePackages.pnpm; however, nixpkgs has been deprecating/removing "nodePackages.*" usage in favor of other patterns (e.g., overlays/overrides), and there are documented issues about pnpm being wrapped with an unintended nodejs version when using the aliasing approach [6][7].
How to check quickly in your local nixpkgs-unstable checkout:
- Look under pkgs.development.tools.pnpm (it defines pnpm_8, pnpm_9, pnpm_10, etc.) [1].
- In that same tree, check that pnpm = pnpm_9 is exported at the top-level all-packages layer [3].
Citations:
- 1: https://github.com/NixOS/nixpkgs/blob/cfef0805/pkgs/development/tools/pnpm/default.nix
- 2: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/tools/pnpm/generic.nix
- 3: NixOS/nixpkgs@8fe4a3a
- 4: https://github.com/NixOS/nixpkgs/blob/cfef0805/pkgs/build-support/node/fetch-pnpm-deps/default.nix
- 5: https://deepwiki.com/NixOS/nixpkgs/4.4-pnpm-and-modern-node.js-build-patterns
- 6: nodejs_latest.pkgs.pnpm: wrapped with older nodejs NixOS/nixpkgs#389299
- 7: https://discourse.nixos.org/t/how-to-use-pnpm-with-recent-nodejs/21867
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# flake.nixの該当行(27)周辺を確認
if [ -f flake.nix ]; then
nl -ba flake.nix | sed -n '15,45p'
else
echo "flake.nix not found"
fiRepository: ano333333/ongeki-score-fetch
Length of output: 115
🌐 Web query:
nixpkgs unstable pnpm_11 package
💡 Result:
As of May 24, 2026, the pnpm_11 package is actively being integrated into nixpkgs [1][2]. While development and testing are ongoing—including recent work to ensure deterministic builds for the pnpm v11 store index [3] and fixes for binary execution [4]—it is not yet part of the standard stable release or fully merged into the main nixpkgs-unstable branch as a finalized, widely available attribute [5]. Users tracking the progress of pnpm_11 can follow the primary development efforts in the nixpkgs repository, specifically through pull requests and commits related to its initialization and store reproducibility [1][3][2]. Because pnpm v11 introduced significant changes, such as using a SQLite database for the store index, the integration requires careful handling of build reproducibility and pnpmConfigHook compatibility [1][3]. If you need to use pnpm 11 before it is officially available in your channel, you may need to track the relevant pull requests or use a local overlay to pull in the work-in-progress definitions [1][6]. Once merged, it is expected to follow the established naming convention in nixpkgs, where pinned versions are exposed as pnpm_X (e.g., pnpm_10, pnpm_11) [7][8].
Citations:
- 1: pnpm_11: init at 11.1.0 NixOS/nixpkgs#505103
- 2: Update Request: pnpm 10.33.2 → 11.0.0 NixOS/nixpkgs#514444
- 3: fetchPnpmDeps: fix reproducibility of pnpm v11 store index NixOS/nixpkgs#522703
- 4: NixOS/nixpkgs@342203f
- 5: Nix flake auto-update disabled until nixpkgs ships pnpm 11 Nano-Collective/nanocoder#511
- 6: https://discourse.nixos.org/t/mixing-stable-and-unstable-packages-on-flake-based-nixos-system/50351
- 7: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-frameworks/javascript.section.md
- 8: NixOS/nixpkgs@8fe4a3a
🏁 Script executed:
#!/bin/bash
set -euo pipefail
if [ -f flake.nix ]; then
echo "== flake.nix: lines 20-35 =="
awk 'NR>=20 && NR<=35 {printf "%d:%s\n", NR, $0}' flake.nix
echo
echo "== flake.nix: all pnpm occurrences =="
rg -n "pnpm" flake.nix
else
echo "flake.nix not found"
fiRepository: ano333333/ongeki-score-fetch
Length of output: 777
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n "pnpm@|packageManager|pnpm_11|11\.1\.2" . || trueRepository: ano333333/ongeki-score-fetch
Length of output: 312
Please align the pnpm version in flake.nix with pnpm@11.1.2 (the version specified by packageManager and the Dockerfile); leaving it as plain pnpm risks a mismatch.
- flake.nix uses with pkgs; [ ... pnpm ... ] (the top-level pnpm attribute of pkgs).
- On the other hand, chrome-extension/package.json, gcp/sheet-scraper/package.json and gcp/sheet-scraper/Dockerfile all specify pnpm@11.1.2.
In nixpkgs-unstable the top-level pnpm is currently an alias for pnpm_9, and pnpm_11 is still being integrated, so flake.nix as it stands carries a version-mismatch risk. Please match the dev environment's pnpm to what the project specifies, for example by using pnpm_11 explicitly or pinning pnpm@11.1.2 via an overlay.
It only moves when nix flake update runs, and at that point the version just needs to be updated, so I judged that adjusting it at this stage is fine for now.
@ano333333, thank you for the explanation. Since flake.lock is updated when nix flake update runs, aligning the pnpm version at that time is a reasonable way to operate. Understood.
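The thread settles on aligning the nix-provided pnpm with the packageManager pin by hand whenever nix flake update bumps nixpkgs. A small guard makes that drift visible instead of silent. The script below is an added example, not code from the ano333333/ongeki-score-fetch repository or from CodeRabbit: it reads the pnpm@X.Y.Z pin out of a package.json's packageManager field (tolerating the +sha512... integrity suffix corepack appends) and compares it with the pnpm on PATH, returning 1 on a mismatch and 2 when no pnpm pin exists. The sample package.json files it writes to a temp directory are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the project's code): fail fast when the pnpm on PATH does
# not match the version pinned in package.json's "packageManager" field.
# Exit codes: 0 = match, 1 = mismatch, 2 = no pnpm@ pin found.

# Print the "X.Y.Z" pinned in a package.json. The pin may carry an integrity
# suffix ("pnpm@11.1.2+sha512...."); everything after "+" is dropped.
pinned_pnpm_version() {
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"pnpm@\([^"+]*\)[^"]*".*/\1/p' "$1" | head -n 1
}

# Compare the pin in $1 (package.json path) with the installed version $2.
# $2 defaults to `pnpm --version`, so the function can be called from a
# devShell shellHook or a CI step with a single argument.
check_pnpm_version() {
  pkg_json=$1
  installed=${2:-$(pnpm --version 2>/dev/null)}
  pinned=$(pinned_pnpm_version "$pkg_json")
  if [ -z "$pinned" ]; then
    echo "no pnpm@ packageManager pin in $pkg_json" >&2
    return 2
  fi
  if [ "$pinned" != "$installed" ]; then
    echo "pnpm version mismatch: packageManager pins $pinned, PATH has ${installed:-none}" >&2
    return 1
  fi
  echo "pnpm $installed matches $pkg_json"
  return 0
}

# Constructed sample inputs (not the repository's real package.json files).
tmp=$(mktemp -d)
cat > "$tmp/pinned.json" <<'EOF'
{ "name": "sample", "packageManager": "pnpm@11.1.2+sha512.0000" }
EOF
cat > "$tmp/unpinned.json" <<'EOF'
{ "name": "sample", "packageManager": "npm@10.9.0" }
EOF

check_pnpm_version "$tmp/pinned.json" 11.1.2                       # match
check_pnpm_version "$tmp/pinned.json" 9.15.0   || echo "exit $?"  # mismatch, exit 1
check_pnpm_version "$tmp/unpinned.json" 11.1.2 || echo "exit $?"  # no pin, exit 2
rm -rf "$tmp"
```

Wired into the flake's devShell shellHook (or the workflow before pnpm install), the check turns the "adjust it when nix flake update lands" agreement into something that fails loudly the first time pkgs.pnpm and the packageManager field disagree.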
Summary by CodeRabbit
Release notes