From e729c1f37cf036c0627f21d0d56c70d73fa74edb Mon Sep 17 00:00:00 2001
From: Yos Riady
Date: Wed, 20 May 2026 14:34:54 +0700
Subject: [PATCH 1/2] Harden supply chain security

---
 .github/workflows/ci.yml | 19 +++++++++++++++++++
 package.json | 2 +-
 pnpm-workspace.yaml | 5 ++---
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e640684..f4b21f0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,3 +59,22 @@ jobs:
 
 - name: Run tests
 run: pnpm test
+
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+ with:
+ version: 11.1.2
+
+ - name: Setup Node
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+ with:
+ node-version: "22.14.0"
+
+ - name: Audit production dependencies
+ run: pnpm audit --prod --audit-level=high
diff --git a/package.json b/package.json
index 196efb4..f761722 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 "lint": "tsc --noEmit"
 },
 "dependencies": {
- "ethereum-cryptography": "^3.2.0"
+ "ethereum-cryptography": "3.2.0"
 },
 "devDependencies": {
 "@swc/core": "^1.3.102",
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 5cc2578..b385f79 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -8,9 +8,8 @@ packages:
 - '.'
 
 # Supply-chain cooldown: don't resolve dependency versions until they
-# are at least 2880 minutes (48h) old. pnpm 11's default is 1440 (24h);
-# this preserves the explicit 48h policy from PR #14.
-minimumReleaseAge: 2880
+# are at least 10080 minutes (7d) old. pnpm 11's default is 1440 (24h).
+minimumReleaseAge: 10080
 
 # Dependency build-script policy (pnpm 11 strictDepBuilds default).
 # Both packages ship prebuilt native bindings via platform-specific
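Review bot: The new `audit` job in the ci.yml hunk declares no `permissions:` block, so unless the workflow sets a restrictive top-level `permissions:` above line 59 (not visible in this hunk) it runs with the repository's default `GITHUB_TOKEN` scope, which is more than `pnpm audit` needs; add `permissions:` / `contents: read` directly under `audit:` so the job holds a read-only token. Separately, `pnpm audit --prod --audit-level=high` fails the job on any high-or-worse advisory with no acceptance path in the hunk; when a finding is triaged as not applicable, record that decision in the repo (pnpm reads `pnpm.auditConfig.ignoreCves` from package.json) rather than loosening `--audit-level`. Minor style point: `version: 11.1.2` could be quoted to match `node-version: "22.14.0"` in the same job.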
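Review bot: Raising `minimumReleaseAge` to 10080 in the pnpm-workspace.yaml hunk also holds back security fix releases younger than seven days, so when the new `audit` job fails on a high-severity advisory whose patched version is that fresh, `pnpm update` will refuse to resolve it; the second patch's message shows the cooldown has already blocked a routine `pnpm install` on a transitive. The comment next to the setting should state that trade-off and the escape hatch, e.g. `# Trade-off: fix releases younger than 7d are also held back; for an urgent patch lower this temporarily or exclude the package via minimumReleaseAgeExclude.` The removed mention of PR #14 also drops the only recorded rationale for a non-default cooldown; keep a one-line reason for choosing 7d.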
From 73663dd7e2bb26ca2763b86b97590a4d10290630 Mon Sep 17 00:00:00 2001
From: Yos Riady
Date: Wed, 20 May 2026 14:38:51 +0700
Subject: [PATCH 2/2] Sync lockfile specifier with pinned ethereum-cryptography
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The dependency pin in package.json (^3.2.0 → 3.2.0) left the lockfile specifier out of sync, which broke `pnpm install --frozen-lockfile` in CI. The resolved version is unchanged (3.2.0); only the specifier field is updated. A full `pnpm install` would have been blocked by the 7d minimumReleaseAge cooldown against a recently-bumped transitive, so the lockfile is edited surgically.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 pnpm-lock.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 8273a86..104a04b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -14,7 +14,7 @@ importers:
 .:
 dependencies:
 ethereum-cryptography:
- specifier: ^3.2.0
+ specifier: 3.2.0
 version: 3.2.0
 devDependencies:
 '@swc/core':