getformo · yosriady · May 20, 2026 · May 20, 2026 · May 20, 2026 · gemini-code-assist
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -59,3 +59,22 @@ jobs:
 
       - name: Run tests
         run: pnpm test
+
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          version: 11.1.2
+
+      - name: Setup Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "22.14.0"
+
+      - name: Audit production dependencies
+        run: pnpm audit --prod --audit-level=high
diff --git a/package.json b/package.json
@@ -26,7 +26,7 @@
     "lint": "tsc --noEmit"
   },
   "dependencies": {
-    "ethereum-cryptography": "^3.2.0"
+    "ethereum-cryptography": "3.2.0"
-    "ethereum-cryptography": "3.2.0"
+    "ethereum-cryptography": "^3.2.0"
-    "ethereum-cryptography": "3.2.0"
+    "ethereum-cryptography": "^3.2.0"
   },
   "devDependencies": {
     "@swc/core": "^1.3.102",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -8,9 +8,8 @@ packages:
   - '.'
 
 # Supply-chain cooldown: don't resolve dependency versions until they
-# are at least 2880 minutes (48h) old. pnpm 11's default is 1440 (24h);
-# this preserves the explicit 48h policy from PR #14.
-minimumReleaseAge: 2880
+# are at least 10080 minutes (7d) old. pnpm 11's default is 1440 (24h).
+minimumReleaseAge: 10080
 
 # Dependency build-script policy (pnpm 11 strictDepBuilds default).
 # Both packages ship prebuilt native bindings via platform-specific