feat(ci): improve npm supply chain security - improve Dependabot config by slorber · Pull Request #11874 · facebook/docusaurus

slorber · 2026-04-02T09:44:39Z

Motivation

Improve our CI security and dependency upgrade workflows

Following various recommendations from different sources to reduce the risk of npm supply chain attacks targeting Docusaurus and its transitive dependencies

Sources:

Main changes:

Use yarn install --frozen-lockfile in CI
Remove usage of npx in CI
Use Dependabot exclude-path option (new) to exclude examples/**
Restore Dependabot version upgrades with a PR limit + add a cooldown to delay updates

Also included: a workflow to detect compromised packages periodically and on each PR:

Install our monorepo with sfw (Socket Firewall Free) to block known malware (with existing lockfile)
Generate a new Docusaurus site from our standard template
Install the new site with sfw and without a lockfile to find potentially compromised dependencies
Use pnpm features to detect unexpected pre/postinstall scripts and Trusted Publishing downgrades

Planned later, in other PRs:

Upgrade/change package manager (still using Yarn v1 😅), get access to better security options (pnpm v10+ has the best options afaik)
Figure out a way to reduce risk for all newly initialized sites created from our CLI. This might mean generating proprietary package manager config options at init time? 🤔

Things to explore further:

check usage of ${{ secrets.GITHUB_TOKEN }} and contents: write in other workflows
https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts
https://www.npmjs.com/package/@lavamoat/preinstall-always-fail

Test Plan

CI

Test links

https://deploy-preview-11874--docusaurus-2.netlify.app/

socket-security · 2026-04-02T09:45:49Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality
@docusaurus/module-type-aliases@3.9.2
@docusaurus/preset-classic@3.9.2
@docusaurus/types@3.9.2
@docusaurus/core@3.9.2
react@16.14.0 ⏵ 19.2.0	⁺¹	⁺⁷
@mdx-js/react@3.1.0 ⏵ 3.1.1
prism-react-renderer@2.4.1
react-dom@16.14.0 ⏵ 19.2.0	⁺⁷	⁺³

View full report

netlify · 2026-04-02T09:47:31Z

✅ [V2]

Name	Link
🔨 Latest commit	`d65de74`
🔍 Latest deploy log	https://app.netlify.com/projects/docusaurus-2/deploys/69ce8f0d3d14b90008b08529
😎 Deploy Preview	https://deploy-preview-11874--docusaurus-2.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

github-actions · 2026-04-02T09:48:37Z

Size Change: 0 B

Total Size: 11.9 MB

ℹ️ View Unchanged

Filename	Size	Change
`website/.docusaurus/codeTranslations.json`	2 B	0 B
`website/.docusaurus/docusaurus.config.mjs`	29 kB	0 B
`website/.docusaurus/globalData.json`	38.7 kB	0 B
`website/.docusaurus/i18n.json`	1.36 kB	0 B
`website/.docusaurus/registry.js`	178 kB	0 B
`website/.docusaurus/routes.js`	88.6 kB	0 B
`website/.docusaurus/routesChunkNames.json`	92.4 kB	0 B
`website/.docusaurus/site-metadata.json`	2.54 kB	0 B
`website/build/assets/css/styles.********.css`	146 kB	0 B
`website/build/assets/js/main.********.js`	742 kB	0 B
`website/build/assets/js/runtime~main.********.js`	39.3 kB	0 B
`website/build/blog.html`	77.1 kB	0 B
`website/build/blog/2017/12/14/introducing-docusaurus.html`	65.5 kB	0 B
`website/build/blog/2018/04/30/How-I-Converted-Profilo-To-Docusaurus.html`	44.8 kB	0 B
`website/build/blog/2018/09/11/Towards-Docusaurus-2.html`	49.2 kB	0 B
`website/build/blog/2018/12/14/Happy-First-Birthday-Slash.html`	29 kB	0 B
`website/build/blog/2019/12/30/docusaurus-2019-recap.html`	40 kB	0 B
`website/build/blog/2020/01/07/tribute-to-endi.html`	32.6 kB	0 B
`website/build/blog/2021/01/19/docusaurus-2020-recap.html`	51.4 kB	0 B
`website/build/blog/2021/03/09/releasing-docusaurus-i18n.html`	47.4 kB	0 B
`website/build/blog/2021/05/12/announcing-docusaurus-two-beta.html`	48 kB	0 B
`website/build/blog/2021/11/21/algolia-docsearch-migration.html`	54.2 kB	0 B
`website/build/blog/2022/01/24/docusaurus-2021-recap.html`	43.3 kB	0 B
`website/build/blog/2022/08/01/announcing-docusaurus-2.0.html`	133 kB	0 B
`website/build/blog/2022/09/01/docusaurus-2.1.html`	50.1 kB	0 B
`website/build/blog/archive.html`	23.5 kB	0 B
`website/build/blog/authors.html`	50.3 kB	0 B
`website/build/blog/authors/j-marcey.html`	70.2 kB	0 B
`website/build/blog/authors/josh-cena.html`	46.7 kB	0 B
`website/build/blog/authors/lex-111.html`	55.5 kB	0 B
`website/build/blog/authors/slorber.html`	80.6 kB	0 B
`website/build/blog/authors/slorber/page/2.html`	80.7 kB	0 B
`website/build/blog/authors/slorber/page/3.html`	82.9 kB	0 B
`website/build/blog/authors/slorber/page/4.html`	97.4 kB	0 B
`website/build/blog/authors/slorber/page/5.html`	42.2 kB	0 B
`website/build/blog/authors/yangshun.html`	66.1 kB	0 B
`website/build/blog/authors/zpao.html`	47.2 kB	0 B
`website/build/blog/page/2.html`	77.2 kB	0 B
`website/build/blog/page/3.html`	80.2 kB	0 B
`website/build/blog/page/4.html`	87.5 kB	0 B
`website/build/blog/page/5.html`	62.4 kB	0 B
`website/build/blog/page/6.html`	38 kB	0 B
`website/build/blog/preparing-your-site-for-docusaurus-v3.html`	125 kB	0 B
`website/build/blog/releases/2.2.html`	50.3 kB	0 B
`website/build/blog/releases/2.3.html`	60.6 kB	0 B
`website/build/blog/releases/2.4.html`	64.1 kB	0 B
`website/build/blog/releases/3.0.html`	105 kB	0 B
`website/build/blog/releases/3.1.html`	53.1 kB	0 B
`website/build/blog/releases/3.2.html`	48.9 kB	0 B
`website/build/blog/releases/3.3.html`	56 kB	0 B
`website/build/blog/releases/3.4.html`	55.1 kB	0 B
`website/build/blog/releases/3.5.html`	57.8 kB	0 B
`website/build/blog/releases/3.6.html`	76 kB	0 B
`website/build/blog/releases/3.7.html`	50.6 kB	0 B
`website/build/blog/releases/3.8.html`	85.4 kB	0 B
`website/build/blog/releases/3.9.html`	60.4 kB	0 B
`website/build/blog/tags.html`	27.2 kB	0 B
`website/build/blog/upgrading-frontend-dependencies-with-confidence-using-visual-regression-testing.html`	123 kB	0 B
`website/build/docs.html`	48.4 kB	0 B
`website/build/docs/advanced.html`	30.9 kB	-1 B (0%)
`website/build/docs/advanced/architecture.html`	29.5 kB	+3 B (+0.01%)
`website/build/docs/advanced/client.html`	68.5 kB	0 B
`website/build/docs/advanced/plugins.html`	54 kB	0 B
`website/build/docs/advanced/routing.html`	69 kB	0 B
`website/build/docs/advanced/ssg.html`	73.1 kB	0 B
`website/build/docs/api/docusaurus-config.html`	230 kB	-1 B (0%)
`website/build/docs/api/misc/@docusaurus/eslint-plugin.html`	44.3 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/no-html-links.html`	35.8 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/no-untranslated-text.html`	34.8 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/prefer-docusaurus-heading.html`	36 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/string-literal-i18n-messages.html`	39.6 kB	0 B
`website/build/docs/api/misc/@docusaurus/logger.html`	38.2 kB	0 B
`website/build/docs/api/misc/create-docusaurus.html`	33.3 kB	0 B
`website/build/docs/api/misc/docusaurus-init/index.html`	361 B	0 B
`website/build/docs/api/plugin-methods.html`	61.2 kB	+8 B (+0.01%)
`website/build/docs/api/plugin-methods/extend-infrastructure.html`	58.1 kB	0 B
`website/build/docs/api/plugin-methods/i18n-lifecycles.html`	56.5 kB	0 B
`website/build/docs/api/plugin-methods/lifecycle-apis.html`	157 kB	0 B
`website/build/docs/api/plugin-methods/static-methods.html`	43.9 kB	0 B
`website/build/docs/api/plugins.html`	32.5 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-client-redirects.html`	58.9 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-content-blog.html`	182 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-content-docs.html`	189 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-content-pages.html`	73.5 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-css-cascade-layers.html`	46.8 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-debug.html`	47.4 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-google-analytics.html`	48.9 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-google-gtag.html`	48.4 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-google-tag-manager.html`	47.2 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-ideal-image.html`	51.1 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-pwa.html`	115 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-rsdoctor.html`	40.1 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-sitemap.html`	64.7 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-svgr.html`	45.1 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-vercel-analytics.html`	40.4 kB	0 B
`website/build/docs/api/themes.html`	29.4 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-classic.html`	42.6 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-live-codeblock.html`	35.8 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-mermaid.html`	34.6 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-search-algolia.html`	32.5 kB	-1 B (0%)
`website/build/docs/api/themes/configuration.html`	246 kB	0 B
`website/build/docs/blog.html`	198 kB	0 B
`website/build/docs/browser-support.html`	46.8 kB	0 B
`website/build/docs/category/getting-started.html`	27.7 kB	0 B
`website/build/docs/category/guides.html`	38.1 kB	0 B
`website/build/docs/category/miscellaneous.html`	27.5 kB	0 B
`website/build/docs/cli.html`	59.2 kB	0 B
`website/build/docs/configuration.html`	90.1 kB	0 B
`website/build/docs/create-doc.html`	60.3 kB	0 B
`website/build/docs/creating-pages.html`	56 kB	0 B
`website/build/docs/deployment.html`	210 kB	0 B
`website/build/docs/docs-introduction.html`	49.6 kB	0 B
`website/build/docs/docs-multi-instance.html`	72 kB	0 B
`website/build/docs/docusaurus-core.html`	219 kB	0 B
`website/build/docs/guides/whats-next.html`	32.2 kB	-1 B (0%)
`website/build/docs/i18n/crowdin.html`	141 kB	0 B
`website/build/docs/i18n/git.html`	75.4 kB	0 B
`website/build/docs/i18n/introduction.html`	48.4 kB	0 B
`website/build/docs/i18n/tutorial.html`	161 kB	0 B
`website/build/docs/installation.html`	63.3 kB	0 B
`website/build/docs/introduction/index.html`	280 B	0 B
`website/build/docs/markdown-features.html`	78.5 kB	0 B
`website/build/docs/markdown-features/admonitions.html`	115 kB	0 B
`website/build/docs/markdown-features/assets.html`	84.9 kB	0 B
`website/build/docs/markdown-features/code-blocks.html`	214 kB	0 B
`website/build/docs/markdown-features/diagrams.html`	53.8 kB	0 B
`website/build/docs/markdown-features/head-metadata.html`	50.2 kB	0 B
`website/build/docs/markdown-features/links.html`	40.3 kB	0 B
`website/build/docs/markdown-features/math-equations.html`	89.5 kB	0 B
`website/build/docs/markdown-features/plugins.html`	93.8 kB	0 B
`website/build/docs/markdown-features/react.html`	130 kB	0 B
`website/build/docs/markdown-features/tabs.html`	137 kB	0 B
`website/build/docs/markdown-features/toc.html`	85.2 kB	0 B
`website/build/docs/migration.html`	38.5 kB	0 B
`website/build/docs/migration/v2.html`	38.9 kB	0 B
`website/build/docs/migration/v2/automated.html`	39.3 kB	0 B
`website/build/docs/migration/v2/manual.html`	185 kB	0 B
`website/build/docs/migration/v2/translated-sites.html`	50.1 kB	0 B
`website/build/docs/migration/v2/versioned-sites.html`	58.9 kB	0 B
`website/build/docs/migration/v3.html`	187 kB	0 B
`website/build/docs/playground.html`	31.1 kB	-1 B (0%)
`website/build/docs/resources/index.html`	325 B	0 B
`website/build/docs/search.html`	121 kB	0 B
`website/build/docs/seo.html`	86.3 kB	0 B
`website/build/docs/sidebar.html`	133 kB	0 B
`website/build/docs/sidebar/autogenerated.html`	143 kB	0 B
`website/build/docs/sidebar/items.html`	171 kB	0 B
`website/build/docs/sidebar/multiple-sidebars.html`	60.8 kB	0 B
`website/build/docs/static-assets.html`	50.9 kB	0 B
`website/build/docs/styling-layout.html`	136 kB	0 B
`website/build/docs/support/index.html`	319 B	0 B
`website/build/docs/swizzling.html`	109 kB	0 B
`website/build/docs/team/index.html`	310 B	0 B
`website/build/docs/typescript-support.html`	58.9 kB	0 B
`website/build/docs/using-plugins.html`	104 kB	0 B
`website/build/docs/versioning.html`	89.8 kB	0 B
`website/build/index.html`	35.5 kB	0 B

_{compressed-size-action::DOCUSAURUS_INFRA_FASTER}

github-actions · 2026-04-02T09:49:11Z

⚡️ Lighthouse report for the deploy preview of this PR

URL	Performance	Accessibility	Best Practices	SEO	Report
/	🟠 69	🟢 98	🟢 100	🟢 100	Report
/docs/installation	🟠 65	🟢 97	🟢 100	🟢 100	Report
/docs/category/getting-started	🟠 68	🟢 100	🟢 100	🟠 86	Report
/blog	🟠 66	🟢 96	🟢 100	🟠 86	Report
/blog/preparing-your-site-for-docusaurus-v3	🟠 64	🟢 92	🟢 100	🟢 100	Report
/blog/tags/release	🟠 69	🟢 96	🟢 100	🟠 86	Report
/blog/tags	🟠 69	🟢 100	🟢 100	🟠 86	Report

github-actions · 2026-04-02T09:52:11Z

Size Change: 0 B

Total Size: 12.3 MB

ℹ️ View Unchanged

Filename	Size	Change
`website/.docusaurus/codeTranslations.json`	2 B	0 B
`website/.docusaurus/docusaurus.config.mjs`	29 kB	0 B
`website/.docusaurus/globalData.json`	38.7 kB	0 B
`website/.docusaurus/i18n.json`	1.36 kB	0 B
`website/.docusaurus/registry.js`	178 kB	0 B
`website/.docusaurus/routes.js`	88.6 kB	0 B
`website/.docusaurus/routesChunkNames.json`	92.4 kB	0 B
`website/.docusaurus/site-metadata.json`	2.38 kB	0 B
`website/build/assets/css/styles.********.css`	138 kB	0 B
`website/build/assets/js/main.********.js`	744 kB	0 B
`website/build/assets/js/runtime~main.********.js`	38.9 kB	0 B
`website/build/blog.html`	79.8 kB	0 B
`website/build/blog/2017/12/14/introducing-docusaurus.html`	67.6 kB	0 B
`website/build/blog/2018/04/30/How-I-Converted-Profilo-To-Docusaurus.html`	46.7 kB	0 B
`website/build/blog/2018/09/11/Towards-Docusaurus-2.html`	51.2 kB	0 B
`website/build/blog/2018/12/14/Happy-First-Birthday-Slash.html`	30.6 kB	0 B
`website/build/blog/2019/12/30/docusaurus-2019-recap.html`	41.9 kB	0 B
`website/build/blog/2020/01/07/tribute-to-endi.html`	34.2 kB	0 B
`website/build/blog/2021/01/19/docusaurus-2020-recap.html`	53.5 kB	0 B
`website/build/blog/2021/03/09/releasing-docusaurus-i18n.html`	49.4 kB	0 B
`website/build/blog/2021/05/12/announcing-docusaurus-two-beta.html`	50.1 kB	0 B
`website/build/blog/2021/11/21/algolia-docsearch-migration.html`	56.5 kB	0 B
`website/build/blog/2022/01/24/docusaurus-2021-recap.html`	45.3 kB	0 B
`website/build/blog/2022/08/01/announcing-docusaurus-2.0.html`	137 kB	0 B
`website/build/blog/2022/09/01/docusaurus-2.1.html`	52.4 kB	0 B
`website/build/blog/archive.html`	24.9 kB	0 B
`website/build/blog/authors.html`	52.5 kB	0 B
`website/build/blog/authors/j-marcey.html`	72.8 kB	0 B
`website/build/blog/authors/josh-cena.html`	48.8 kB	0 B
`website/build/blog/authors/lex-111.html`	57.9 kB	0 B
`website/build/blog/authors/slorber.html`	83.5 kB	0 B
`website/build/blog/authors/slorber/page/2.html`	83.6 kB	0 B
`website/build/blog/authors/slorber/page/3.html`	85.9 kB	0 B
`website/build/blog/authors/slorber/page/4.html`	101 kB	0 B
`website/build/blog/authors/slorber/page/5.html`	44.2 kB	0 B
`website/build/blog/authors/yangshun.html`	68.8 kB	0 B
`website/build/blog/authors/zpao.html`	49.3 kB	0 B
`website/build/blog/page/2.html`	80 kB	0 B
`website/build/blog/page/3.html`	82.9 kB	0 B
`website/build/blog/page/4.html`	90.5 kB	0 B
`website/build/blog/page/5.html`	64.8 kB	0 B
`website/build/blog/page/6.html`	39.7 kB	0 B
`website/build/blog/preparing-your-site-for-docusaurus-v3.html`	130 kB	0 B
`website/build/blog/releases/2.2.html`	52.5 kB	0 B
`website/build/blog/releases/2.3.html`	63.1 kB	0 B
`website/build/blog/releases/2.4.html`	66.8 kB	0 B
`website/build/blog/releases/3.0.html`	110 kB	0 B
`website/build/blog/releases/3.1.html`	55.2 kB	0 B
`website/build/blog/releases/3.2.html`	51 kB	0 B
`website/build/blog/releases/3.3.html`	58.3 kB	0 B
`website/build/blog/releases/3.4.html`	57.4 kB	0 B
`website/build/blog/releases/3.5.html`	60.2 kB	0 B
`website/build/blog/releases/3.6.html`	79 kB	0 B
`website/build/blog/releases/3.7.html`	52.9 kB	0 B
`website/build/blog/releases/3.8.html`	88.6 kB	0 B
`website/build/blog/releases/3.9.html`	62.9 kB	0 B
`website/build/blog/tags.html`	28.9 kB	0 B
`website/build/blog/upgrading-frontend-dependencies-with-confidence-using-visual-regression-testing.html`	127 kB	0 B
`website/build/docs.html`	50.3 kB	0 B
`website/build/docs/advanced.html`	32.4 kB	-1 B (0%)
`website/build/docs/advanced/architecture.html`	31 kB	+3 B (+0.01%)
`website/build/docs/advanced/client.html`	71.2 kB	0 B
`website/build/docs/advanced/plugins.html`	56.2 kB	0 B
`website/build/docs/advanced/routing.html`	71.6 kB	0 B
`website/build/docs/advanced/ssg.html`	76.2 kB	0 B
`website/build/docs/api/docusaurus-config.html`	238 kB	-1 B (0%)
`website/build/docs/api/misc/@docusaurus/eslint-plugin.html`	46.5 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/no-html-links.html`	37.6 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/no-untranslated-text.html`	36.6 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/prefer-docusaurus-heading.html`	37.8 kB	0 B
`website/build/docs/api/misc/@docusaurus/eslint-plugin/string-literal-i18n-messages.html`	41.5 kB	0 B
`website/build/docs/api/misc/@docusaurus/logger.html`	39.9 kB	0 B
`website/build/docs/api/misc/create-docusaurus.html`	34.9 kB	0 B
`website/build/docs/api/misc/docusaurus-init/index.html`	361 B	0 B
`website/build/docs/api/plugin-methods.html`	63.6 kB	+8 B (+0.01%)
`website/build/docs/api/plugin-methods/extend-infrastructure.html`	60.4 kB	0 B
`website/build/docs/api/plugin-methods/i18n-lifecycles.html`	58.7 kB	0 B
`website/build/docs/api/plugin-methods/lifecycle-apis.html`	163 kB	0 B
`website/build/docs/api/plugin-methods/static-methods.html`	45.8 kB	0 B
`website/build/docs/api/plugins.html`	34.1 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-client-redirects.html`	61.7 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-content-blog.html`	190 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-content-docs.html`	196 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-content-pages.html`	77.1 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-css-cascade-layers.html`	49 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-debug.html`	49.6 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-google-analytics.html`	51.2 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-google-gtag.html`	50.7 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-google-tag-manager.html`	49.5 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-ideal-image.html`	53.6 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-pwa.html`	120 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-rsdoctor.html`	42.1 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-sitemap.html`	67.6 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-svgr.html`	47.2 kB	0 B
`website/build/docs/api/plugins/@docusaurus/plugin-vercel-analytics.html`	42.5 kB	0 B
`website/build/docs/api/themes.html`	30.9 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-classic.html`	44.7 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-live-codeblock.html`	37.6 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-mermaid.html`	36.3 kB	0 B
`website/build/docs/api/themes/@docusaurus/theme-search-algolia.html`	34.1 kB	-1 B (0%)
`website/build/docs/api/themes/configuration.html`	258 kB	0 B
`website/build/docs/blog.html`	204 kB	0 B
`website/build/docs/browser-support.html`	49 kB	0 B
`website/build/docs/category/getting-started.html`	29.1 kB	0 B
`website/build/docs/category/guides.html`	39.8 kB	0 B
`website/build/docs/category/miscellaneous.html`	28.9 kB	0 B
`website/build/docs/cli.html`	62.7 kB	0 B
`website/build/docs/configuration.html`	93.6 kB	0 B
`website/build/docs/create-doc.html`	62.7 kB	0 B
`website/build/docs/creating-pages.html`	58.4 kB	0 B
`website/build/docs/deployment.html`	218 kB	0 B
`website/build/docs/docs-introduction.html`	51.8 kB	0 B
`website/build/docs/docs-multi-instance.html`	75.2 kB	0 B
`website/build/docs/docusaurus-core.html`	227 kB	0 B
`website/build/docs/guides/whats-next.html`	34 kB	-1 B (0%)
`website/build/docs/i18n/crowdin.html`	146 kB	0 B
`website/build/docs/i18n/git.html`	78.6 kB	0 B
`website/build/docs/i18n/introduction.html`	50.6 kB	0 B
`website/build/docs/i18n/tutorial.html`	168 kB	0 B
`website/build/docs/installation.html`	65.9 kB	0 B
`website/build/docs/introduction/index.html`	280 B	0 B
`website/build/docs/markdown-features.html`	81.4 kB	0 B
`website/build/docs/markdown-features/admonitions.html`	119 kB	0 B
`website/build/docs/markdown-features/assets.html`	88.8 kB	0 B
`website/build/docs/markdown-features/code-blocks.html`	222 kB	0 B
`website/build/docs/markdown-features/diagrams.html`	56.3 kB	0 B
`website/build/docs/markdown-features/head-metadata.html`	52.5 kB	0 B
`website/build/docs/markdown-features/links.html`	42.3 kB	0 B
`website/build/docs/markdown-features/math-equations.html`	93.4 kB	0 B
`website/build/docs/markdown-features/plugins.html`	97.5 kB	0 B
`website/build/docs/markdown-features/react.html`	136 kB	0 B
`website/build/docs/markdown-features/tabs.html`	143 kB	0 B
`website/build/docs/markdown-features/toc.html`	88.7 kB	0 B
`website/build/docs/migration.html`	40.4 kB	0 B
`website/build/docs/migration/v2.html`	40.7 kB	0 B
`website/build/docs/migration/v2/automated.html`	41.2 kB	0 B
`website/build/docs/migration/v2/manual.html`	192 kB	0 B
`website/build/docs/migration/v2/translated-sites.html`	52.3 kB	0 B
`website/build/docs/migration/v2/versioned-sites.html`	61.2 kB	0 B
`website/build/docs/migration/v3.html`	194 kB	0 B
`website/build/docs/playground.html`	32.6 kB	-1 B (0%)
`website/build/docs/resources/index.html`	325 B	0 B
`website/build/docs/search.html`	125 kB	0 B
`website/build/docs/seo.html`	90.1 kB	0 B
`website/build/docs/sidebar.html`	139 kB	0 B
`website/build/docs/sidebar/autogenerated.html`	148 kB	0 B
`website/build/docs/sidebar/items.html`	177 kB	0 B
`website/build/docs/sidebar/multiple-sidebars.html`	63.7 kB	0 B
`website/build/docs/static-assets.html`	53.2 kB	0 B
`website/build/docs/styling-layout.html`	141 kB	0 B
`website/build/docs/support/index.html`	319 B	0 B
`website/build/docs/swizzling.html`	113 kB	0 B
`website/build/docs/team/index.html`	310 B	0 B
`website/build/docs/typescript-support.html`	61.4 kB	0 B
`website/build/docs/using-plugins.html`	108 kB	0 B
`website/build/docs/versioning.html`	93.6 kB	0 B
`website/build/index.html`	37.1 kB	0 B

_{compressed-size-action::DOCUSAURUS_INFRA_SLOWER}

socket-security · 2026-04-02T10:35:21Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: npm `entities` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@docusaurus/core@3.9.2` → `npm/entities@4.5.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/entities@4.5.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `entities` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@docusaurus/core@3.9.2` → `npm/entities@6.0.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/entities@6.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

CI should use yarn install --frozen-lockfile

81a28ef

slorber added the pr: maintenance This PR does not produce any behavior differences to end users when upgrading. label Apr 2, 2026

meta-cla bot added the CLA Signed Signed Facebook CLA label Apr 2, 2026

replace npx pkg-pr-new with pinned dependency graph

efda90f

slorber added 5 commits April 2, 2026 12:42

use yarn playwright instead of npx

cd4f112

add dependabot cooldown

b8ce4d9

improve cooldown comment

01ec126

restore Dependabot updates with cooldown + improve comments

7bf4408

Exclude "examples/**" from dependabot updates

c7eb2a1

slorber changed the title ~~chore(ci): improve supply chain security on GitHub actions~~ chore(ci): improve CI security - Reduce npm supply chain risk, improve Dependabot config Apr 2, 2026

slorber added 12 commits April 2, 2026 14:03

Add CI workflow using SFW

6561dcb

empty

e9053dd

Forbid lifecycle scripts by default in template?

f2b9d21

use pnpm security options to prevent suspicious lifecycles

b4ead26

use pnpm security options to prevent suspicious lifecycles

900536c

use pnpm security options to prevent suspicious lifecycles

f22338a

use pnpm security options to prevent suspicious lifecycles

4098029

use pnpm security options to prevent suspicious lifecycles

763713f

use pnpm security options to prevent suspicious lifecycles

aae962e

use pnpm security options to prevent suspicious lifecycles

d42b6ae

move lockfile-lint to the security workflow

78072e8

pin sfw version

cfe14fc

slorber marked this pull request as ready for review April 2, 2026 15:37

slorber requested a review from Josh-Cena as a code owner April 2, 2026 15:37

Trigger the workflow daily automatically

d65de74

slorber added pr: new feature This PR adds a new API or behavior. and removed pr: maintenance This PR does not produce any behavior differences to end users when upgrading. labels Apr 2, 2026

slorber changed the title ~~chore(ci): improve CI security - Reduce npm supply chain risk, improve Dependabot config~~ feat(ci): improve npm supply chain security - improve Dependabot config Apr 2, 2026

slorber merged commit 4d1a0ce into main Apr 2, 2026
42 checks passed

slorber deleted the slorber/improve-ci-security branch April 2, 2026 16:21

This was referenced Apr 2, 2026

fix dependabot error #11879

Merged

feat: detect provenance regression, such as the axios march 2026 incident lirantal/npq#414

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(ci): improve npm supply chain security - improve Dependabot config#11874

feat(ci): improve npm supply chain security - improve Dependabot config#11874
slorber merged 20 commits intomainfrom
slorber/improve-ci-security

slorber commented Apr 2, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

netlify bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

slorber commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Motivation

Test Plan

Test links

Uh oh!

socket-security bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

netlify bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ [V2]

Uh oh!

github-actions bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚡️ Lighthouse report for the deploy preview of this PR

Uh oh!

github-actions bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

slorber commented Apr 2, 2026 •

edited

Loading

socket-security bot commented Apr 2, 2026 •

edited

Loading

netlify bot commented Apr 2, 2026 •

edited

Loading

github-actions bot commented Apr 2, 2026 •

edited

Loading

github-actions bot commented Apr 2, 2026 •

edited

Loading

github-actions bot commented Apr 2, 2026 •

edited

Loading

socket-security bot commented Apr 2, 2026 •

edited

Loading