Feature: Improve developer security

.github/CONTRIBUTING.md

@@ -6,8 +6,9 @@ Thank you for helping improve Cryptomator's documentation!
 
 1. Fork the repository
 2. Clone your fork: `git clone <your-fork-url>`
-3. Install dependencies: `npm install`
-4. Start development server: `npm start`
+3. Enable Corepack so the pinned pnpm version is used: `corepack enable`
+4. Install dependencies: `pnpm install`
+5. Start development server: `pnpm start`
 
 ## Making Changes
 
@@ -34,6 +35,24 @@ We follow git flow for contributions:
 - Break up long sections with headings and lists
 - Link to related documentation when relevant
 
+## Adding or upgrading dependencies
+
+`pnpm-workspace.yaml` sets `minimumReleaseAge: 4320` (3 days). pnpm
+will refuse to resolve any package version younger than that — most
+malicious releases are detected and unpublished within hours, so the
+delay protects us at near-zero cost.
+
+If you genuinely need a fresh release sooner (e.g. a security fix
+just published), add the specific package/version to
+`minimumReleaseAgeExclude` in `pnpm-workspace.yaml` and call it out
+in the PR description.
+
+Routine upgrades land via Dependabot (configured in
+`.github/dependabot.yml`), which opens monthly grouped PRs for npm
+dependencies and GitHub Actions. Please don't run `pnpm up --latest`
+on the default branch — review the Dependabot PR instead, or open a
+PR with explicit version pins and a changelog link.
+
 ## Code of Conduct
 
 Help us keep Cryptomator open and inclusive. Please read and follow our [Code of Conduct](CODE_OF_CONDUCT.md).

.github/dependabot.yml

@@ -0,0 +1,38 @@
+version: 2
+
+# Reviewed dependency upgrades. Replaces ad-hoc `pnpm up --latest` with
+# Dependabot PRs that go through normal review.
+#
+# - npm ecosystem covers pnpm-lock.yaml (Dependabot understands pnpm).
+# - github-actions ecosystem covers third-party actions in workflows;
+#   they are part of the same supply chain and need the same review.
+# - cooldown.default-days mirrors pnpm-workspace.yaml `minimumReleaseAge`
+#   (3 days) so Dependabot does not propose a version pnpm would refuse
+#   to install.
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 3
+    groups:
+      minor-and-patch:
+        update-types:
+          - minor
+          - patch
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 3
+    groups:
+      minor-and-patch:
+        update-types:
+          - minor
+          - patch

.github/workflows/deploy.yml

@@ -15,22 +15,26 @@ jobs:
         uses: actions/checkout@v4
       - name: Setup Pages
         uses: actions/configure-pages@v5
+      - name: Verify lockfile has no non-registry sources
+        run: scripts/check-lockfile.sh
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-          cache: 'npm'
+          cache: 'pnpm'
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
       - name: Build production
-        run: npm run build
+        run: pnpm run build
       - name: Upload Prod Pages artifact
         uses: actions/upload-pages-artifact@v3
         with:
           name: prod-site
           path: './build'
       - name: Build staging
-        run: npm run build
+        run: pnpm run build
         env:
           SITE_URL: https://docs.staging.cryptomator.org
       - name: Add robots.txt for staging

.gitignore

@@ -1,5 +1,6 @@
 # Dependencies
 /node_modules
+package-lock.json
 
 # Production
 /build

README.md

@@ -8,12 +8,16 @@ We welcome contributions! Please read our [contributing guidelines](.github/CONT
 
 ## Quick Start
 
+This repo uses [pnpm](https://pnpm.io/) (pinned via `packageManager` in
+`package.json`). The easiest way to get a matching version is to enable
+[Corepack](https://nodejs.org/api/corepack.html): `corepack enable`.
+
 ```bash
-npm install
-npm start
+pnpm install
+pnpm start
 ```
 
-Opens dev server at `http://localhost:3000` with live reload.
+Opens dev server at `http://localhost:8000` with live reload.
 
 ## Structure
 
@@ -27,8 +31,8 @@ Opens dev server at `http://localhost:3000` with live reload.
 ## Scripts
 
 ```bash
-npm run build # Build static site
-npm run serve # Serve built site locally
+pnpm build # Build static site
+pnpm serve # Serve built site locally
 ```
 
 Other scripts can be found in `package.json`.