cryptomator · infeo · May 7, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -19,6 +19,21 @@ updates:
       - dependency-name: "io.quarkus:*"
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
 
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 3
+    groups:
+      minor-and-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
   - package-ecosystem: "github-actions"
     directory: "/" # even for `.github/workflows`
     schedule:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,20 +21,26 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          package_json_file: frontend/package.json
+      - name: Check lockfile integrity
+        working-directory: frontend
+        run: bash scripts/check-lockfile.sh
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
-      - name: NPM install
+          cache: 'pnpm'
+          cache-dependency-path: frontend/pnpm-lock.yaml
+      - name: pnpm install
         working-directory: frontend
-        run: npm ci --ignore-scripts
+        run: pnpm install --frozen-lockfile
       - name: Build and test frontend
         working-directory: frontend
-        run: npm run test:coverage
+        run: pnpm run test:coverage
       - name: Deploy frontend
         working-directory: frontend
-        run: npm run dist
+        run: pnpm run dist
       - name: SonarCloud Scan Frontend
         uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
         with:
@@ -96,17 +102,23 @@ jobs:
       packages: write # Required for pushing the image to GHCR
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          package_json_file: frontend/package.json
+      - name: Check lockfile integrity
+        working-directory: frontend
+        run: bash scripts/check-lockfile.sh
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
-      - name: NPM install
+          cache: 'pnpm'
+          cache-dependency-path: frontend/pnpm-lock.yaml
+      - name: pnpm install
         working-directory: frontend
-        run: npm ci --ignore-scripts
+        run: pnpm install --frozen-lockfile
       - name: Deploy frontend
         working-directory: frontend
-        run: npm run dist
+        run: pnpm run dist
       - name: Ensure to use tagged version
         working-directory: backend
         run: ./mvnw versions:set --file pom.xml -DnewVersion=${GITHUB_REF##*/}

diff --git a/.github/workflows/keycloak.yml b/.github/workflows/keycloak.yml
@@ -26,17 +26,23 @@ jobs:
       packages: write # Required for pushing the image to GHCR
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          package_json_file: keycloak/themes/cryptomator/common/resources/package.json
+      - name: Check lockfile integrity
+        working-directory: keycloak/themes/cryptomator/common/resources
+        run: bash scripts/check-lockfile.sh
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-          cache: 'npm'
-          cache-dependency-path: keycloak/themes/cryptomator/common/resources/package-lock.json
+          cache: 'pnpm'
+          cache-dependency-path: keycloak/themes/cryptomator/common/resources/pnpm-lock.yaml
       - name: Install Dependencies
         working-directory: keycloak/themes/cryptomator/common/resources
-        run: npm install
+        run: pnpm install --frozen-lockfile
       - name: Build Theme
         working-directory: keycloak/themes/cryptomator/common/resources
-        run: npm run build
+        run: pnpm run build
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx

diff --git a/frontend/.gitignore b/frontend/.gitignore
@@ -5,4 +5,5 @@ dist-ssr
 .DS_Store
 *.local
 .nyc_output/
-coverage/
+coverage/
+package-lock.json
diff --git a/frontend/README.md b/frontend/README.md
@@ -2,24 +2,52 @@
 
 This project uses Vue 3 + Typescript + Vite.
 
-## Recommended IDE Setup
-
-- [VSCode](https://code.visualstudio.com/) + [Volar](https://marketplace.visualstudio.com/items?itemName=johnsoncodehk.volar)
-
 ## Dev Mode
 
 You can run your application in dev mode that enables live coding using:
 
 ```shell script
-npm install
-npm run dev
+pnpm install
+pnpm dev
 ```
 
 ## Production Build
 
 To build an optimized (production) version of the app, run:
 
 ```shell script
-npm install
-npm run dist
+pnpm install
+pnpm dist
+```
+
+## Recommended IDE Setup
+
+- [VSCode](https://code.visualstudio.com/) + [Volar](https://marketplace.visualstudio.com/items?itemName=johnsoncodehk.volar)
+
+## Package Manager
+
+This project uses [pnpm](https://pnpm.io/). The version is pinned via the
+`packageManager` field in `package.json` and managed by Corepack:
+
+```shell script
+corepack enable
 ```
+
+Do not use `npm` or `yarn` — they bypass the security gates configured in
+`pnpm-workspace.yaml` (lifecycle script allowlist, install cooldown,
+non-registry source blocking).
+
+### Install Cooldown
+
+When adding a brand-new dependency or upgrading to a freshly published
+version, pnpm will resolve to the most recent version older than the
+3 days. If the very latest version is required (e.g. a
+critical security fix), add the package to `minimumReleaseAgeExclude` in
+`pnpm-workspace.yaml`.
+
+### Dependency Upgrades
+
+Don't run `pnpm up --latest` on the default branch. Routine bumps land
+through Dependabot (monthly grouped minor/patch PRs, configured in
+`.github/dependabot.yml`). For an out-of-cycle upgrade, open a PR with
+explicit version pins in `package.json` so the change is reviewable.