pnpm-upgrade
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Automated Toolchain Maintenance: The skill updates the pnpm package manager using the official mechanisms, pnpm self-update and corepack (corepack use pnpm@<version>). These are the standard procedures for keeping development tools up to date; both download from the pnpm project's own distribution channels, which is what the EXTERNAL_DOWNLOADS and COMMAND_EXECUTION flags refer to.
- External API Interaction: It queries the GitHub API to retrieve the latest release tags for the pnpm/action-setup repository. This is a common and legitimate use of public APIs for version tracking.
- Workflow Hardening: A notable security-positive feature is the requirement to resolve release tags to immutable commit SHAs before pinning the action in workflow files. A tag such as v4 is a mutable pointer: whoever controls the repository (or an attacker who compromises it) can re-point it at a different commit, and every workflow that references the tag will then run that code on its next run. A full 40-character commit SHA cannot be moved, so pinning to it (with the tag kept in a trailing comment for readability and dependency-update tooling) protects the CI/CD pipeline against that class of supply chain attack.
- Controlled File Edits: The instructions prioritize minimal, specific edits to package.json and workflow files over broad search-and-replace operations, reducing the risk of accidental configuration errors.
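The procedure the audit describes, as an added example rather than the audited skill's own code: look up the latest pnpm/action-setup release tag, resolve it to a commit SHA (dereferencing annotated tags, whose ref object points at a tag object rather than a commit), and rewrite only the matching `uses:` lines in a workflow file. It assumes curl, jq, grep and sed are installed and, for the two live functions, that api.github.com is reachable; the script name pin.sh and the workflow path in the usage line are illustrative.

```shell
#!/bin/sh
# Added example, not the audited skill's own code. Assumes curl, jq, grep and sed
# are installed and that the GitHub API is reachable for the live functions.
set -eu

API="https://api.github.com"
HDR="Accept: application/vnd.github+json"

# True when $1 is a full 40-hex-digit commit SHA, the only ref form that cannot be moved.
is_full_sha() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Latest release tag of a repo, e.g. latest_release_tag pnpm/action-setup
latest_release_tag() {
  curl -fsSL -H "$HDR" "$API/repos/$1/releases/latest" | jq -r '.tag_name'
}

# Resolve a tag to the commit it points at. An annotated tag returns a "tag"
# object whose .object.sha is the tag object, not the commit, so dereference again.
resolve_tag_sha() {
  repo="$1"; tag="$2"
  ref=$(curl -fsSL -H "$HDR" "$API/repos/$repo/git/ref/tags/$tag")
  type=$(printf '%s' "$ref" | jq -r '.object.type')
  sha=$(printf '%s' "$ref" | jq -r '.object.sha')
  if [ "$type" = "tag" ]; then
    sha=$(curl -fsSL -H "$HDR" "$API/repos/$repo/git/tags/$sha" | jq -r '.object.sha')
  fi
  is_full_sha "$sha" || { echo "could not resolve $repo@$tag to a commit" >&2; return 1; }
  printf '%s\n' "$sha"
}

# Rewrite only the `uses: <action>@<ref>` lines for one action (stdin -> stdout).
# The tag is kept in a trailing comment so reviewers and update bots can still
# see which version the SHA corresponds to. Refuses anything that is not a SHA.
pin_action_uses() {
  action="$1"; sha="$2"; tag="$3"
  is_full_sha "$sha" || { echo "refusing to pin to non-SHA ref: $sha" >&2; return 1; }
  sed -E "s|(uses:[[:space:]]+)${action}@[^[:space:]#]+([[:space:]]*#.*)?|\1${action}@${sha} # ${tag}|"
}

# Live usage (illustrative): ./pin.sh pnpm/action-setup .github/workflows/ci.yml
if [ $# -ge 2 ]; then
  tag=$(latest_release_tag "$1")
  sha=$(resolve_tag_sha "$1" "$tag")
  pin_action_uses "$1" "$sha" "$tag" < "$2" > "$2.tmp" && mv "$2.tmp" "$2"
  echo "pinned $1@$tag -> $sha in $2"
fi
```

The sed expression touches only `uses:` lines for the named action and leaves every other line byte-for-byte intact, which is the "minimal, specific edit" the audit calls for; a global search-and-replace of the old tag string would also hit unrelated actions or comments that happen to contain the same text. The package.json side needs no custom editing at all: `corepack use pnpm@<version>` updates the packageManager field in place.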
Audit Metadata