[pull] main from facebook:main

.github/dependabot.yml

@@ -1,18 +1,29 @@
 version: 2
 updates:
+  ########################
+  # GITHUB ACTIONS UPDATES
   - package-ecosystem: github-actions
     directory: '/'
     schedule:
       interval: weekly
     open-pull-requests-limit: 99
     labels:
       - 'pr: dependencies'
+
+  ########################
+  # NPM VERSION UPDATES
   - package-ecosystem: 'npm'
     directory: '/'
+    exclude-paths:
+      - 'examples/**'
     schedule:
-      interval: 'daily'
-    # Disable version updates for npm dependencies
-    # https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file
-    open-pull-requests-limit: 0
+      interval: 'weekly'
+    # Do not spam too much, we'll adjust this setting if needed
+    open-pull-requests-limit: 5
     labels:
       - 'pr: dependencies'
+    cooldown:
+      default-days: 5
+      semver-major-days: 30
+      semver-minor-days: 7
+      semver-patch-days: 7

.github/workflows/argos.yml

@@ -36,10 +36,10 @@ jobs:
           cache: yarn
 
       - name: Install dependencies
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       - name: Install Playwright browsers
-        run: npx playwright install --with-deps chromium
+        run: yarn playwright install --with-deps chromium
 
       - name: Build website fast
         run: yarn argos:build

.github/workflows/build-blog-only.yml

@@ -29,7 +29,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Build blog-only
         run: yarn workspace website build:blogOnly
         env:

.github/workflows/build-hash-router.yml

@@ -32,7 +32,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       - name: Build Hash Router
         run: yarn build:website:fast

.github/workflows/build-perf.yml

@@ -81,7 +81,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       # Ensure build with a cold cache does not increase too much
       - name: Build (cold cache)

.github/workflows/continuous-releases.yml

@@ -27,7 +27,7 @@ jobs:
           cache: yarn
 
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       - name: Build packages
         run: yarn build:packages
@@ -38,4 +38,4 @@ jobs:
           yarn create-docusaurus template/docusaurus-classic-ts classic --typescript -p npm
 
       - name: Release
-        run: npx pkg-pr-new@0.0.20 publish './packages/*' --template './template/*' --compact --comment=off
+        run: yarn pkg-pr-new publish './packages/*' --template './template/*' --compact --comment=off

.github/workflows/lighthouse-report.yml

@@ -30,7 +30,7 @@ jobs:
           cache: yarn
 
       - name: Install dependencies
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       - name: Build website fast
         run: yarn build:website:fast

.github/workflows/lint-autofix.yml

@@ -25,7 +25,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       - name: AutoFix Format
         run: yarn format

.github/workflows/lint.yml

@@ -31,10 +31,6 @@ jobs:
       - name: Check immutable yarn.lock
         run: git diff --exit-code
 
-      - name: Check for suspicious yarn.lock
-        # for allowed aliases, see https://github.com/yargs/cliui/pull/139/files#r1670711112
-        run: yarn lockfile-lint --path yarn.lock --type yarn --allowed-hosts yarn --validate-https --validate-package-names --validate-integrity --empty-hostname=false --allowed-package-name-aliases react-loadable react-helmet-async string-width-cjs strip-ansi-cjs wrap-ansi-cjs
-
       - name: Lint
         run: |
           echo "::add-matcher::.github/workflows/cspell-problem-matcher.json"

.github/workflows/publish.yml

@@ -56,7 +56,7 @@ jobs:
           git config --global user.name "Docusaurus"
           git config --global user.email "github@docusaurus.io"
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
         # TODO Docusaurus v4: remove after we upgrade the Node version
       - name: Upgrade Lerna
         run: |

.github/workflows/security-supply-chain.yml

@@ -0,0 +1,87 @@
+name: Security
+
+on:
+  schedule:
+    - cron: '0 3 * * *' # every day at 03:00 UTC
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - docusaurus-v**
+  pull_request:
+    branches:
+      - main
+      - docusaurus-v**
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  supply-chain-checks:
+    name: Supply Chain Checks
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Use Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: lts/*
+          # No cache on purpose! We want SFW to fetch packages
+
+      # See https://socket.dev/blog/introducing-socket-firewall
+      - name: Install Socket Firewall Free
+        run: npm install -g sfw@2.0.4
+
+      # Ensure our monorepo gets scanned by SFW
+      - name: Install monorepo dependencies with SFW
+        run: sfw yarn install --frozen-lockfile
+
+      # Check for malicious lockfile injections
+      # See https://github.com/lirantal/npm-security-best-practices#4-prevent-npm-lockfile-injection
+      - name: Check for suspicious yarn.lock
+        # for allowed aliases, see https://github.com/yargs/cliui/pull/139/files#r1670711112
+        run: yarn lockfile-lint --path yarn.lock --type yarn --allowed-hosts yarn --validate-https --validate-package-names --validate-integrity --empty-hostname=false --allowed-package-name-aliases react-loadable react-helmet-async string-width-cjs strip-ansi-cjs wrap-ansi-cjs
+
+      # Generate init template
+      - name: Generate test-website project against main branch
+        run: yarn create-docusaurus ../test-website classic --javascript --skip-install
+
+      # Ensure our init template gets scanned by SFW
+      - name: Install test-website project with SFW
+        run: sfw yarn install --frozen-lockfile
+        working-directory: ../test-website
+
+      # Ensure no unexpected lifecycle (preintall/postinstall scripts)
+      # Only pnpm 10+ has options to fail a build on suspicious lifecycles
+      - name: Forbid lifecycle scripts
+        working-directory: ../test-website
+        run: |
+          rm -rf node_modules
+
+          npm install -g pnpm@10.33.0
+
+          cat > pnpm-workspace.yaml <<'YAML'
+
+          blockExoticSubdeps: true
+
+          strictDepBuilds: true
+          allowBuilds:
+            '@swc/core': true
+            core-js-pure: true
+            core-js: true
+
+          trustPolicy: no-downgrade
+          trustPolicyExclude:
+            - 'detect-port@1.6.1'
+            - 'semver@6.3.1'
+
+          YAML
+
+          pnpm install

.github/workflows/showcase-test.yml

@@ -29,6 +29,6 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Test
         run: yarn test website/src/data/__tests__/user.test.ts

.github/workflows/tests-e2e.yml

@@ -50,11 +50,11 @@ jobs:
           node-version: ${{ matrix.node }}
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Generate test-website project against main branch
         run: yarn test:build:website -s
       - name: Install test-website project with Yarn v1
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
         working-directory: ../test-website
         env:
           npm_config_registry: http://localhost:4873
@@ -87,13 +87,13 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Generate test-website project against main branch
         # Not using test-release.sh => no verdaccio docker image on Windows
         # run: bash ./admin/scripts/test-release.sh -s
         run: yarn create-docusaurus test-website-in-workspace classic --typescript
       - name: Install test-website project with Yarn v1
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
         working-directory: test-website-in-workspace
       - name: Start test-website project
         run: yarn start --no-open
@@ -133,7 +133,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Generate test-website project with ${{ matrix.variant }} against main branch
         run: yarn test:build:website ${{ matrix.variant }}
       - name: Install test-website project with Yarn Berry and nodeLinker = ${{ matrix.nodeLinker }}
@@ -212,7 +212,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Generate test-website project against main branch
         run: yarn test:build:website -st
       - name: Install test-website project with npm
@@ -252,7 +252,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Generate test-website project against main branch
         run: yarn test:build:website -st
       - name: Install test-website project with pnpm

.github/workflows/tests-swizzle.yml

@@ -33,7 +33,7 @@ jobs:
           node-version: lts/*
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
 
       # Swizzle all the theme components
       - name: Swizzle (${{matrix.action}} - ${{matrix.variant}})

.github/workflows/tests-windows.yml

@@ -40,7 +40,7 @@ jobs:
           node-version: ${{ matrix.node }}
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Docusaurus Jest Tests
         run: yarn test
       - name: Create a deep path

.github/workflows/tests.yml

@@ -38,7 +38,7 @@ jobs:
           node-version: ${{ matrix.node }}
           cache: yarn
       - name: Installation
-        run: yarn || yarn || yarn
+        run: yarn install --frozen-lockfile || yarn install --frozen-lockfile || yarn install --frozen-lockfile
       - name: Test
         run: yarn test
       - name: Remove Theme Internal Re-export

package.json

@@ -83,7 +83,7 @@
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
-    "@types/fs-extra": "^9.0.13",
+    "@types/fs-extra": "^11.0.4",
     "@types/jest": "^30.0.0",
     "@types/lodash": "^4.14.197",
     "@types/node": "^20.19.37",
@@ -118,6 +118,7 @@
     "lockfile-lint": "^4.14.0",
     "npm-run-all": "^4.1.5",
     "patch-package": "^8.0.0",
+    "pkg-pr-new": "^0.0.66",
     "postinstall-postinstall": "^2.1.0",
     "prettier": "^2.8.8",
     "react": "^19.2.4",