
Fix remediation setup for pnpm and Python lockfiles#10

Open
ulziibay-kernel wants to merge 1 commit into main from fix/vuln-remediation-pnpm-python-lockfiles


Conversation

Contributor

@ulziibay-kernel ulziibay-kernel commented Jun 3, 2026

Summary

  • Install pnpm in the vulnerability remediation fix job when the target repo declares pnpm or has a pnpm lockfile.
  • Allow Python requirements*.lock files through remediation diff validation.
  • Add a regression test for Python lockfile remediation changes.

Test plan

  • python3 -m unittest scripts/test_vuln_remediation.py
  • git diff --check
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/vuln-remediation.yml"); puts "yaml ok"'

Made with Cursor


Note

Low Risk
CI workflow and dependency-file allowlist changes only; no runtime auth or production app logic.

Overview
The vulnerability remediation fix job now installs pnpm when the target repo declares packageManager: pnpm@… or has a pnpm-lock.yaml, so Socket-driven JS fixes can run in pnpm workspaces (not only Bun when setup-bun is enabled).

Diff validation now treats Python requirements*.lock files as allowed dependency changes (alongside existing requirements*.txt), matching lockfile-based Python flows.

A unit test asserts that bumps to pyproject.toml, requirements.lock, and requirements-dev.lock pass validate_diff.

Reviewed by Cursor Bugbot for commit 0000bf0. Bugbot is set up for automated code reviews on this repo.
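
The detection rule summarised in the review above (install pnpm when package.json declares packageManager: pnpm@<version> or a pnpm-lock.yaml is present), written out as an added example in Python, the language of scripts/test_vuln_remediation.py. This is not the workflow's own code: the function names, the Corepack-style parsing of the packageManager pin, the "latest" fallback for unpinned repos and the npm-based install command are assumptions of this example, and the sample repos it writes are constructed.

```python
"""Decide whether the remediation fix job must install pnpm (added example, not
the workflow's own code).

Rule implemented: pnpm is needed when package.json declares
packageManager: pnpm@<version>, or when pnpm-lock.yaml is present. The function
names, the Corepack-style pin parsing, the "latest" fallback and the npm-based
install command are this example's assumptions; sample repos are constructed.
"""
import json
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Corepack convention: "pnpm@9.1.0", optionally suffixed "+sha512.<hex>".
_PNPM_PIN = re.compile(
    r"^pnpm@(?P<version>\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)(?:\+sha\d+\.[0-9a-fA-F]+)?$"
)


def declared_package_manager(repo_dir: str) -> Optional[str]:
    """The packageManager field of package.json, or None if absent or unreadable."""
    pkg_json = os.path.join(repo_dir, "package.json")
    if not os.path.isfile(pkg_json):
        return None
    try:
        with open(pkg_json, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None  # malformed manifest: fall back to the lockfile check
    value = data.get("packageManager") if isinstance(data, dict) else None
    return value.strip() if isinstance(value, str) else None


def pnpm_requirement(repo_dir: str) -> Tuple[bool, Optional[str]]:
    """Return (needs_pnpm, version_to_install).

    version is the pin from packageManager, "latest" when the repo uses pnpm
    but pins nothing (the unpinned case the monitoring plan flags as a
    lockfile-churn risk), or None when the repo does not use pnpm at all.
    """
    declared = declared_package_manager(repo_dir)
    if declared is not None:
        m = _PNPM_PIN.match(declared)
        if m:
            return True, m.group("version")
        if declared.startswith("pnpm@"):
            return True, "latest"  # e.g. "pnpm@latest": pnpm wanted, no usable pin
    if os.path.isfile(os.path.join(repo_dir, "pnpm-lock.yaml")):
        return True, "latest"  # lockfile without a pin: unpinned install
    return False, None


def install_command(repo_dir: str) -> Optional[str]:
    """Command the fix step would run (assumed form), or None to skip the step."""
    needs, version = pnpm_requirement(repo_dir)
    return f"npm install -g pnpm@{version}" if needs else None


def make_repo(files: Dict[str, str]) -> str:
    """Write a throwaway repo layout (constructed sample input) and return its path."""
    root = tempfile.mkdtemp(prefix="remediation-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    samples = {
        "pinned": {"package.json": json.dumps({"packageManager": "pnpm@9.1.0+sha512.abc123"}),
                   "pnpm-lock.yaml": "lockfileVersion: '9.0'\n"},
        "unpinned": {"package.json": "{}", "pnpm-lock.yaml": "lockfileVersion: '9.0'\n"},
        "yarn": {"package.json": json.dumps({"packageManager": "yarn@4.1.0"}), "yarn.lock": ""},
        "python": {"requirements.lock": "requests==2.32.3\n"},
    }
    for name, files in samples.items():
        print(f"{name:9} {install_command(make_repo(files))}")
```

The pinned version wins over the lockfile so that a remediation run reproduces the repo's own pnpm rather than whatever "latest" resolves to on the runner; the "latest" path is kept only for repos that ship a lockfile without a pin, which is exactly the case worth alerting on.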

Install pnpm when Socket fixes run against pnpm workspaces, and allow Python requirements lockfiles through remediation diff validation.

Co-authored-by: Cursor <cursoragent@cursor.com>
@firetiger-agent

Created a monitoring plan for this PR.

What this PR does: Extends the internal vulnerability-remediation automation to support pnpm workspaces and Python requirements.lock / requirements-dev.lock lockfile formats, so Socket-generated security fixes can land cleanly in repos that use these conventions.

Intended effect:

  • Vuln-remediation workflow conclusion: baseline — failures for pnpm/.lock-using repos; confirmed if workflows complete successfully with only Socket-intended file changes in affected repos.
  • test_accepts_python_requirements_lockfiles CI check: new test; confirmed if it passes green on this PR.

Risks:

  • pnpm version mismatch — if package.json#packageManager is absent, latest pnpm is installed; alert if any vuln-remediation PR in a pnpm repo contains lockfile changes beyond the Socket fix plan.
  • pnpm step runs unconditionally — added without an inputs.setup-pnpm guard; in non-pnpm repos it prints "No pnpm workspace detected." harmlessly, but adds latency; alert if workflow run time exceeds 5 min in a repo that doesn't use pnpm.
  • Overly broad .lock regex requirements[^/]*\.lock could mis-classify non-Python lockfiles; alert if validate_diff passes ok=True for a remediation containing non-Python dependency files.

Status updates will be posted automatically on this PR as monitoring progresses.

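
The diff-validation allowlist, together with the anchoring caveat the monitoring plan raises about the requirements[^/]*\.lock pattern, as an added Python example rather than the repository's own validate_diff. It uses the file classes the PR names (pyproject.toml, requirements*.txt, requirements*.lock, pnpm-lock.yaml); package.json, package-lock.json, yarn.lock and the rejection of an empty diff are this example's assumptions, and the git diff --name-only outputs it checks are constructed.

```python
"""Allowlist check for remediation diffs (added example; not the repo's own
validate_diff).

File classes follow what the PR names (pyproject.toml, requirements*.txt,
requirements*.lock, pnpm-lock.yaml); package.json, package-lock.json, yarn.lock
and the empty-diff rejection are this example's assumptions. Each pattern is
applied with re.fullmatch to the basename, which is the difference between an
allowlist and a substring search: the same requirements[^/]*\\.lock pattern used
with re.search also accepts requirements.lock.bak. Diff outputs are constructed.
"""
import posixpath
import re
from typing import List, Tuple

ALLOWED_BASENAMES = [
    re.compile(r"pyproject\.toml"),
    re.compile(r"requirements[^/]*\.txt"),
    re.compile(r"requirements[^/]*\.lock"),  # the pattern this PR adds
    re.compile(r"pnpm-lock\.yaml"),
    re.compile(r"package\.json"),            # assumed
    re.compile(r"package-lock\.json"),       # assumed
    re.compile(r"yarn\.lock"),               # assumed
]

LOOSE_LOCK = re.compile(r"requirements[^/]*\.lock")


def is_dependency_file(path: str) -> bool:
    """True when the path's basename exactly matches an allowed dependency file."""
    name = posixpath.basename(path.strip().replace("\\", "/"))
    return any(pattern.fullmatch(name) for pattern in ALLOWED_BASENAMES)


def loose_is_lockfile(path: str) -> bool:
    """The unanchored form (substring search), kept only to expose the pitfall."""
    return LOOSE_LOCK.search(path) is not None


def parse_name_only(output: str) -> List[str]:
    """Paths from `git diff --name-only` output; blank lines are ignored."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def validate_diff(changed_paths: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, offenders): ok only if every changed path is allowlisted.

    An empty diff is rejected as well (this example's choice): a remediation
    that changed nothing has no reason to open a PR.
    """
    if not changed_paths:
        return False, []
    offenders = [p for p in changed_paths if not is_dependency_file(p)]
    return not offenders, offenders


# Constructed `git diff --name-only` outputs for two hypothetical remediation runs.
CLEAN_RUN = """pyproject.toml
requirements.lock
services/api/requirements-dev.lock
web/pnpm-lock.yaml
"""

DIRTY_RUN = """requirements.lock
requirements.lock.bak
src/app/auth.py
"""

if __name__ == "__main__":
    for label, output in (("clean", CLEAN_RUN), ("dirty", DIRTY_RUN)):
        ok, offenders = validate_diff(parse_name_only(output))
        print(f"{label}: ok={ok} offenders={offenders}")
    # The loose pattern waves the backup file through; fullmatch does not.
    print("loose:", loose_is_lockfile("requirements.lock.bak"),
          "strict:", is_dependency_file("requirements.lock.bak"))
```

Matching on the basename after a fullmatch means a nested services/api/requirements-dev.lock passes while requirements.lockfile, requirements.lock.bak and Gemfile.lock do not; the alert condition from the plan (ok=True with non-Python dependency files present) is therefore testable directly against validate_diff's return value.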
