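packages:
  - apps/*

# Don't prompt before wiping node_modules when pnpm decides it's stale;
# our checker runs pnpm non-interactively and there's no human to answer.
confirmModulesPurge: false

# ── Supply-chain defences (pnpm 11+) ────────────────────────────────────────
# Project-side belt-and-suspenders so anyone cloning Cmdr gets the same
# install-side guarantees even without the matching keys in their `~/.npmrc`.
# Read alongside `.claude/rules/use-latest-dep-versions.md` — Renovate already
# enforces a 14-day cooldown at PR-open time; this is the install-side
# guardrail for anything that bypasses Renovate (manual `pnpm add`, a fresh
# clone, a contributor without our Renovate config).

# Block installs of versions published less than 14 days ago. pnpm 11 ships
# with a 1440 min (1 day) default; we tighten it. Value is minutes
# (14 days × 24 h × 60 min = 20160). Use `minimumReleaseAgeExclude` to bypass
# per-package for hot-fix CVE patches.
minimumReleaseAge: 20160

# Refuse to install a package whose trust level has dropped since the last
# successful resolve (publisher loses verified status, package transferred to
# an unknown owner). Default is `off`. The win is mitigation against the
# publisher-takeover class; the cost is a manual approval whenever a `pnpm add`
# or update re-resolves the tree and hits a transitive dep that lost provenance.
#
# How to approve a downgrade you've vetted (this WILL fire on `pnpm add` — e.g.
# we've hit chokidar@4.0.3 and semver@5.7.2, both mainstream deps whose old
# versions simply predate npm's provenance rollout, not takeovers):
# 1. Vet it. Open the package on npmjs.com; confirm same maintainer + repo and
#    that the flagged version merely lacks a provenance attestation (uneven
#    rollout), rather than a real ownership transfer.
# 2. One-off, for a single `pnpm add`: re-run with `--trust-policy-exclude <pkg>`
#    (repeatable, scoped to that command, nothing persists), e.g.
#    pnpm add -D <new-dep> --trust-policy-exclude chokidar --trust-policy-exclude semver
# 3. Persistent, for a transitive dep that trips on EVERY add: add a selector
#    to `trustPolicyExclude` (e.g. `chokidar@4.0.3`), or set
#    `trustPolicyIgnoreAfter: <minutes>` to auto-trust downgrades on versions
#    published longer ago than that (still flags fresh-takeover downgrades).
# We set neither today — approvals stay explicit per-add on purpose.
trustPolicy: no-downgrade

# Explicit even though pnpm 11 defaults to true: only direct dependencies may
# use exotic sources (git repos, tarball URLs). The `@srsholmes/tauri-playwright`
# entry in `overrides` below is a top-level direct dep, which is allowed.
# A compromised tree can't pull anything unaudited via a nested git+https://…
blockExoticSubdeps: true

# Pin transitive deps to fix CVEs in older indirect ranges. Every pin MUST be
# nested under `overrides:` — a key written flush with `overrides:` would make
# `overrides` null and silently turn the pin into an unrelated top-level key.
#
# TEMPORARY override: @srsholmes/tauri-playwright is pinned to the vdavid/multi-window
# preview release while upstream PR https://github.com/srsholmes/tauri-playwright/pull/6
# is in review. Drop this entry and bump the @cmdr/desktop dep to ^0.3.0 once upstream
# publishes 0.3.0 to npm. The tarball URL is an exotic source, permitted only
# because this is a direct dep (see `blockExoticSubdeps` above); the lockfile
# should carry the tarball's integrity hash — confirm after the next install.
overrides:
  serialize-javascript: '>=7.0.3'
  lodash: '>=4.17.23'
  cookie: '>=0.7.0'
  tmp: '>=0.2.4'
  '@srsholmes/tauri-playwright': 'https://github.com/vdavid/tauri-playwright/releases/download/v0.3.0-pre.1/srsholmes-tauri-playwright-0.3.0.tgz'

# pnpm 11 requires explicit per-package build-script approval. The legacy
# `pnpm.onlyBuiltDependencies` field in package.json is ignored. Keys are
# package names; `true` approves that package's build scripts, `false` denies
# them. Like `overrides`, these entries must stay nested under `allowBuilds:`.
allowBuilds:
  esbuild: false
  sharp: true
  workerd: true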