Security: pnpm install-side guardrails (14-day cooldown, trust no-downgrade)

vdavid · vdavid · commit d568789fdb1d · 2026-05-23T20:09:39.000+02:00
`minimumReleaseAge: 20160` — block versions younger than 14 days. pnpm 11 ships a 1440 min (1 day) default; tighten to match the project rule in `.claude/rules/use-latest-dep-versions.md`. Renovate already enforces the same 14-day cooldown at PR-open time; this is the install-side guardrail for paths that bypass Renovate (manual `pnpm add`, a fresh clone, a contributor without our Renovate config). `minimumReleaseAgeExclude` remains the per-package opt-out for hot-fix CVE patches. `trustPolicy: no-downgrade` — refuse to install a package whose trust level has dropped since the last successful resolve (publisher loses verified status, package transferred to an unknown owner). Default `off`. Cost: occasional manual approval. Win: mitigation against the publisher-takeover class of attacks. `blockExoticSubdeps: true` — explicit even though pnpm 11 defaults to true. Only direct dependencies may use exotic sources (git repos, tarball URLs). The `@srsholmes/tauri-playwright` entry in `overrides` is a direct dep, allowed. A compromised transitive tree can't pull anything unaudited via a nested `git+https://…` URL. Refs: - https://pnpm.io/supply-chain-security - https://pnpm.io/settings
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -5,6 +5,31 @@ packages:
 # our checker runs pnpm non-interactively and there's no human to answer.
 confirmModulesPurge: false
 
+# ── Supply-chain defences (pnpm 11+) ────────────────────────────────────────
+# Project-side belt-and-suspenders so anyone cloning Cmdr gets the same
+# install-side guarantees even without the matching keys in their `~/.npmrc`.
+# Read alongside `.claude/rules/use-latest-dep-versions.md` — Renovate already
+# enforces a 14-day cooldown at PR-open time; this is the install-side
+# guardrail for anything that bypasses Renovate (manual `pnpm add`, a fresh
+# clone, a contributor without our Renovate config).
+
+# Block installs of versions published less than 14 days ago. pnpm 11 ships
+# with a 1440 min (1 day) default; we tighten it. Value is minutes. Use
+# `minimumReleaseAgeExclude` to bypass per-package for hot-fix CVE patches.
+minimumReleaseAge: 20160
+
+# Refuse to install a package whose trust level has dropped since the last
+# successful resolve (publisher loses verified status, package transferred to
+# an unknown owner). Default is `off`. The cost is an occasional manual
+# approval; the win is mitigation against the publisher-takeover class.
+trustPolicy: no-downgrade
+
+# Explicit even though pnpm 11 defaults to true: only direct dependencies may
+# use exotic sources (git repos, tarball URLs). The `@srsholmes/tauri-playwright`
+# entry in `overrides` below is a top-level direct dep, which is allowed.
+# A compromised tree can't pull anything unaudited via a nested git+https://…
+blockExoticSubdeps: true
+
 # Pin transitive deps to fix CVEs in older indirect ranges.
 # TEMPORARY override: @srsholmes/tauri-playwright is pinned to the vdavid/multi-window
 # preview release while upstream PR https://github.com/srsholmes/tauri-playwright/pull/6
