forked from microsoft/FluidFramework
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpnpm-workspace.yaml
More file actions
143 lines (117 loc) · 5.65 KB
/
Copy pathpnpm-workspace.yaml
File metadata and controls
143 lines (117 loc) · 5.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# This is the workspace definition for the gitrest release group. See https://pnpm.io/pnpm-workspace_yaml for more
# information about the format.
#
# Guidelines for updating this file:
#
# 1. Keep the entries alphabetical wherever possible.
# 2. DO NOT end a glob with "**". E.g. "packages/**". Doing so can include unexpected packages. This is especially true
# of packages for which we build ESM and CJS. Such packages sometimes have package.json files in their source or
# output directories during compilation.
packages:
- "packages/*"
# Supply chain security settings - see /DEV.md for documentation
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
- "@fluidframework/*" # Exclude all @fluidframework scoped packages from the minimumReleaseAge check, because they are published internally and oftentimes we need to update immediately after a previous internal release
resolutionMode: highest
blockExoticSubdeps: true
trustPolicy: no-downgrade
# List of packages known to be safe but for whatever reason were published at a date after another version of the same
# package (including later major versions) which had better provenance information.
# ALWAYS REVIEW CAREFULLY BEFORE ADDING SOMETHING TO THIS LIST.
trustPolicyExclude:
# @octokit/endpoint@9.0.6 (published 2025-02-14, by octokitbot) — pipeline regression.
# Prior trusted: @octokit/endpoint@10.1.3 (provenance, 2025-02-13, by octokitbot), with
# verified provenance from octokit/endpoint.js .github/workflows/release.yml @ refs/heads/main.
# Same publisher account (octokitbot); the v9 maintenance branch publish bypassed release.yml.
# Pulled in transitively via danger@13 → @octokit/rest@20 → @octokit/core@5 → @octokit/request@8.
# No reachable direct-dep bump escapes this without overriding @octokit/rest itself.
- "@octokit/endpoint@9.0.6"
# semver@5.7.2 (published 2023-07-10, by lukekarrys) — legacy maintenance line.
# Prior trusted: semver@7.5.4 (provenance, 2023-07-07, by npm-cli-ops).
# Different publisher account because the 5.x and 6.x maintenance lines are
# hand-published by lukekarrys (a long-time npm/node-semver maintainer), while the
# current 7.x line publishes through the npm-cli OIDC/Actions pipeline. The 5.x/6.x
# lines will not be retroactively re-published with provenance. Pulled in by widely-
# used legacy tooling that pins ^5 / ^6.
# Note: multiple versions of the same package must be combined with "||" — pnpm's
# trust-policy evaluator returns on the first name match and does not aggregate
# subsequent entries for the same package.
- "semver@5.7.2||6.3.1"
# undici-types@6.21.0 (published 2024-11-13, by matteo.collina) — pipeline regression.
# Prior trusted: undici-types@6.19.2 (provenance, 2024-06-18, by matteo.collina).
# Same publisher (undici project lead). Type-only package (.d.ts shipped from undici
# repo); provenance attestation was lost on a subsequent 6.x release.
- "undici-types@6.21.0"
strictDepBuilds: true
engineStrict: true
frozenLockfile: true
linkWorkspacePackages: true
strictPeerDependencies: true
updateNotifier: false
# pnpm 11 enabled this check by default, which runs a frozen-lockfile install before every `pnpm run <script>`.
# That breaks CI flows that modifies versions via `flub bump` then runs script like `pnpm run format`.
# We may want to enable this in the future, but doing so requires changes to the pipelines, so we restore the pnpm 10 defaults for now.
verifyDepsBeforeRun: false
# Use the number of cores on the machine by default.
workspaceConcurrency: 0
overrides:
# Resolve known security vulnerabilities in transitive dependencies.
brace-expansion@>=1 <2: ^1.1.13
brace-expansion@>=2 <3: ^2.0.3
brace-expansion@>=5 <6: ^5.0.6
keyv@>=4 <5: ^5.5.3
on-headers@>=1 <2: ^1.1.0
ts-deepmerge@>=7 <8: ^8.0.0
uuid@>=7 <12: ^11.1.1
# Resolve a known security vulnerability.
ws@>=8 <9: ^8.21.0
# Resolve a known security vulnerability.
fast-uri: ^3.1.2
# Resolve a known security vulnerability (no patched 0.0.x/0.1.x release; move to the 0.2.x line).
tmp: ^0.2.6
# Resolve a known security vulnerability.
form-data@>=4 <5: ^4.0.6
# Resolve known ReDoS vulnerabilities in diff. diff@7.x has no fix so it is bumped to 8.0.3.
diff@>=5 <6: ^5.2.2
diff@>=7 <8: ^8.0.3
diff@>=8 <9: ^8.0.3
# Keep a single @types/node version.
"@types/node": ~22.19.17
# Force ESLint 9.x for flat config support across all packages.
eslint: ~9.39.2
jws: ^3.2.3
nanoid: ^3.3.9
# oclif includes AWS features we do not use; drop to reduce lockfile churn.
oclif>@aws-sdk/client-cloudfront: "-"
oclif>@aws-sdk/client-s3: "-"
# Resolve known js-yaml vulnerability (prototype pollution via merge keys).
js-yaml@<4: ^3.14.2
js-yaml@>=4: ^4.1.1
# Resolve known vulnerabilities in older versions.
qs: ^6.15.2
# Resolve a known security vulnerability.
simple-git: ^3.36.0
# sharp <0.32.6 has a vulnerability flagged by Component Governance (GHSA-54xq-cgqr-rpm3),
# pulled in transitively via jssm-viz-cli.
sharp: ^0.33.2
# Resolve multiple tar vulnerabilities; 6.x line is EOL with no backports.
tar: ^7.5.11
# Resolve known security vulnerabilities across all major version ranges.
minimatch@>=3 <4: ^3.1.5
minimatch@>=5 <6: ^5.1.9
minimatch@>=6 <7: ^6.2.3
minimatch@>=7 <8: ^7.4.9
minimatch@>=8 <9: ^8.0.7
minimatch@>=9 <10: ^9.0.9
minimatch@>=10 <11: ^10.2.4
# Resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists.
serialize-javascript@>=6 <7: ^7.0.4
# Resolve a known vulnerability in express 4.21.2.
express@>=4 <5: ^4.22.1
# Resolve known vulnerabilities in picomatch.
picomatch@>=2 <3: ^2.3.2
picomatch@>=4 <5: ^4.0.4
allowBuilds:
core-js: true
unrs-resolver: true