chore(pnpm): add canonical .pnpmrc

jdalton · jdalton · commit 50f9b2ffc413 · 2026-04-24T21:37:09.000-04:00
Align with the fleet-canonical .pnpmrc declared in socket-repo-template.
This is part of a cross-repo cascade driven from socket-registry's
shamefully-hoist=true removal: every socket-* repo carries the same
baseline so install behavior is uniform and future pnpm default flips
can't silently diverge across the fleet.

Settings:
- ignore-scripts=true            block install scripts unconditionally
- enable-pre-post-scripts=true   pnpm default, declared explicitly
- minimumReleaseAge=10080        7-day quarantine on newly published versions
- auto-install-peers=true        pnpm default, declared explicitly
- strict-peer-dependencies=false pnpm default, declared explicitly
- save-exact=true                pin exact on `pnpm add`

Deliberately omits shamefully-hoist and node-linker. Hoisting hides
phantom transitive-dep usage; isolated linking is the pnpm default
and the fleet-consistent choice.
diff --git a/.pnpmrc b/.pnpmrc
@@ -0,0 +1,27 @@
+# Block install scripts unconditionally. Native deps that must run
+# install scripts (esbuild, etc.) are allowlisted in
+# pnpm-workspace.yaml under allowBuilds.
+ignore-scripts=true
+
+# Run pre/post lifecycle scripts on the workspace root (e.g.
+# prepare -> husky). This is the pnpm default; declared explicitly
+# so a future default flip can't silently disable husky setup.
+enable-pre-post-scripts=true
+
+# Wait 7 days (10080 minutes) before installing newly published
+# versions. Provides a quarantine buffer to detect compromised
+# packages before install.
+# Allowlist via pnpm-workspace.yaml minimumReleaseAgeExclude.
+minimumReleaseAge=10080
+
+# Auto-install missing peer dependencies (pnpm default). Declared
+# explicitly to harden against future default flips.
+auto-install-peers=true
+
+# Don't fail install on peer-dependency conflicts (pnpm default).
+# Declared explicitly to harden against future default flips.
+strict-peer-dependencies=false
+
+# Pin exact versions on `pnpm add`. Catalog and overrides should
+# also be exact pins (5.24.0, not ^5.24.0).
+save-exact=true
