pnpm-workspace.yaml
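# pnpm workspace settings. The nesting below is restored from a flattened
# listing: with every line at column 0, the children of `catalog`,
# `allowBuilds` and `overrides` would parse as unrelated top-level keys and
# the parent keys as null.

# Resolve each dependency range to the highest matching version. The
# minimumReleaseAge window further down still limits which versions are
# eligible.
resolutionMode: highest

# Fail the install when a package version carries weaker trust evidence
# (e.g. provenance / trusted publishing) than earlier releases of the same
# package did.
trustPolicy: no-downgrade

# Catalog: shared dependency versions referenced as "catalog:" in
# package.json. Currently only @socketsecurity/lib needs a catalog
# entry — the .claude/hooks/check-new-deps hook references it via
# "catalog:" so its manifest stays in lockstep with the root.
# NOTE(review): '@types/node' is also listed here, so "only" looks stale —
# update this comment or drop the entry.
catalog:
  '@socketsecurity/lib': 5.26.1
  '@types/node': 24.9.2

# Register .claude/hooks/* as workspace packages so taze (run via
# `pnpm run update`) sees and bumps their package.json manifests
# alongside the root. Keeps hook deps in lockstep with the main tree.
packages:
  - .claude/hooks/*

# Allowlist of dependencies permitted to run their build/install scripts.
# Every entry is code executed at install time, so each one should carry
# its justification next to it.
allowBuilds:
  # NOTE(review): no rationale is recorded for esbuild; presumably its
  # install script is needed to set up the native binary — confirm.
  esbuild: true
  # puppeteer ships a postinstall that downloads Chromium (~300MB).
  # Required because `pnpm tour:build` (the GH Pages workflow) renders
  # mermaid diagrams via puppeteer/Chromium. Disabling it would break
  # the Tour pipeline. CI + Val Town pay the download cost as the
  # uniform-install tradeoff for keeping all workflows symmetric.
  puppeteer: true

# Refuse to run if the pnpm version on PATH differs from the packageManager
# field in package.json. Our setup action pins pnpm via external-tools.json;
# any drift should fail fast, not silently auto-download via @pnpm/exe
# (which in rc.5 leaves a placeholder launcher that errors at runtime).
pmOnFail: error

# Force a single vite version across the whole dependency graph.
# NOTE(review): the reason for this pin is not recorded here; note the
# advisory or compatibility issue so the override can be removed once it
# is no longer needed.
overrides:
  vite: 7.3.2

# Wait 7 days (10080 minutes) before installing newly published packages.
minimumReleaseAge: 10080

# Packages exempt from the soak window above. The first entry is limited to
# one exact version; the scope wildcards exempt every package and every
# future release under those scopes, so a bad publish there is installable
# immediately. Keep this list short — for these scopes the lockfile and
# trustPolicy are the remaining guards.
minimumReleaseAgeExclude:
  - '@anthropic-ai/claude-code@2.1.92'
  - '@socketaddon/*'
  - '@socketbin/*'
  - '@socketregistry/*'
  - '@socketsecurity/*'

# Refuse transitive dependencies declared via git/tarball/local-tarball
# specs — an npm package shouldn't be allowed to drag in a git URL we
# don't control (bypasses npm registry validation, no provenance, no
# soak window). Direct git deps are still allowed (the test suite at
# pnpm/pkg-manager/core/test/install/blockExoticSubdeps.ts confirms
# this). pnpm's current default is `false`; declared explicitly so a
# future flip can't silently change install behavior.
blockExoticSubdeps: true

# Auto-install missing peer deps (pnpm default). Declared explicitly
# so a future default flip can't silently change install behavior.
autoInstallPeers: true

# Run pre/post lifecycle scripts on the workspace root (e.g.
# prepare -> husky). This is the pnpm default; declared explicitly
# so a future default flip can't silently disable husky setup.
# NOTE(review): this setting governs pre<name>/post<name> hooks around
# scripts; confirm it is what gates the `prepare` hook. Dependency build
# scripts are controlled separately by allowBuilds.
enablePrePostScripts: true

# Pin exact versions on `pnpm add`. Catalog and overrides should
# also be exact pins (5.24.0, not ^5.24.0).
saveExact: true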