chore: Harden pnpm-workspace settings

dominic-clerk · dominic-clerk · commit 0ea69ac29fc1 · 2026-04-02T10:07:09.000+01:00
`blockExoticSubdeps`:  transitive dependencies must be resolved from
a trusted source, such as the configured registry, local file paths,
workspace links, or trusted GitHub repositories (node, bun, deno).

`trustPolicy`: pnpm will fail if a package's trust level has decreased
compared to previous releases. For example, if a package was previously
published by a trusted publisher but now only has provenance or no
trust evidence, installation will fail. This helps prevent installing
potentially compromised versions.
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -31,8 +31,11 @@ catalogs:
     '@zxcvbn-ts/language-common': 3.0.4
 
 minimumReleaseAge: 2880
-
 minimumReleaseAgeExclude:
   - '@clerk/*'
   - 'pkglab'
   - 'pkglab-*'
+
+trustPolicy: no-downgrade
+
+blockExoticSubdeps: true
