chore(repo): Harden pnpm-workspace settings (#8226)

dominic-clerk · web-flow · commit a20cf95015ba · 2026-04-07T08:45:07.000+01:00
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -31,8 +31,33 @@ catalogs:
     '@zxcvbn-ts/language-common': 3.0.4
 
 minimumReleaseAge: 2880
-
 minimumReleaseAgeExclude:
   - '@clerk/*'
   - 'pkglab'
   - 'pkglab-*'
+
+trustPolicy: no-downgrade
+trustPolicyExclude:
+  # Their 4.x package was published with provenance and this
+  # triggers the policy because it's based on publish date and
+  # not semver.
+  - 'eslint-import-resolver-typescript@3.10.1'
+  # Same idea, their 7.1.x publish process is more "trustworthy"
+  - 'vite@6.4.1'
+  # Same idea, their 1.x publish process is more "trustworthy"
+  - 'axios@0.30.2'
+  # Same idea, their 7.x publish process is more "trustworthy"
+  - 'semver@5.7.2 || 6.3.1'
+  # Same idea, their 7.x publish process is more "trustworthy"
+  - 'undici@5.29.0 || 6.22.0'
+  # Same idea, their 2.x publish process is more "trustworthy"
+  - 'ua-parser-js@1.0.41'
+  # Same idea, their 10.x publish process is more "trustworthy"
+  - '@octokit/endpoint@9.0.6'
+  # They experimented with provenance for some earlier versions
+  # and then disabled it before re-enabling it again later.
+  - 'undici-types@6.21.0'
+  # Same here
+  - 'chokidar@4.0.3'
+
+blockExoticSubdeps: true
