# pnpm workspace configuration: workspace member globs, a shared dependency
# version catalog, and supply-chain hardening settings (release-age gating,
# an explicit build-script deny list, and a provenance/trust downgrade policy).

# Directories (globs) that make up the workspace.
packages:
  - catalogue
  - e2e
  - examples/**
  - packages/**

# Default pnpm catalog: the single source of truth for dependency version
# ranges shared across workspace packages.
catalog:
  "@tailwindcss/postcss": ^4.3.0
  "@types/node": ^25.9.1
  "@types/react": ^19
  "@types/react-dom": ^19
  "@vitejs/plugin-react": ^5.2.0
  lucide-react: ^1.8.0
  oxfmt: ^0.47.0
  oxlint: ^1.64.0
  react: ^19.2.6
  react-dom: ^19.2.6
  tailwindcss: ^4.2.4
  tsdown: ^0.22.0
  typescript: ^5
  vite: ^7.3.2
  vitest: ^4.1.6

# Supply-chain security settings.
# The following are enabled by default in pnpm@11 and intentionally omitted here:
# - blockExoticSubdeps: true
# - strictDepBuilds: true
# - minimumReleaseAge: 1440 (1 day)
# - verifyDepsBeforeRun: install
# NOTE(review): because these rely on pnpm's defaults rather than explicit
# values, they are only as durable as the pnpm major in use — keep the
# workspace's pnpm version pinned (e.g. via `packageManager` in the root
# package.json) so an older pnpm does not silently drop them.

# Require packages to be published for at least 3 days before allowing install.
# Value is in minutes: 4320 = 3 days (pnpm default: 1440 = 1 day). This gives
# time for a compromised release to be reported and unpublished before it can
# land in this workspace.
minimumReleaseAge: 4320

# Deny lifecycle scripts (preinstall, install, postinstall) for the packages
# below. pnpm resolves optionalDependencies correctly, so the native-binary
# fallback scripts these packages ship are unnecessary; listing each one as
# `false` records that decision explicitly instead of relying on pnpm's
# default handling of unlisted build scripts.
allowBuilds:
  esbuild: false
  "@swc/core": false
  sharp: false
  protobufjs: false
  msw: false
  "@tailor-platform/sdk": false
  "@prisma/engines": false
  # lefthook's postinstall installs git hooks; the root `prepare` script
  # handles that via `lefthook install` instead.
  lefthook: false

# Detect provenance or publisher trust downgrades in dependency updates:
# an update whose trust level is lower than the installed version's
# (e.g. provenance dropped) is rejected.
trustPolicy: no-downgrade
# Each exclusion below disables the downgrade check for exactly one version
# that is a documented false positive. Re-check and remove an entry once the
# resolved range moves past the affected version.
trustPolicyExclude:
  # @swc/core lost provenance from v1.5.19 due to a publishing workflow change (npm → yarn).
  # Fixed in v1.15.2+, but older versions in the range still lack provenance.
  # See: https://github.com/swc-project/swc/issues/11266
  - "@swc/core@1.12.11"
  # semver@6.3.1 is a v6 backport published (2023-07-10) after 7.5.1+, which had provenance.
  # pnpm evaluates trust by publish date (not semver), so this triggers a false downgrade.
  # The semver maintainer states this is not a security concern.
  # See: https://github.com/npm/node-semver/issues/838
  - "semver@6.3.1"
  # reselect@5.1.1 was published locally by a maintainer without provenance,
  # while 5.1.0 was published via GitHub Actions with provenance. Fixed in v5.2.0.
  # See: https://github.com/reduxjs/reselect/issues/752
  - "reselect@5.1.1"

# Save exact versions (no ^/~ range) when adding dependencies, so manifest
# and lockfile agree and version bumps are deliberate, reviewable changes.
saveExact: true