Skip to content

Commit a4f907c

Browse files
committed
docs: add note about integrity check behavior with trustLockfile
1 parent f664741 commit a4f907c

1 file changed

Lines changed: 5 additions & 0 deletions

File tree

pnpm-workspace.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,11 @@ catalog:
3131
# Trust the lockfile so that already-resolved entries skip the minimumReleaseAge /
3232
# trustPolicy verification pass. This prevents unrelated packages from failing
3333
# trust checks when updating a specific dependency.
34+
#
35+
# Note: Since pnpm@11.4, tarball integrity mismatches are always a hard error
36+
# regardless of this setting — a compromised or re-published tarball will still be
37+
# caught at download time even with trustLockfile enabled. The only check skipped
38+
# here is the time-based minimumReleaseAge / trustPolicy verification.
3439
trustLockfile: true
3540

3641
# Require packages to be published for at least 3 days before allowing install (default: 1 day)

0 commit comments

Comments
 (0)