Skip to content

Commit f91636f

Browse files
authored
chore: add trustPolicyExclude for packages with known provenance gaps (#275)
1 parent 08ae1d1 commit f91636f

1 file changed

Lines changed: 14 additions & 0 deletions

File tree

pnpm-workspace.yaml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,20 @@ allowBuilds:
4343

4444
# Detect provenance or publisher trust downgrades in dependency updates
4545
trustPolicy: no-downgrade
46+
trustPolicyExclude:
47+
# @swc/core lost provenance from v1.5.19 due to a publishing workflow change (npm → yarn).
48+
# Fixed in v1.15.2+, but older versions in the range still lack provenance.
49+
# See: https://github.com/swc-project/swc/issues/11266
50+
- "@swc/core@1.12.11"
51+
# semver@6.3.1 is a v6 backport published (2023/7/10) after 7.5.1+ which had provenance.
52+
# pnpm evaluates trust by publish date (not semver), so this triggers a false downgrade.
53+
# The semver maintainer states this is not a security concern.
54+
# See: https://github.com/npm/node-semver/issues/838
55+
- "semver@6.3.1"
56+
# reselect@5.1.1 was published locally by a maintainer without provenance,
57+
# while 5.1.0 was published via GitHub Actions with provenance. Fixed in v5.2.0.
58+
# See: https://github.com/reduxjs/reselect/issues/752
59+
- "reselect@5.1.1"
4660

4761
# Save exact versions when adding dependencies
4862
saveExact: true

0 commit comments

Comments
 (0)