-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpnpm-workspace.yaml
More file actions
87 lines (83 loc) · 4.22 KB
/
Copy pathpnpm-workspace.yaml
File metadata and controls
87 lines (83 loc) · 4.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
packages:
- "packages/*"
# In pnpm v11, overrides must live here (not in package.json's pnpm.overrides).
overrides:
fast-xml-parser@<5.7.0: "5.7.1"
js-yaml@<4.2.0: "4.2.0"
uuid@<14.0.0: "14.0.0"
ajv@<8.18.0: "8.18.0"
brace-expansion@<1.1.13: "1.1.13"
brace-expansion@>=2.0.0 <2.0.2: "2.0.2"
lodash@<4.18.0: "4.18.0"
minimatch@<3.1.4: "3.1.4"
minimatch@>=9.0.0 <9.0.7: "9.0.7"
picomatch@<2.3.2: "2.3.2"
qs@<6.15.2: "6.15.2"
tmp@<0.2.6: "0.2.6"
dompurify@<3.4.11: "3.4.11"
hono@<4.12.25: "4.12.25"
ip-address@<10.1.1: "10.1.1"
fast-uri@<3.1.2: "3.1.2"
fast-xml-builder@<1.1.7: "1.1.7"
mermaid@<11.15.0: "11.15.0"
# devalue 5.6.3..5.8.0 is vulnerable to GHSA-77vg-94rm-hx3p (HIGH, DoS via
# sparse-array deserialization). Comes in transitively through astro@6.3.3
# (used only by @opencodehub/docs, a private workspace package). Pinned to
# 5.8.1 until astro releases a version that constrains devalue itself.
devalue@<5.8.1: "5.8.1"
# esbuild 0.27.3..0.28.0 is vulnerable to GHSA-g7r4-m6w7-qqqr (LOW, dev-server
# path traversal via `\` on Windows). Comes in via astro (which pins
# esbuild@^0.27.3 and never widens it, so Dependabot's security update fails
# with security_update_not_possible) and via tsx@4.x (esbuild@0.28.0). Pinned
# to 0.28.1 — the first patched release — until astro widens its own range.
esbuild@>=0.27.3 <0.28.1: "0.28.1"
# undici < 6.27.0 carries 4 advisories (GHSA-vxpw-j846-p89q HIGH, plus one
# MEDIUM and two LOW). Comes in dev-only and deeply transitively via
# node-gyp -> @npmcli/run-script -> ... -> license-checker-rseidelsohn.
# 6.27.0 is the first patched release on the 6.x line. Floored here so the
# OSV lockfile scan stays clean without forcing the undici 8.x major.
undici@<6.27.0: "6.27.0"
# packageExtensions patch third-party manifests that under-declare their deps.
packageExtensions:
# snyk-nodejs-lockfile-parser@2.8.0 requires('debug') in its lockfile parsers
# (dist/parsers/lock-parser-base.js) but does not declare it — it relied on
# `debug` being flat-hoisted by npm. Under pnpm's strict symlinked layout
# that resolution fails, so `codehub analyze` crashes with
# "Cannot find module 'debug'" when the CLI is installed via `pnpm add -g`.
# Inject the missing dep so pnpm places `debug` in snyk's resolution scope.
# (`npm install -g` is unaffected — it flat-hoists `debug` regardless.)
snyk-nodejs-lockfile-parser:
dependencies:
debug: "4.4.3"
# Project-level settings. In pnpm v11, only auth+registry settings are read
# from .npmrc; non-auth settings belong here or in ~/.config/pnpm/config.yaml.
# User-specific settings (store-dir, package-import-method) stay in
# ~/.config/pnpm/config.yaml.
autoInstallPeers: true
resolutionMode: time-based
engineStrict: true
# Opt out of v11's new 1440-minute (24h) minimum release age gate; this would
# block resolving any package published within the last day — fine for security
# hardening but too conservative for a dev monorepo. Set back to 0 to preserve
# v10 behavior.
minimumReleaseAge: 0
# Allow list for packages that may run install/postinstall scripts.
# In pnpm v11, onlyBuiltDependencies was replaced by allowBuilds (map form).
# Packages not listed here are blocked from running scripts by default
# (strictDepBuilds: true is the v11 default).
allowBuilds:
# Toolchain native addons (dev-time only — not shipped in the CLI bundle).
esbuild: true
lefthook: true
sharp: true
# protobufjs is a transitive dep of onnxruntime-web. Its install script only
# regenerates a bundled .js descriptor that already ships in the tarball, so
# it is NOT needed — keeping it off preserves the zero-native-build install.
protobufjs: false
# No storage native bindings: @ladybugdb/core and @duckdb/node-api were removed
# in the single-file SQLite migration (ADR 0019). onnxruntime-node was replaced
# by onnxruntime-web (prebuilt WASM, no build script). The embedder is now the
# ONLY optional native-free runtime, and it builds nothing at install.
# No tree-sitter entries: native tree-sitter and grammar packages are not
# workspace dependencies. WASMs are vendored at packages/ingestion/vendor/wasms/.
# Re-vendor on demand via the workflow in scripts/build-vendor-wasms.sh.