# pnpm workspace configuration: workspace package globs, hoisting for the
# integration bundles, install-time hardening (lifecycle-script allow list,
# release-age gating, trust policy) and overrides that pin or floor
# transitive versions across the whole dependency graph.
packages:
  - "apps/*"
  - "packages/*"
  - "integrations/*"
  - "services/data-manager"

# Hoist packages that integration frontend files import from the web app.
# Without this, Turbopack can't resolve them when bundling files in integrations/*/.
# NOTE(review): hoisted packages become resolvable from every workspace
# package, so an entry here can hide a missing direct dependency — keep the
# list to what the integration bundles actually import.
publicHoistPattern:
  - "@mui/*"
  - "maplibre-gl"
  - "next-intl"
  - "@turf/*"

# Supply-chain hardening. Keep these explicit so pnpm upgrades or local
# defaults cannot silently relax install-time protections.
strictDepBuilds: true
dangerouslyAllowAllBuilds: false
# Per-package decision on running install-time lifecycle scripts. Each `true`
# grants that package — and every future version of it — script execution
# during install, so review a new `true` with the same care as new code.
# The `false` entries record a deliberate refusal rather than an omission.
allowBuilds:
  "@parcel/watcher": true
  "@swc/core": true
  cpu-features: false
  esbuild: true
  protobufjs: false
  sharp: true
  ssh2: false
# Rejects transitive deps that resolve outside the registry (git/URL/tarball
# specifiers), which bypass the provenance and release-age checks below.
blockExoticSubdeps: true
# Release-age gate, in minutes (1440 = 24 h): versions published more recently
# than this are not selected, which gives the registry time to pull a
# compromised release. With the strict flag, presumably the install fails
# rather than falling back to a too-new version, and a version with no
# publish time is not treated as old enough — confirm both against the
# pnpm docs for the pinned pnpm version before relaxing either.
minimumReleaseAge: 1440
minimumReleaseAgeStrict: true
minimumReleaseAgeIgnoreMissingTime: false
# Refuses a version whose trust evidence (provenance attestation /
# trusted-publisher) is weaker than an earlier version's; see the react-redux,
# reselect and tinyexec pins below for the cases this currently forces.
trustPolicy: no-downgrade

# Overrides apply to every occurrence of the package in the graph, including
# transitive deps. The `parent>child` form scopes an override to `child` as
# resolved under `parent`. A `>=` floor only raises the minimum; per the vite
# note below, check pnpm-lock.yaml that a new floor actually moved an
# already-locked transitive version rather than assuming it did.
overrides:
  "@hey-api/client-fetch": "workspace:*"
  "react": "19.2.7"
  "react-dom": "19.2.7"
  "@tanstack/react-query": "^5.91.3"
  "protobufjs": ">=7.5.5"
  "uuid": ">=14.0.0"
  # Pinned exact to close GHSA-fx2h-pf6j-xcff (server.fs.deny bypass) and
  # GHSA-v6wh-96g9-6wx3 (launch-editor NTLMv2 hash disclosure). Must be exact,
  # not a caret: raising a caret floor doesn't make pnpm re-resolve an
  # already-locked transitive dep, so it kept the vulnerable 8.0.10. 8.0.16 is
  # the only release in the fixed range today; bump this line for later patches.
  # vite is a dev/test-only transitive dep (vitest, better-auth) here.
  "vite": "8.0.16"
  "vitest>vite": "8.0.16"
  "@vitest/mocker>vite": "8.0.16"
  "esbuild": ">=0.28.1"
  "postcss": ">=8.5.10"
  "next": ">=16.2.6"
  "fast-uri": ">=3.1.2"
  "kysely": ">=0.28.17"
  "fast-xml-builder": ">=1.1.7"
  # >=4.1.2 closes GHSA-h67p-54hq-rp68 (quadratic-complexity DoS via merge-key
  # aliases). Pulled in transitively by @changesets/cli.
  "js-yaml": "^4.1.2"
  # read-yaml-file@1.1.0 (a @changesets/cli transitive) calls js-yaml's
  # `safeLoad`, removed in js-yaml 4 — so the js-yaml override above crashes
  # `changeset status`. 2.1.0 is the newest CJS release that uses js-yaml 4's
  # `load` API (3.0.0 is ESM-only and breaks the CJS changesets requires).
  "read-yaml-file": "^2.1.0"
  # react-redux@9.2.0 and reselect@5.1.1 ship without provenance attestation
  # even though earlier and later versions have it; pin to the latest provenance-
  # signed releases so pnpm's `trustPolicy: no-downgrade` lets the install
  # complete. recharts@3.8.1 (the only consumer in apps/web) accepts both ranges.
  "react-redux": "9.3.0"
  "reselect": "5.2.0"
  # tinyexec switched from trusted-publisher to provenance-attestation at 1.2.x,
  # which `trustPolicy: no-downgrade` flags as a downgrade. 1.1.2 (trusted-
  # publisher) satisfies commitlint's `^1.0.0` range, so pin to it until
  # tinyexec regains trusted-publisher evidence on a newer release.
  "tinyexec": "1.1.2"