# Workspace members: every directory directly under packages/ is a
# workspace package. The glob is quoted so YAML does not read the
# leading `*` as an alias reference.
packages:
  - 'packages/*'
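# Supply-chain hardening — see https://pnpm.io/supply-chain-security
#
# minimumReleaseAge: delay installing newly-published versions of any
# dependency by 2 days (2880 minutes). pnpm 11 ships a 1-day default;
# we tighten it slightly. Catches malicious releases that get yanked
# from the registry within hours of publish without blocking ordinary
# upstream releases for a full week.
# Caveat: this gates resolution of *new* versions only. Versions already
# recorded in the lockfile are not re-checked, and a malicious version
# that has already aged past the window installs normally. A deliberate
# bump to a just-published security fix is subject to the same wait.
#
# blockExoticSubdeps: refuse transitive deps pulled from git URLs, raw
# tarballs, or other non-registry sources. Direct deps can still opt in
# explicitly; subdeps cannot smuggle one in. Default in pnpm 11 — pinned
# here so an upstream default change cannot silently relax it.
#
# trustPolicy: fail the install if a package's trust level has dropped
# (e.g. previously signed releases now arriving without provenance).
# Defends against publisher takeover via leaked credentials.
# Caveat: it can only detect a *drop*, so a dependency that has never
# published with provenance gets no signal here — this is not a
# substitute for reviewing new dependencies before adding them.
#
# dangerouslyAllowAllBuilds: explicitly pinned to false. install scripts
# only run for packages approved via `pnpm approve-builds` — silently
# flipping this on would auto-run every dependency's postinstall.
# Keeping the line present (rather than relying on the default) means
# any change to it shows up as a diff in code review.
minimumReleaseAge: 2880
blockExoticSubdeps: true
trustPolicy: no-downgrade
dangerouslyAllowAllBuilds: false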
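# allowBuilds: per-package decision on whether install scripts run.
# With dangerouslyAllowAllBuilds off, a package not listed here has its
# install scripts skipped rather than run; pnpm 11 then fails the
# install if a required build was skipped instead of continuing
# silently, so an omission surfaces at install time, not at runtime.
# Audit each package's install script before adding it here.
#
# Caveat: this allow-list is keyed by package name only, not by version.
# Any future release of esbuild or msw runs its install script without
# further review, so the release-age delay and trust policy configured
# above are the only guards on those two — re-audit when either is
# bumped.
#
# esbuild — downloads the platform-native binary on install
# msw — copies the service-worker shim into the workspace
allowBuilds:
  esbuild: true
  msw: true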