-
-
Notifications
You must be signed in to change notification settings - Fork 485
Expand file tree
/
Copy pathpnpm-workspace.yaml
More file actions
39 lines (37 loc) · 1.58 KB
/
Copy pathpnpm-workspace.yaml
File metadata and controls
39 lines (37 loc) · 1.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
packages:
- packages/*
- docs
- test
- test/*
- scripts/*
- playground/*
allowBuilds:
esbuild: true
nx: true
sharp: true
unrs-resolver: true
engineStrict: true
updateNotifier: false
blockExoticSubdeps: true
minimumReleaseAge: 4320
minimumReleaseAgeExclude:
- '@base-ui/*'
- '@mui/internal-*'
trustPolicy: no-downgrade
# Skip trust-policy checks for packages published more than 365 days ago.
# Some widely-used legacy packages (notably semver@6.x — pulled in by @babel/core@7.x — plus
# reselect@5.1.1 and parts of @octokit/*) dropped provenance attestation for specific releases,
# triggering false-positive trust-downgrade errors. Packages that old have had ample time for
# community review; supply-chain risk is most relevant within a shorter window.
# TODO: drop once @babel/core stops depending on semver@^6.3.1 (no 6.x semver release has
# provenance), and the other legacy packages restore provenance.
trustPolicyIgnoreAfter: 525600
# nanoid@3.3.14 (a transitive dep of postcss@8.5.15) shipped without trust evidence after an
# earlier release published via staged publish, so pnpm rejects it as a trust downgrade. The
# default jobs install from the frozen lockfile (pinned to nanoid@3.3.12) and are unaffected,
# but the React 18 jobs re-resolve the tree without a frozen lockfile and pull this version.
# The independent minimumReleaseAge gate still applies to it. nanoid restored provenance in
# 3.3.15, so once that ages in the resolver moves past 3.3.14 and this exclude becomes inert.
# TODO: drop once the resolved nanoid is >= 3.3.15.
trustPolicyExclude:
- 'nanoid@3.3.14'