-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathpnpm-workspace.yaml
More file actions
107 lines (98 loc) · 4.29 KB
/
pnpm-workspace.yaml
File metadata and controls
107 lines (98 loc) · 4.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Single-package repo. pnpm-workspace.yaml is here so pnpm 11+
# settings (catalog, soak window, pnpm options) live in the same
# canonical location as the rest of the fleet.
# Register .claude/hooks/* as workspace packages so taze (run via
# `pnpm run update`) sees and bumps their package.json manifests
# alongside the root. Keeps hook deps in lockstep with the parent.
# vendor/acorn-wasm + vendor/json-wasm + vendor/toml-wasm are
# registered too so the bundle imports them as packages by name
# rather than via brittle relative `.mts` paths that tsc/tsgo refuse
# without allowImportingTsExtensions.
packages:
- .claude/hooks/*
- vendor/acorn-wasm
- vendor/json-wasm
- vendor/toml-wasm
# Catalog entries shared across hook workspaces. Pinning them here
# keeps the entire hook tree in lockstep with the parent without each
# hook duplicating literal pins.
catalog:
'@sinclair/typebox': 0.34.49
'@socketregistry/packageurl-js': 1.4.2
'@socketregistry/packageurl-js-stable': npm:@socketregistry/packageurl-js@1.4.2
'@socketsecurity/lib': 5.28.0
'@socketsecurity/lib-stable': npm:@socketsecurity/lib@5.28.0
'@socketsecurity/registry': 2.0.2
'@socketsecurity/sdk': 4.0.1
'@socketsecurity/sdk-stable': npm:@socketsecurity/sdk@4.0.1
'@types/mdast': 4.0.4
'@types/node': 24.9.2
'@typescript/native-preview': 7.0.0-dev.20260415.1
'ecc-agentshield': 1.4.0
'mdast-util-from-markdown': 2.0.3
'micromark': 4.0.2
'oxfmt': 0.37.0
'oxlint': 1.52.0
autoInstallPeers: true
resolutionMode: highest
saveExact: true
# Refuse downgrades during install (defense against lockfile downgrade
# attacks).
trustPolicy: no-downgrade
# Trust-policy exclusions: ancient transitive deps that predate npm
# provenance attestation. The `no-downgrade` policy reads
# absence-of-attestation as a regression vs a previously-attested
# version. parse-semver@1.1.1 has been the latest version since 2017
# (the project is dead — there is no newer release to raise to via
# `overrides`), so we accept it explicitly. Drop this entry if vsce
# ever migrates off parse-semver.
trustPolicyExclude:
- 'parse-semver@1.1.1'
- 'compromise@14.15.0'
# Force-raise transitive deps that vsce's tree pins to ancient
# unattested versions. Where a newer attested version exists with a
# compatible API surface, override here instead of granting a trust-
# policy exception. Semver v5 predates npm provenance entirely; v7's
# `parse()`/`coerce()`/`gt()`/`lt()` API surface is what parse-semver
# uses and is unchanged across major versions.
# fast-uri@3.1.2 patches CVEs for path traversal via percent-encoded
# dot segments and host confusion via percent-encoded authority
# delimiters; transitive via ajv/secretlint which haven't bumped.
overrides:
fast-uri: 3.1.2
semver: 7.7.4
# Refuse transitive git/tarball subdeps. Direct git deps are still
# allowed; this only blocks transitive ones (a malicious sub-dep
# can't sneak a git ref past the registry firewall).
blockExoticSubdeps: true
# Soak window: don't install packages younger than 7 days unless they
# match the exclude list. Defends against fresh-malicious-publish
# supply-chain attacks (a published package gets a 7-day quarantine
# during which only existing-cached versions install).
minimumReleaseAge: 10080
minimumReleaseAgeExclude:
- '@socketaddon/*'
- '@socketbin/*'
- '@socketregistry/*'
- '@socketsecurity/*'
# @typescript-eslint v5 metadata is missing the `time` field upstream
# which makes pnpm refuse to evaluate the soak window. v5 is EOL but
# this repo still pins it; drop these exclusions when migrating to
# @typescript-eslint v9+.
- '@typescript-eslint/*'
# Security patch for CVE path traversal + host confusion. Override
# forced via `overrides`; bypass soak window since this is a
# documented security fix.
- 'fast-uri@3.1.2'
# Network-mocking lib used in fleet test suites. v15 betas pre-date
# npm's `time` field for the major; allow pinned beta until v15 GA.
- 'nock@15.0.0-beta.11'
# Postinstall script approvals. pnpm 11 blocks postinstall by default;
# these three packages legitimately need theirs:
# - @vscode/vsce-sign: downloads platform-specific signing binary
# - esbuild: downloads platform-specific bundler binary
# - keytar: native node-gyp build for OS keychain bindings
allowBuilds:
'@vscode/vsce-sign': true
esbuild: true
keytar: true