security: stricter pnpm config blockExoticSubdeps & trustPolicy

[Sheraff]

Enables pnpm's no-downgrade trust policy and blocks exotic transitive dependencies via blockExoticSubdeps.

Summary by CodeRabbit

• Chores
  • Updated workspace configuration settings for enhanced dependency handling and version management policies.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cc462d6c-7ad4-44f2-8842-6e91987ae448

📥 Commits

Reviewing files that changed from the base of the PR and between 8c64c66 and 7617836.

📒 Files selected for processing (1)

• pnpm-workspace.yaml

---

📝 Walkthrough

Walkthrough

This PR updates the pnpm workspace configuration to add two security-focused settings: blockExoticSubdeps to block exotic subdependencies and trustPolicy set to 'no-downgrade' to prevent dependency version downgrades.

Changes

Pnpm workspace security configuration

Layer / File(s)	Summary
Pnpm security configuration additions pnpm-workspace.yaml	Adds blockExoticSubdeps: true and trustPolicy: 'no-downgrade' to enable workspace-wide dependency security enforcement.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A workspace now stands guard with care,
Exotic deps blocked through the air,
No downgrades slip, security tight,
Configuration made safe and right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is minimal and lacks the required template sections including the detailed Changes section, Checklist confirmation, and Release Impact declaration specified in the repository template.	Expand the description to follow the template: add a detailed Changes section explaining the motivation, complete the Checklist items, and declare Release Impact (either with a changeset or marking it as dev-only).

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding security-focused pnpm configuration options (blockExoticSubdeps and trustPolicy) to the workspace configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 7617836

Command	Status	Duration	Result
nx run-many --targets=build --exclude=examples/**	✅ Succeeded	<1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-17 13:59:27 UTC

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@tanstack/intent@137

commit: 7617836