security: stricter pnpm config blockExoticSubdeps & trustPolicy by Sheraff · Pull Request #220 · TanStack/pacer

Sheraff · 2026-05-17T13:59:09Z

Enables pnpm's no-downgrade trust policy and blocks exotic transitive dependencies via blockExoticSubdeps.

Summary by CodeRabbit

Chores
- Updated workspace configuration settings for improved dependency management and security controls.

coderabbitai · 2026-05-17T13:59:21Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fe7ab175-dda3-457c-b158-e2483e450a72

📥 Commits

Reviewing files that changed from the base of the PR and between a894009 and 028a254.

📒 Files selected for processing (1)

pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

The workspace configuration adds two new top-level pnpm settings to enforce stricter dependency management: blockExoticSubdeps: true prevents exotic subdependencies, and trustPolicy: 'no-downgrade' enforces trust policy constraints for all workspace packages.

Changes

Workspace Dependency Security Settings

Layer / File(s)	Summary
Workspace safety settings `pnpm-workspace.yaml`	Adds `blockExoticSubdeps: true` to block exotic subdependencies and `trustPolicy: 'no-downgrade'` to enforce no-downgrade trust policy across the workspace.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops through config files,
With two lines added, all smiles—
Exotic deps blocked with care,
Trust policy in the air,
Dependencies safe and bright! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The provided description is minimal and lacks the required template structure with sections for detailed changes, checklist items, and release impact assessment.	Expand the description to follow the template: add a detailed '🎯 Changes' section explaining the motivation, complete the '✅ Checklist', and specify the '🚀 Release Impact' (whether a changeset is needed).

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding stricter pnpm configuration settings (blockExoticSubdeps and trustPolicy) for security purposes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

nx-cloud · 2026-05-17T13:59:47Z

View your CI Pipeline Execution ↗ for commit 028a254

Command	Status	Duration	Result
`nx run-many --targets=build --exclude=examples/**`	✅ Succeeded	1s	View ↗

☁️ Nx Cloud last updated this comment at 2026-05-17 13:59:47 UTC

pkg-pr-new · 2026-05-17T14:00:44Z

More templates

@tanstack/angular-pacer

npm i https://pkg.pr.new/@tanstack/angular-pacer@220

@tanstack/pacer

npm i https://pkg.pr.new/@tanstack/pacer@220

@tanstack/pacer-devtools

npm i https://pkg.pr.new/@tanstack/pacer-devtools@220

@tanstack/pacer-lite

npm i https://pkg.pr.new/@tanstack/pacer-lite@220

@tanstack/preact-pacer

npm i https://pkg.pr.new/@tanstack/preact-pacer@220

@tanstack/preact-pacer-devtools

npm i https://pkg.pr.new/@tanstack/preact-pacer-devtools@220

@tanstack/react-pacer

npm i https://pkg.pr.new/@tanstack/react-pacer@220

@tanstack/react-pacer-devtools

npm i https://pkg.pr.new/@tanstack/react-pacer-devtools@220

@tanstack/solid-pacer

npm i https://pkg.pr.new/@tanstack/solid-pacer@220

@tanstack/solid-pacer-devtools

npm i https://pkg.pr.new/@tanstack/solid-pacer-devtools@220

commit: 028a254

security: stricter pnpm config blockExoticSubdeps & trustPolicy

028a254

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

security: stricter pnpm config blockExoticSubdeps & trustPolicy#220

security: stricter pnpm config blockExoticSubdeps & trustPolicy#220
Sheraff wants to merge 1 commit into
TanStack:mainfrom
Sheraff:stricter-pnpm-deps-config

Sheraff commented May 17, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented May 17, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

❌ Failed checks (1 warning)

Uh oh!

nx-cloud Bot commented May 17, 2026 •

edited

Loading

Uh oh!

pkg-pr-new Bot commented May 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

Sheraff commented May 17, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

❌ Failed checks (1 warning)

Uh oh!

nx-cloud Bot commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pkg-pr-new Bot commented May 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Sheraff commented May 17, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 17, 2026 •

edited

Loading

nx-cloud Bot commented May 17, 2026 •

edited

Loading