
security: stricter pnpm config blockExoticSubdeps & trustPolicy#7425

Merged
schiller-manuel merged 1 commit into main from stricter-pnpm-deps-config on May 17, 2026

Conversation

@Sheraff
Collaborator

@Sheraff Sheraff commented May 17, 2026

Summary by CodeRabbit

  • Chores
    • Updated workspace configuration settings to enhance dependency management security policies.


@coderabbitai
Contributor

coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a1644851-070d-4135-b204-aa9a5d63599b

📥 Commits

Reviewing files that changed from the base of the PR and between ee8a675 and 6cbcbf8.

📒 Files selected for processing (1)
  • pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

The PR updates pnpm-workspace.yaml to add two pnpm workspace configuration settings. The blockExoticSubdeps flag is set to true to prevent installation of exotic dependencies, and trustPolicy is set to 'no-downgrade' to ensure dependency resolution does not downgrade packages during installation.

Changes

pnpm Workspace Configuration

Layer / File(s) Summary
Workspace dependency and trust settings
pnpm-workspace.yaml
Pnpm workspace configuration is updated with blockExoticSubdeps: true and trustPolicy: 'no-downgrade' to enforce dependency resolution policies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A bunny hops through the workspace config,
With blockExoticSubdeps, no weird deps will flock!
trustPolicy keeps versions strong and true,
Two lines of trust for the whole crew! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding stricter pnpm security configurations (blockExoticSubdeps and trustPolicy) to the workspace config.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
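The walkthrough above describes the two new settings but gives no way to see what blockExoticSubdeps: true would actually do to a given repository. The following is an added example, not code from this PR, from TanStack or from pnpm: a small Node script that scans a pnpm-lock.yaml, finds packages whose resolution is a git repository or a tarball URL rather than the registry ("exotic" packages), and separates those declared directly by an importer from those reached only transitively. The transitive ones are what blockExoticSubdeps, by its name, targets, so the script is a way to predict whether enabling it would make `pnpm install` fail. The lockfile text is constructed for the demo (package names, URLs and hashes are invented) and loosely follows the v9 lockfile layout; the line-based parsing is a heuristic, not a full YAML parser. trustPolicy: 'no-downgrade' concerns publishing-trust metadata that lives at the registry and is not something this offline scan can check.

```javascript
// Added example (not part of the TanStack PR or of pnpm): audit a pnpm-lock.yaml
// for "exotic" packages (git or tarball-URL resolutions) and flag those that are
// only reached transitively, i.e. the packages blockExoticSubdeps: true would refuse.
// SAMPLE_LOCKFILE is constructed for this demo; names, URLs and hashes are invented.

const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      left-pad:
        specifier: github:stevemao/left-pad
        version: https://codeload.github.com/stevemao/left-pad/tar.gz/abc123
      lodash:
        specifier: ^4.17.21
        version: 4.17.21

packages:

  left-pad@https://codeload.github.com/stevemao/left-pad/tar.gz/abc123:
    resolution: {tarball: https://codeload.github.com/stevemao/left-pad/tar.gz/abc123}

  lodash@4.17.21:
    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}

  some-helper@https://example.invalid/some-helper-1.0.0.tgz:
    resolution: {tarball: https://example.invalid/some-helper-1.0.0.tgz}

  'sneaky-lib@git+https://example.invalid/sneaky/lib.git#deadbeef':
    resolution: {type: git, repo: https://example.invalid/sneaky/lib.git, commit: deadbeef}
`;

// Strip the single quotes pnpm puts around keys with special characters.
function unquote(s) {
  return s.replace(/^'(.*)'$/, '$1');
}

// Classify a package from its `resolution:` line. Git is checked before tarball
// because a tarball resolution may also carry an integrity hash.
function classifyResolution(line) {
  if (/\btype:\s*git\b/.test(line)) return 'git';
  if (/\btarball:/.test(line)) return 'tarball';
  if (/\bintegrity:/.test(line)) return 'registry';
  return 'unknown';
}

// Line-based walk over the lockfile: collect importer-declared `name@version`
// ids (direct deps) and every entry under `packages:` with its resolution kind.
function parseLockfile(text) {
  const direct = new Set();
  const packages = [];
  let section = null; // current top-level key (importers, packages, snapshots, ...)
  let depName = null; // importer dependency whose `version:` we are waiting for
  let pkg = null;     // package entry whose `resolution:` we are waiting for

  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();

    if (indent === 0 && line.endsWith(':')) {
      section = line.slice(0, -1);
      depName = null;
      pkg = null;
      continue;
    }
    if (section === 'importers') {
      // 6 spaces: a dependency name under dependencies/devDependencies/optionalDependencies
      if (indent === 6 && line.endsWith(':')) {
        depName = unquote(line.slice(0, -1));
      // 8 spaces: its resolved version (a URL when the specifier was exotic)
      } else if (indent === 8 && depName && line.startsWith('version:')) {
        direct.add(`${depName}@${line.slice('version:'.length).trim()}`);
      }
    } else if (section === 'packages') {
      if (indent === 2 && line.endsWith(':')) {
        pkg = { id: unquote(line.slice(0, -1)), kind: 'unknown' };
        packages.push(pkg);
      } else if (indent === 4 && pkg && line.startsWith('resolution:')) {
        pkg.kind = classifyResolution(line);
      }
    }
  }
  return { direct, packages };
}

// Exotic packages split into those an importer declares (allowed by the setting)
// and those that only arrive as subdependencies (what the setting blocks).
function auditLockfile(text) {
  const { direct, packages } = parseLockfile(text);
  const exotic = packages.filter((p) => p.kind === 'git' || p.kind === 'tarball');
  return {
    directExotic: exotic.filter((p) => direct.has(p.id)),
    exoticSubdeps: exotic.filter((p) => !direct.has(p.id)),
  };
}

const report = auditLockfile(SAMPLE_LOCKFILE);
for (const p of report.exoticSubdeps) {
  console.log(`would be blocked by blockExoticSubdeps: ${p.id} (${p.kind})`);
}
for (const p of report.directExotic) {
  console.log(`direct exotic dependency, review it yourself: ${p.id} (${p.kind})`);
}
```

To run it against a real repository, replace SAMPLE_LOCKFILE with the contents of the project's pnpm-lock.yaml (for example via `fs.readFileSync('pnpm-lock.yaml', 'utf8')`). A non-empty exoticSubdeps list means some transitive dependency is fetched from a git host or an arbitrary URL, which bypasses registry-side controls; the remedy is usually to pin or vendor that dependency, or to ask the intermediate maintainer to publish it to the registry, rather than to turn the setting off.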

@nx-cloud
Contributor

nx-cloud Bot commented May 17, 2026

View your CI Pipeline Execution ↗ for commit 6cbcbf8

Command Status Duration Result
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 2m 18s View ↗
nx affected --targets=test:eslint,test:unit,tes... ✅ Succeeded <1s View ↗

☁️ Nx Cloud last updated this comment at 2026-05-17 13:21:30 UTC

@github-actions
Contributor

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

@pkg-pr-new

pkg-pr-new Bot commented May 17, 2026


@tanstack/arktype-adapter

npm i https://pkg.pr.new/@tanstack/arktype-adapter@7425

@tanstack/eslint-plugin-router

npm i https://pkg.pr.new/@tanstack/eslint-plugin-router@7425

@tanstack/eslint-plugin-start

npm i https://pkg.pr.new/@tanstack/eslint-plugin-start@7425

@tanstack/history

npm i https://pkg.pr.new/@tanstack/history@7425

@tanstack/nitro-v2-vite-plugin

npm i https://pkg.pr.new/@tanstack/nitro-v2-vite-plugin@7425

@tanstack/react-router

npm i https://pkg.pr.new/@tanstack/react-router@7425

@tanstack/react-router-devtools

npm i https://pkg.pr.new/@tanstack/react-router-devtools@7425

@tanstack/react-router-ssr-query

npm i https://pkg.pr.new/@tanstack/react-router-ssr-query@7425

@tanstack/react-start

npm i https://pkg.pr.new/@tanstack/react-start@7425

@tanstack/react-start-client

npm i https://pkg.pr.new/@tanstack/react-start-client@7425

@tanstack/react-start-rsc

npm i https://pkg.pr.new/@tanstack/react-start-rsc@7425

@tanstack/react-start-server

npm i https://pkg.pr.new/@tanstack/react-start-server@7425

@tanstack/router-cli

npm i https://pkg.pr.new/@tanstack/router-cli@7425

@tanstack/router-core

npm i https://pkg.pr.new/@tanstack/router-core@7425

@tanstack/router-devtools

npm i https://pkg.pr.new/@tanstack/router-devtools@7425

@tanstack/router-devtools-core

npm i https://pkg.pr.new/@tanstack/router-devtools-core@7425

@tanstack/router-generator

npm i https://pkg.pr.new/@tanstack/router-generator@7425

@tanstack/router-plugin

npm i https://pkg.pr.new/@tanstack/router-plugin@7425

@tanstack/router-ssr-query-core

npm i https://pkg.pr.new/@tanstack/router-ssr-query-core@7425

@tanstack/router-utils

npm i https://pkg.pr.new/@tanstack/router-utils@7425

@tanstack/router-vite-plugin

npm i https://pkg.pr.new/@tanstack/router-vite-plugin@7425

@tanstack/solid-router

npm i https://pkg.pr.new/@tanstack/solid-router@7425

@tanstack/solid-router-devtools

npm i https://pkg.pr.new/@tanstack/solid-router-devtools@7425

@tanstack/solid-router-ssr-query

npm i https://pkg.pr.new/@tanstack/solid-router-ssr-query@7425

@tanstack/solid-start

npm i https://pkg.pr.new/@tanstack/solid-start@7425

@tanstack/solid-start-client

npm i https://pkg.pr.new/@tanstack/solid-start-client@7425

@tanstack/solid-start-server

npm i https://pkg.pr.new/@tanstack/solid-start-server@7425

@tanstack/start-client-core

npm i https://pkg.pr.new/@tanstack/start-client-core@7425

@tanstack/start-fn-stubs

npm i https://pkg.pr.new/@tanstack/start-fn-stubs@7425

@tanstack/start-plugin-core

npm i https://pkg.pr.new/@tanstack/start-plugin-core@7425

@tanstack/start-server-core

npm i https://pkg.pr.new/@tanstack/start-server-core@7425

@tanstack/start-static-server-functions

npm i https://pkg.pr.new/@tanstack/start-static-server-functions@7425

@tanstack/start-storage-context

npm i https://pkg.pr.new/@tanstack/start-storage-context@7425

@tanstack/valibot-adapter

npm i https://pkg.pr.new/@tanstack/valibot-adapter@7425

@tanstack/virtual-file-routes

npm i https://pkg.pr.new/@tanstack/virtual-file-routes@7425

@tanstack/vue-router

npm i https://pkg.pr.new/@tanstack/vue-router@7425

@tanstack/vue-router-devtools

npm i https://pkg.pr.new/@tanstack/vue-router-devtools@7425

@tanstack/vue-router-ssr-query

npm i https://pkg.pr.new/@tanstack/vue-router-ssr-query@7425

@tanstack/vue-start

npm i https://pkg.pr.new/@tanstack/vue-start@7425

@tanstack/vue-start-client

npm i https://pkg.pr.new/@tanstack/vue-start-client@7425

@tanstack/vue-start-server

npm i https://pkg.pr.new/@tanstack/vue-start-server@7425

@tanstack/zod-adapter

npm i https://pkg.pr.new/@tanstack/zod-adapter@7425

commit: 6cbcbf8

@schiller-manuel schiller-manuel merged commit 86b5ca0 into main May 17, 2026
10 checks passed
@schiller-manuel schiller-manuel deleted the stricter-pnpm-deps-config branch May 17, 2026 13:29