security: enable pnpm's no-downgrade trustPolicy #1333
Conversation
✅ Deploy Preview for rslib ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull Request Overview
This PR enhances security by enabling pnpm's no-downgrade trustPolicy, which prevents installing potentially compromised downgraded versions of packages. The pnpm package manager is upgraded from version 10.21.0 to 10.22.0 to support this feature.
- Added
trustPolicy: no-downgradesetting to pnpm workspace configuration - Updated pnpm version requirement from 10.21.0 to 10.22.0
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Adds trustPolicy: no-downgrade configuration to enable security protection against package downgrades |
| package.json | Updates pnpm version from 10.21.0 to 10.22.0 in both packageManager field and engines requirement to support the new trustPolicy feature |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
We can exclude chokidar: https://github.com/web-infra-dev/rslib/actions/runs/19322701784/job/55267109693?pr=1333#step:8:7 |
There are many packages similar to chokidar, it might result in a very long list to config. The problem here is why running |
|
Get, we can wait for pnpm to fix the |
Summary
Enable pnpm's new
no-downgradetrustPolicy. This helps prevent installing potentially compromised versions of a package.Related Links
Checklist