# .npmrc — read by pnpm. `#` starts a full-line comment; keep comments on
# their own lines, since text trailing a value is read as part of the value.
#
# Supply-chain hardening.
# - strict-dep-builds: fail install if a dependency tries to run a build script
# that isn't listed in pnpm-workspace.yaml's allowBuilds. Turns the default
# "warn and continue" into a hard stop so a new transitive postinstall must
# be reviewed before it lands. Scope is lifecycle/build scripts only: it does
# not vet a package's runtime code, so the review of each allowlist entry is
# the actual control.
# - verify-deps-before-run: refuse to run pnpm scripts when node_modules
# diverges from the lockfile, catching the "edited package.json, forgot
# to install" drift class. It only gates script execution that goes through
# pnpm; invoking node directly is unaffected.
# - resolution-mode: time-based resolution. Per the pnpm docs (confirm against
# the pnpm version in use): direct dependencies resolve to the LOWEST version
# satisfying their range, and subdependencies only to versions published
# before the newest direct dependency was published, so subdeps move only when
# a direct dep does. Limits exposure to a compromised brand-new release of a
# transitive dependency. This needs the registry's full metadata (the `time`
# field), so cold-cache installs are slower; the committed lockfile pins the
# resolved set for CI regardless.
strict-dep-builds=true
verify-deps-before-run=error
resolution-mode=time-based
# Enforce engines.node and engines.pnpm at install time. Without this the
# fields are advisory; with it pnpm refuses to install on a mismatched runtime,
# turning the soft contract into a hard floor. This guards version drift, not
# tampering: engines is a compatibility declaration, not an integrity check.
engine-strict=true