Skip to content

security: stricter pnpm config blockExoticSubdeps & trustPolicy#2186

Open
Sheraff wants to merge 1 commit into
TanStack:mainfrom
Sheraff:stricter-pnpm-deps-config
Open

security: stricter pnpm config blockExoticSubdeps & trustPolicy#2186
Sheraff wants to merge 1 commit into
TanStack:mainfrom
Sheraff:stricter-pnpm-deps-config

Conversation

@Sheraff
Copy link
Copy Markdown
Contributor

@Sheraff Sheraff commented May 17, 2026
edited by coderabbitai Bot
Loading

Summary

  • Enable pnpm's no-downgrade trust policy.
  • Block exotic transitive dependencies with blockExoticSubdeps.
  • Remove the redundant danielroe/provenance-action downgrade CI job from PR checks.

Validation

  • pnpm install --frozen-lockfile

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow for pull request previews
    • Updated workspace configuration for enhanced dependency management

Review Change Stack

@Sheraff Sheraff requested a review from a team as a code owner May 17, 2026 14:01
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 17, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 19d846d2-1272-46da-bd86-33e3acea6159

📥 Commits

Reviewing files that changed from the base of the PR and between 6f6f85c and 5f41ed7.

📒 Files selected for processing (2)
  • .github/workflows/pr.yml
  • pnpm-workspace.yaml
💤 Files with no reviewable changes (1)
  • .github/workflows/pr.yml
📝 Walkthrough

Walkthrough

This PR updates two independent infrastructure components: it replaces the provenance verification job with a new version preview job in the GitHub Actions workflow, and it adds two pnpm workspace configuration options to enforce dependency security policies.

Changes

CI Workflow Update

Layer / File(s) Summary
Version preview job replacement
.github/workflows/pr.yml		 The provenance job using danielroe/provenance-action is removed and replaced with a new version-preview job that has pull-requests: write permissions and runs a changeset-preview step.

pnpm Workspace Configuration

Layer / File(s) Summary
Dependency security options
pnpm-workspace.yaml		 Two new pnpm workspace configuration options are added: blockExoticSubdeps: true to block exotic subdependencies and trustPolicy: 'no-downgrade' to prevent version downgrades.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through workflows bright,
Swapping jobs from wrong to right,
Pnpm keeps the deps in line—
Security and previews shine! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description lacks the required template structure with proper sections (Changes, Checklist, Release Impact) and is missing critical checklist items and release impact declarations. Restructure the description to match the template with 🎯 Changes, ✅ Checklist, and 🚀 Release Impact sections, and complete all required checklist items.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main security-focused changes: enabling stricter pnpm configuration with blockExoticSubdeps and trustPolicy settings.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@nx-cloud
Copy link
Copy Markdown

nx-cloud Bot commented May 17, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit 5f41ed7

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 52s View ↗
nx run-many --target=build --exclude=examples/** ✅ Succeeded 1s View ↗

☁️ Nx Cloud last updated this comment at 2026-05-17 14:03:11 UTC

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 17, 2026

More templates

@tanstack/angular-form

npm i https://pkg.pr.new/@tanstack/angular-form@2186

@tanstack/form-core

npm i https://pkg.pr.new/@tanstack/form-core@2186

@tanstack/form-devtools

npm i https://pkg.pr.new/@tanstack/form-devtools@2186

@tanstack/lit-form

npm i https://pkg.pr.new/@tanstack/lit-form@2186

@tanstack/preact-form

npm i https://pkg.pr.new/@tanstack/preact-form@2186

@tanstack/react-form

npm i https://pkg.pr.new/@tanstack/react-form@2186

@tanstack/react-form-devtools

npm i https://pkg.pr.new/@tanstack/react-form-devtools@2186

@tanstack/react-form-nextjs

npm i https://pkg.pr.new/@tanstack/react-form-nextjs@2186

@tanstack/react-form-remix

npm i https://pkg.pr.new/@tanstack/react-form-remix@2186

@tanstack/react-form-start

npm i https://pkg.pr.new/@tanstack/react-form-start@2186

@tanstack/solid-form

npm i https://pkg.pr.new/@tanstack/solid-form@2186

@tanstack/solid-form-devtools

npm i https://pkg.pr.new/@tanstack/solid-form-devtools@2186

@tanstack/svelte-form

npm i https://pkg.pr.new/@tanstack/svelte-form@2186

@tanstack/vue-form

npm i https://pkg.pr.new/@tanstack/vue-form@2186

commit: 5f41ed7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Sheraff