pnpm Supply-Chain Protection
This workspace runs pnpm 11+, which enables several supply-chain defaults that
matter day-to-day. The most visible one is minimumReleaseAge.
Minimum release age
pnpm-workspace.yaml does not override the default, so pnpm uses the v11
shipped default of 1440 minutes (24 hours). Newly published package
versions will not resolve until they are at least one day old. This gives the
ecosystem time to detect and yank compromised releases before any of our
installs pick them up.
In practice this only bites in one scenario: you add or bump a dependency to a version that was published less than 24h ago. The install will fail to resolve.
Escape hatches (in order of preference)
-
Wait it out. If the bump is non-urgent, leave the install for tomorrow. This is the default v11 stance and almost always the right answer.
-
Allowlist a single package. Add the package + minimum version to
minimumReleaseAgeExcludeinpnpm-workspace.yaml:minimumReleaseAgeExclude:- 'some-package@>=1.2.3'This is what
pnpm audit --fixdoes automatically when it patches a high-severity CVE. -
One-shot disable on a single install. If you're pushing a CVE fix and need the install to happen now:
pnpm install --config.minimumReleaseAge=0Does not change the lockfile policy — the next person's install still respects the 24h floor unless they pass the same flag.
-
Disable workspace-wide. Set
minimumReleaseAge: 0inpnpm-workspace.yaml. Only do this if you have a strong reason — it removes the v11 supply-chain default for everyone.
Other v11 defaults worth knowing
-
strictDepBuilds: true— installs fail when a dep wants to run a build script and isn't listed inallowBuilds. To accept a new build script, set it totrueinpnpm-workspace.yaml > allowBuilds; to deny it explicitly, set it tofalse. -
blockExoticSubdeps: true— git/file/exotic transitive deps are blocked. We don't use any, so this is a no-op guardrail. -
auditConfig.ignoreGhsas— if you ever need to ignore an audit finding, use the GitHub Security Advisory ID (e.g.GHSA-xxxx-xxxx-xxxx), not the CVE ID. v10'signoreCvesis no longer recognized.
Where pnpm config lives
All pnpm settings live in pnpm-workspace.yaml. The pnpm field in
package.json and most settings in .npmrc are no longer read in v11. Only
auth/registry config belongs in .npmrc.