security: stricter pnpm config blockExoticSubdeps & trustPolicy

Sheraff · Sheraff · commit 8737cb2ef5d2 · 2026-05-17T16:06:49.000+02:00
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -48,18 +48,6 @@ jobs:
         run: pnpm run build:all
       - name: Publish Previews
         run: pnpx pkg-pr-new@0.0.71 publish --pnpm './packages/*' --template './examples/*/*'
-  provenance:
-    name: Provenance
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Check Provenance
-        uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
-        with:
-          fail-on-downgrade: true
   version-preview:
     name: Version Preview
     runs-on: ubuntu-latest
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -1,6 +1,8 @@
 cleanupUnusedCatalogs: true
 linkWorkspacePackages: true
 preferWorkspacePackages: true
+blockExoticSubdeps: true
+trustPolicy: 'no-downgrade'
 
 packages:
   - examples/**/*
