chore: add pnpm security settings for supply chain attack prevention (#828)

ryoppippi · web-flow · commit 5bcc1952239a · 2026-01-27T18:08:16.000Z
diff --git a/package.json b/package.json
@@ -7,7 +7,7 @@
 		"apps/*",
 		"docs"
 	],
-	"packageManager": "pnpm@10.24.0",
+	"packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264",
 	"scripts": {
 		"build": "pnpm run --filter '*' build",
 		"docs:dev": "pnpm run --filter docs dev",
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -75,10 +75,17 @@ enablePrePostScripts: true
 
 minimumReleaseAge: 2880
 
-onlyBuiltDependencies:
-  - esbuild
-  - sharp
-  - sqlite3
-  - workerd
+# Security settings for supply chain attack prevention
+strictDepBuilds: true
+blockExoticSubdeps: true
+trustPolicy: no-downgrade
+
+# Explicitly allow build scripts for packages that require them
+# (replaces onlyBuiltDependencies)
+allowBuilds:
+  esbuild: true
+  sharp: true
+  sqlite3: true
+  workerd: true
 
 shellEmulator: true
