Add trustPolicyExclude for specific packages#1680

Open
meghprkh wants to merge 1 commit into unovue:dev from meghprkh:patch-3
Conversation

@meghprkh
Contributor

@meghprkh meghprkh commented Feb 7, 2026

New pnpm feature which complains for a few packages. Add them as trusted packages while the ecosystem upgrades to new versions of these.

🔗 Linked issue

Fixes #1668

❓ Type of change

  • 📖 Documentation (updates to the documentation, readme or JSdoc annotations)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

To be fair, my pnpm install succeeded, but I could not build the project due to tsdown/rollup issues, so this is somewhat of a blind commit.

📸 Screenshots (if appropriate)

📝 Checklist

  • I have linked an issue or discussion.
  • I have updated the documentation accordingly.

Summary by CodeRabbit

  • Chores
    • Updated workspace configuration to exclude select packages from dependency trust policy verification, enabling granular control over transitive dependency validation across the project.

@coderabbitai

coderabbitai bot commented Feb 7, 2026

📝 Walkthrough

A new trustPolicyExclude configuration entry was added to pnpm-workspace.yaml, listing four packages with specific versions to be excluded from trust policy verification checks, addressing a high-risk trust downgrade detection.

Changes

Cohort / File(s): Trust Policy Configuration (pnpm-workspace.yaml)
Summary: Added trustPolicyExclude field containing four package entries (with versions) to exclude from trust policy validation checks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With whiskers twitched and hop, hop, hops,
We've patched the trust that came to stops,
Four packages now safely freed,
From verification's prying creed!
The config hops along so bright, 🎉

🚥 Pre-merge checks: ✅ 5 passed

Description Check - ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
Title check - ✅ Passed: The title accurately describes the main change in the pull request - adding trustPolicyExclude entries to pnpm-workspace.yaml for specific packages.
Linked Issues check - ✅ Passed: The PR addresses the core objective from issue #1668 by adding trustPolicyExclude entries to suppress pnpm trust-downgrade warnings for affected packages including chokidar@4.0.3.
Out of Scope Changes check - ✅ Passed: The changes are within scope - only modifying pnpm-workspace.yaml to add trustPolicyExclude configuration, directly addressing the trust-downgrade issue without unrelated alterations.
Docstring Coverage - ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@pnpm-workspace.yaml`:
- Around line 58-62: Update the trustPolicyExclude list so entries match actual
workspace deps: remove the nonexistent entry "koa@2.16.3"; change "semver@6.3.1"
to a workspace-compatible version such as "semver@7.7.3" (or the exact semver
range from your lockfile/ packages/cli); and replace "tailwindcss@3.4.18" with
the 4.x entry used by the main packages (e.g., "tailwindcss@^4.1.17" or the
exact 4.x version from your lockfile); keep "chokidar@4.0.3" as-is if it matches
the lockfile. Ensure each excluded spec exactly matches the versions/ranges in
the lockfile so the trustPolicyExclude entries are effective.
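The review comment above turns on one point: a trustPolicyExclude spec only helps if it names the exact `name@version` the lockfile actually resolves. The following check, added here as an example and not part of the PR or the project, cross-references the exclusion list against the `packages:` keys of a pnpm v9-style lockfile; the YAML contents, the `koa`/`semver` entries and the `sha512-CONSTRUCTED` integrity values are constructed for illustration.

```javascript
// Added example (not part of the PR): flag trustPolicyExclude entries that
// match no package key in pnpm-lock.yaml. Sample YAML below is constructed.
const workspaceYaml = `
packages:
  - packages/*
trustPolicyExclude:
  - chokidar@4.0.3
  - koa@2.16.3
  - semver@6.3.1
`;
const lockYaml = `
packages:
  chokidar@4.0.3:
    resolution: {integrity: sha512-CONSTRUCTED}
  semver@7.7.3:
    resolution: {integrity: sha512-CONSTRUCTED}
  '@types/node@22.0.0':
    resolution: {integrity: sha512-CONSTRUCTED}
`;

// Scalar items of the top-level trustPolicyExclude list.
function parseTrustPolicyExclude(yamlText) {
  const out = []; let inList = false;
  for (const line of yamlText.split('\n')) {
    if (/^trustPolicyExclude:\s*$/.test(line)) { inList = true; continue; }
    if (!inList) continue;
    const m = /^\s+-\s+['"]?([^'"\s]+)['"]?\s*$/.exec(line);
    if (m) out.push(m[1]);
    else if (line.trim() !== '') inList = false; // next top-level key ends the list
  }
  return out;
}

// name@version keys under the lockfile's top-level packages map (v9 layout assumed).
function parseLockPackages(lockText) {
  const keys = new Set(); let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (!inPackages) continue;
    if (/^\S/.test(line)) break; // a later top-level key ends the map
    const m = /^  ['"]?([^'"\s:][^'"]*?)['"]?:\s*$/.exec(line); // two-space keys only
    if (m) keys.add(m[1]);
  }
  return keys;
}

// Exclusions that no locked package matches exactly, i.e. the mismatch the review flags.
function findIneffectiveExclusions(workspaceText, lockText) {
  const locked = parseLockPackages(lockText);
  return parseTrustPolicyExclude(workspaceText).filter((s) => !locked.has(s));
}

findIneffectiveExclusions(workspaceYaml, lockYaml).forEach((s) => console.log(`not in lockfile: ${s}`));
```

Run against real files, it reports `koa@2.16.3` and `semver@6.3.1` here for the same reason the review does: neither spec appears in the locked package set, so the exclusion cannot apply to anything.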

Successfully merging this pull request may close these issues.

[Bug]: ERR_PNPM_TRUST_DOWNGRADE High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)