chore(e2e): pin transitive deps to trusted-publisher floor

[jacekradko]

Following the 2026-05-11 mini Shai-Hulud npm worm (Socket.dev advisory), pnpm 10.33's new trust-downgrade check started failing every staging E2E fixture install on resolutions of vite, semver, chokidar, undici-types, and tailwind-merge. Older versions of these packages lack the trustedPublisher evidence newer versions carry, which pnpm now treats as a possible package-takeover signal.

Centralizes the fix in integration/models/applicationConfig.ts#commit(): every tmp fixture install gets a pnpm.overrides block pinning those five transitives to their trusted-publisher floor (vite@7.3.3, semver@7.7.4, chokidar@5.0.0, undici-types@7.24.8, tailwind-merge@3.4.0). The same overrides land in root package.json to protect the workspace install. Templates and playgrounds are untouched, since the policy is applied at install time rather than declaration time.

Verified with pnpm install at the workspace root and an isolated smoke-test install of the react-vite template in /tmp. Both exit 0 with no trust-downgrade, and vite resolves to 7.3.3 as expected.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 12, 2026 0:52am

[changeset-bot]

🦋 Changeset detected

Latest commit: 93b90dd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 965beb50-1325-44b8-9b80-0380403f37b1

📥 Commits

Reviewing files that changed from the base of the PR and between a27b20e and 93b90dd.

📒 Files selected for processing (1)

• .changeset/pin-trusted-publisher-deps.md

✅ Files skipped from review due to trivial changes (1)

• .changeset/pin-trusted-publisher-deps.md

---

📝 Walkthrough

Walkthrough

This PR introduces dependency version pinning to address pnpm 10's trust-downgrade checks. A new TRUSTED_OVERRIDES constant is defined in integration/constants.ts with version mappings for five dependencies. The applicationConfig().commit() method is refactored to always merge these overrides into generated app package.json files. The root package.json is updated with matching pnpm.overrides entries. A changeset entry documents the requirement for maintainers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: pinning transitive dependencies to trusted-publisher floor versions to resolve pnpm trust-downgrade failures.
Description check	✅ Passed	The description comprehensively explains the context (Socket.dev advisory, pnpm 10.33 trust-downgrade check), the solution, affected packages with their versions, implementation details, and verification steps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8522

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8522

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8522

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8522

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8522

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8522

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8522

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8522

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8522

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8522

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8522

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8522

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8522

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8522

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8522

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8522

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8522

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8522

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8522

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8522

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8522

commit: 93b90dd