
[pnpm] Add security settings to pnpm-workspace.yaml #4929

Merged: Janpot merged 1 commit into mui:master from Janpot:pnpm-security on May 28, 2026

Conversation

@Janpot (Member) commented May 27, 2026

Adds pnpm workspace-level security/hygiene settings to align with renovatebot configuration and supply chain hardening practices. Same change shipped in mui/mui-public#1319 for the tracking issue.

Changes (pnpm-workspace.yaml only)

  • updateNotifier: false — suppresses pnpm update noise in CI and local dev
  • blockExoticSubdeps: true — rejects git/path/tarball URLs in transitive dependencies
  • minimumReleaseAge: 4320 — 4320 minutes (= 3 days), mirrors the security:minimumReleaseAgeNpm renovatebot preset already in use; minimumReleaseAgeExclude carves out @base-ui/* (our own scope) and @mui/internal-* (our shared tooling) so we can pick up fresh internal bumps without waiting
  • trustPolicy: no-downgrade paired with trustPolicyIgnoreAfter: 525600 (365 days) — skips trust checks for packages published more than a year ago, avoiding false positives from widely-used packages (e.g. semver@6.3.1 via @babel/core@7.x, reselect@5.1.1, parts of @octokit/*) that dropped provenance for specific releases. There is a TODO in the file to drop this once upstreams restore provenance / @babel/core stops depending on semver@^6.3.1.

No overrides: were introduced — the trust-downgrade workaround is the policy-only trustPolicyIgnoreAfter, which doesn't change resolved versions and therefore doesn't affect what end users install.

Verified locally: pnpm install, pnpm dedupe --check, pnpm typescript all clean.

Adds workspace-level security/hygiene settings to align with renovatebot
configuration and supply chain hardening practices (mui/mui-public#1273).

- updateNotifier: false — suppress pnpm update noise in CI / local dev
- blockExoticSubdeps: true — reject git/path/tarball URLs in transitive deps
- minimumReleaseAge: 4320 — 3 days, mirroring `security:minimumReleaseAgeNpm`
  used in renovate. minimumReleaseAgeExclude carves out our own published
  scope so we can pick up freshly-published @base-ui/* and @mui/internal-*
  bumps without waiting
- trustPolicy: no-downgrade with trustPolicyIgnoreAfter: 525600 (365 days)
  to skip the trust check for legacy packages (semver@6.x via @babel/core,
  reselect@5.1.1, @octokit/*) that dropped provenance for specific releases.
  Tracked for removal in a TODO comment in pnpm-workspace.yaml.
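The PR's diff is not shown on this page, so the following pnpm-workspace.yaml fragment is an added example reconstructed from the settings listed in the description above; it is not the PR's own change. Setting names and values come from the description; the `packages:` entry is a placeholder and the exact glob spelling in `minimumReleaseAgeExclude` is an assumption.

```yaml
# Added example (not the PR's diff): workspace-level security settings
# as described in #4929. 'packages' is a placeholder for this repo's layout.
packages:
  - 'packages/*'

# Suppress "update available" notices in CI and local dev
updateNotifier: false

# Reject transitive dependencies resolved from git, local path or tarball URLs
blockExoticSubdeps: true

# Only install versions published at least 3 days (4320 minutes) ago,
# mirroring the security:minimumReleaseAgeNpm renovate preset
minimumReleaseAge: 4320
# Our own scope and shared tooling are picked up as soon as they publish
# (glob spelling is an assumption based on the description)
minimumReleaseAgeExclude:
  - '@base-ui/*'
  - '@mui/internal-*'

# Refuse to install a release whose trust level is lower than the one
# already resolved ...
trustPolicy: no-downgrade
# ... except for releases older than 365 days (525600 minutes), which
# avoids false positives from older releases that lack provenance.
# TODO: drop once upstreams restore provenance / @babel/core stops
# depending on semver@^6.3.1
trustPolicyIgnoreAfter: 525600
```

Because none of these keys is an `overrides:` entry, the resolved versions in the lockfile are unchanged; the checks the description names (`pnpm install`, `pnpm dedupe --check`) are the way to confirm that after applying the fragment.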
@pkg-pr-new (Bot) commented May 27, 2026

commit: df94610

@code-infra-dashboard (Bot) commented May 27, 2026

Bundle size

Bundle          Parsed size   Gzip size
@base-ui/react  0B (0.00%)    0B (0.00%)

Performance

Total duration: 1,147.87 ms, -43.50 ms (-3.7%) | Renders: 50 (+0) | Paint: 1,741.90 ms, -80.42 ms (-4.4%)

Test                          Duration                        Renders
Dialog mount (300 instances)  57.08 ms 🔺 +11.07 ms (+24.1%)  1 (+0)

11 tests within noise.

Check out the code infra dashboard for more information about this PR.

@netlify (Bot) commented May 27, 2026

Deploy Preview for base-ui ready!

Name Link
🔨 Latest commit df94610
🔍 Latest deploy log https://app.netlify.com/projects/base-ui/deploys/6a170fcefc25c800080f525d
😎 Deploy Preview https://deploy-preview-4929--base-ui.netlify.app

@Janpot Janpot added the scope: code-infra Involves the code-infra product (https://www.notion.so/mui-org/5562c14178aa42af97bc1fa5114000cd). label May 27, 2026
@Janpot Janpot marked this pull request as ready for review May 27, 2026 17:46
@Janpot Janpot requested a review from a team May 27, 2026 17:47
@Janpot Janpot merged commit 200f741 into mui:master May 28, 2026
22 of 23 checks passed