
[pnpm] Add security settings to pnpm-workspace.yaml#48582

Merged
Janpot merged 1 commit into mui:master from Janpot:pnpm-security on May 28, 2026

Conversation

@Janpot (Member) commented May 27, 2026

Adds pnpm workspace-level security/hygiene settings to align with renovatebot configuration and supply chain hardening practices. Same change shipped in mui/mui-public#1319 for the tracking issue; base-ui equivalent at mui/base-ui#4929.

Changes (pnpm-workspace.yaml only)

  • updateNotifier: false — suppresses pnpm update noise in CI and local dev
  • blockExoticSubdeps: true — rejects git/path/tarball URLs in transitive dependencies
  • minimumReleaseAge: 4320 — 4320 minutes (= 3 days), mirrors the security:minimumReleaseAgeNpm renovatebot preset already in use; minimumReleaseAgeExclude carves out @mui/* (our published scope) and @base-ui/* so we can pick up fresh own-package bumps without waiting
  • trustPolicy: no-downgrade paired with trustPolicyIgnoreAfter: 525600 (365 days) — skips trust checks for packages published more than a year ago, avoiding false positives from widely-used packages (e.g. semver@6.3.1 via @babel/core@7.x, reselect@5.1.1, parts of @octokit/*) that dropped provenance for specific releases. TODO in the file to drop once upstreams restore provenance.

No overrides: introduced — trustPolicyIgnoreAfter is a policy-only setting that doesn't change resolved versions, so end-user installs are unaffected.

Verified locally: pnpm install, pnpm dedupe --check clean.

Adds workspace-level security/hygiene settings to align with renovatebot
configuration and supply chain hardening practices (mui/mui-public#1273).

- updateNotifier: false — suppress pnpm update noise in CI / local dev
- blockExoticSubdeps: true — reject git/path/tarball URLs in transitive deps
- minimumReleaseAge: 4320 — 3 days, mirroring security:minimumReleaseAgeNpm
  used in renovate. minimumReleaseAgeExclude carves out @mui/* and @base-ui/*
  so we can pick up freshly published own packages without waiting
- trustPolicy: no-downgrade with trustPolicyIgnoreAfter: 525600 (365 days)
  to skip the trust check for legacy packages (semver@6.x via @babel/core,
  reselect@5.1.1, @octokit/*) that dropped provenance for specific releases.
  Tracked for removal in a TODO comment in pnpm-workspace.yaml.
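Reconstructed from the description above as an added example, not the merged file's exact contents: a pnpm-workspace.yaml carrying the settings the PR describes. The packages entry is an assumed placeholder for the workspace's existing content.

```yaml
# Assumed placeholder for the workspace's existing package globs.
packages:
  - 'packages/*'

# Hygiene / supply-chain settings described in the PR.
updateNotifier: false          # no "new pnpm version available" noise in CI or local dev
blockExoticSubdeps: true       # reject git:/path/tarball URL specifiers in transitive dependencies

# 4320 minutes = 3 days; mirrors the renovate security:minimumReleaseAgeNpm preset,
# so a freshly published (possibly compromised) release is not pulled in immediately.
minimumReleaseAge: 4320
minimumReleaseAgeExclude:
  - '@mui/*'      # our own published scope: pick up new releases without waiting
  - '@base-ui/*'  # sibling project scope

# Refuse to resolve a version whose trust level (provenance) is lower than the
# version already installed.
trustPolicy: no-downgrade
# TODO: remove once upstreams (semver@6.3.1 via @babel/core@7.x, reselect@5.1.1,
# parts of @octokit/*) restore provenance. 525600 minutes = 365 days: the trust
# check is skipped for releases published more than a year ago to avoid those
# false positives. Policy-only: resolved versions are unchanged, so no overrides.
trustPolicyIgnoreAfter: 525600
```

Exclusions and the ignore window widen what installs without a check, so each carve-out is a deliberate trade-off worth the TODO that tracks its removal.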
@code-infra-dashboard commented

Deploy preview

https://deploy-preview-48582--material-ui.netlify.app/

Bundle size

| Bundle | Parsed size | Gzip size |
| --- | --- | --- |
| @mui/material | 0B (0.00%) | 0B (0.00%) |
| @mui/lab | 0B (0.00%) | 0B (0.00%) |
| @mui/private-theming | 0B (0.00%) | 0B (0.00%) |
| @mui/system | 0B (0.00%) | 0B (0.00%) |
| @mui/utils | 0B (0.00%) | 0B (0.00%) |

Check out the code infra dashboard for more information about this PR.

@Janpot Janpot added the scope: code-infra Involves the code-infra product (https://www.notion.so/mui-org/5562c14178aa42af97bc1fa5114000cd). label May 27, 2026
@Janpot Janpot requested a review from a team May 27, 2026 17:48
@Janpot Janpot marked this pull request as ready for review May 27, 2026 17:48
@Janpot Janpot merged commit c72ffa0 into mui:master May 28, 2026
18 of 19 checks passed

2 participants