react-doctor/require-pnpm-hardening
pnpm project is missing supply-chain hardening in pnpm-workspace.yaml — set `minimumReleaseAge`, keep `blockExoticSubdeps: true`, and set `trustPolicy: no-downgrade`
- Category: Security
- Severity: warn
- Source:
react-doctor-core - Framework: global
- Enabled when: always (pnpm-managed project)
- Documentation: https://pnpm.io/settings
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Project-level supply-chain check that fires on pnpm-managed repos (detected via pnpm-lock.yaml, pnpm-workspace.yaml, or a "packageManager": "pnpm@…" field) and emits one diagnostic per weak setting in pnpm-workspace.yaml: (1) minimumReleaseAge absent, (2) blockExoticSubdeps: false, or (3) trustPolicy absent or set to anything other than no-downgrade. Each is a genuine registry-side exposure, so CONFIRM on any project that installs third-party packages. SUPPRESS only when equivalent hardening is enforced where the per-file YAML parser can't see it — an org-wide .npmrc / registry proxy or private mirror that already delays and vets releases and pins trust — or for a documented throwaway/sandbox repo where the supply-chain surface is intentionally accepted. Note the check reads the literal YAML values, so a setting injected dynamically (CI overlay, generated workspace file) may need manual confirmation.
Fix prompt
Use this once validation confirms the diagnostic is real.
Add the missing keys to pnpm-workspace.yaml and re-lock with pnpm install: set minimumReleaseAge: 10080 (7 days) so freshly published — and quickly-unpublished-malware — versions aren't installed the moment they land; set trustPolicy: no-downgrade so pnpm refuses packages whose provenance/signature trust weakens between resolutions; and leave blockExoticSubdeps: true (the recent-pnpm default) — never set it to false, which lets transitive deps come from git:/file:/tarball URLs that bypass the registry. These narrow the window and surface for supply-chain attacks without changing your dependency set. See https://pnpm.io/settings
Related rules
More Security rules from the rules reference:
react-doctor/secret-in-fallback: Hardcoded secret fallback for env varreact-doctor/supabase-client-owned-authz-field: When the client writes authorization columns (`ownerId`, `orgId`, `role`, `isAdmin`) to Supabase, an attacker can forge them and escalate their own access.react-doctor/supabase-rls-policy-risk: A Supabase policy that disables row-level security, exposes the service role, or uses a `(true)` write predicate lets clients read or modify data that is not theirs.react-doctor/supabase-table-missing-rls: Supabase table created without Row Level Securityreact-doctor/svg-filter-clickjacking-risk: Applying CSS or SVG filters over a cross-origin iframe can be used for clickjacking or to read pixels from framed content the attacker should not see.