react-doctor/require-pnpm-hardening

pnpm project is missing supply-chain hardening in pnpm-workspace.yaml — set `minimumReleaseAge`, keep `blockExoticSubdeps: true`, and set `trustPolicy: no-downgrade`

  • Category: Security
  • Severity: warn
  • Source: react-doctor-core
  • Framework: global
  • Enabled when: always (pnpm-managed project)
  • Documentation: https://pnpm.io/settings

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Project-level supply-chain check that fires on pnpm-managed repos (detected via pnpm-lock.yaml, pnpm-workspace.yaml, or a "packageManager": "pnpm@…" field) and emits one diagnostic per weak setting in pnpm-workspace.yaml: (1) minimumReleaseAge absent, (2) blockExoticSubdeps: false, or (3) trustPolicy absent or set to anything other than no-downgrade. Each is a genuine registry-side exposure, so CONFIRM on any project that installs third-party packages. SUPPRESS only when equivalent hardening is enforced where the per-file YAML parser can't see it — an org-wide .npmrc / registry proxy or private mirror that already delays and vets releases and pins trust — or for a documented throwaway/sandbox repo where the supply-chain surface is intentionally accepted. Note the check reads the literal YAML values, so a setting injected dynamically (CI overlay, generated workspace file) may need manual confirmation.

Fix prompt

Use this once validation confirms the diagnostic is real.

Add the missing keys to pnpm-workspace.yaml and re-lock with pnpm install: set minimumReleaseAge: 10080 (7 days) so freshly published versions, including malicious releases that are typically unpublished within days of landing, are not installed the moment they appear; set trustPolicy: no-downgrade so pnpm refuses packages whose provenance/signature trust weakens between resolutions; and leave blockExoticSubdeps: true (the default in recent pnpm versions). Never set it to false, which lets transitive deps come from git:/file:/tarball URLs that bypass the registry. Together these narrow the window and the surface for supply-chain attacks without changing your dependency set. See https://pnpm.io/settings
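The check described under "Validation prompt" and the settings prescribed under "Fix prompt", as an added example that is not react-doctor's or pnpm's own code: it re-implements the three conditions over two constructed pnpm-workspace.yaml samples (one weak, one hardened) and prints the YAML lines the fix asks for. The parser is a deliberate simplification and an assumption of this example only: pnpm settings are flat top-level `key: value` scalars, so nested blocks such as the `packages` list are skipped rather than parsed, and a real implementation would use a proper YAML library.

```javascript
// Added example, not react-doctor's own implementation: a minimal version of the
// three checks this rule describes, run over constructed pnpm-workspace.yaml text.
// The parser below is a deliberate simplification (assumption of this example):
// pnpm settings are flat top-level `key: value` scalars, so nested blocks such as
// the `packages` list are skipped rather than parsed.

// Constructed sample: a workspace file with every weak setting present.
const WEAK_WORKSPACE_YAML = `
packages:
  - "apps/*"
  - "packages/*"
blockExoticSubdeps: false   # lets subdeps resolve to git:/file:/tarball URLs
trustPolicy: allow-downgrade
`;

// Constructed sample: the same file after applying the fix prompt.
const HARDENED_WORKSPACE_YAML = `
packages:
  - "apps/*"
  - "packages/*"
minimumReleaseAge: 10080    # minutes; 7 days
blockExoticSubdeps: true
trustPolicy: no-downgrade
`;

// Parse top-level scalar settings into { key: stringValue }.
function parseTopLevelScalars(text) {
  const settings = {};
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/#.*$/, '').trimEnd();   // drop trailing comments
    if (line === '' || /^\s/.test(line)) continue;        // blank or nested line
    const match = /^([A-Za-z0-9_-]+):\s*(.*)$/.exec(line);
    if (!match) continue;
    const value = match[2].trim().replace(/^["']|["']$/g, '');
    if (value === '') continue;                           // head of a nested block
    settings[match[1]] = value;
  }
  return settings;
}

// One diagnostic per weak setting, in the order the rule lists them.
function checkPnpmHardening(yamlText) {
  const s = parseTopLevelScalars(yamlText);
  const diagnostics = [];
  if (!('minimumReleaseAge' in s)) {
    diagnostics.push({
      key: 'minimumReleaseAge',
      message: 'minimumReleaseAge is not set: versions install the moment they are published',
    });
  }
  // Absent means the recent-pnpm default (true); only an explicit false is a finding.
  if (s.blockExoticSubdeps === 'false') {
    diagnostics.push({
      key: 'blockExoticSubdeps',
      message: 'blockExoticSubdeps is false: transitive deps may bypass the registry',
    });
  }
  if (s.trustPolicy !== 'no-downgrade') {
    const seen = s.trustPolicy === undefined ? 'absent' : JSON.stringify(s.trustPolicy);
    diagnostics.push({
      key: 'trustPolicy',
      message: `trustPolicy is ${seen}: expected no-downgrade`,
    });
  }
  return diagnostics;
}

// The YAML lines the fix prompt asks for, one per diagnostic raised.
const FIX_LINES = {
  minimumReleaseAge: 'minimumReleaseAge: 10080',
  blockExoticSubdeps: 'blockExoticSubdeps: true',
  trustPolicy: 'trustPolicy: no-downgrade',
};

function suggestedFix(diagnostics) {
  return diagnostics.map((d) => FIX_LINES[d.key]);
}

// Run both constructed samples through the check and show what would be added.
for (const [name, yaml] of [['weak', WEAK_WORKSPACE_YAML], ['hardened', HARDENED_WORKSPACE_YAML]]) {
  const found = checkPnpmHardening(yaml);
  console.log(`${name}: ${found.length} diagnostic(s)`);
  for (const d of found) console.log(`  ${d.message}`);
  if (found.length) {
    console.log('  add to pnpm-workspace.yaml:\n    ' + suggestedFix(found).join('\n    '));
  }
}
```

Note that a file containing only a `packages` list still raises two diagnostics (minimumReleaseAge and trustPolicy) but not blockExoticSubdeps, because an absent key falls back to the recent-pnpm default of true; this matches the rule's "blockExoticSubdeps: false" wording rather than treating absence as a finding.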