# `react-doctor/require-pnpm-hardening`

pnpm project is missing supply-chain hardening in pnpm-workspace.yaml — set `minimumReleaseAge`, keep `blockExoticSubdeps: true`, and set `trustPolicy: no-downgrade`

- **Category:** Security
- **Severity:** warn
- **Source:** react-doctor-core
- **Framework:** global
- **Enabled when:** always (pnpm-managed project)
- **Documentation:** <https://pnpm.io/settings>

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Project-level supply-chain check that fires on pnpm-managed repos (detected via pnpm-lock.yaml, pnpm-workspace.yaml, or a `"packageManager": "pnpm@…"` field) and emits one diagnostic per weak setting in pnpm-workspace.yaml: (1) `minimumReleaseAge` absent, (2) `blockExoticSubdeps: false`, or (3) `trustPolicy` absent or set to anything other than `no-downgrade`. Each is a genuine registry-side exposure, so CONFIRM on any project that installs third-party packages. SUPPRESS only when equivalent hardening is enforced where the per-file YAML parser can't see it — an org-wide `.npmrc` / registry proxy or private mirror that already delays and vets releases and pins trust — or for a documented throwaway/sandbox repo where the supply-chain surface is intentionally accepted. Note the check reads the literal YAML values, so a setting injected dynamically (CI overlay, generated workspace file) may need manual confirmation.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Add the missing keys to `pnpm-workspace.yaml` and re-lock with `pnpm install`: set `minimumReleaseAge: 10080` (7 days) so freshly published — and quickly-unpublished-malware — versions aren't installed the moment they land; set `trustPolicy: no-downgrade` so pnpm refuses packages whose provenance/signature trust weakens between resolutions; and leave `blockExoticSubdeps: true` (the recent-pnpm default) — never set it to `false`, which lets transitive deps come from `git:`/`file:`/tarball URLs that bypass the registry. These narrow the window and surface for supply-chain attacks without changing your dependency set. See <https://pnpm.io/settings>.
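The three checks above, and the hardened file they expect, as an added example that is not react-doctor's own implementation. It reads the literal top-level scalars of a `pnpm-workspace.yaml` with a deliberately simplified line parser (an assumption for this example: only unindented `key: value` pairs are read, which is all these settings need) and returns one diagnostic per weak setting; both workspace files are constructed samples, with the values taken from the fix prompt.

```javascript
// Added example (not react-doctor's code): the three pnpm hardening checks
// run over the literal values of a pnpm-workspace.yaml.

// Simplified YAML reader (assumption): collects only top-level `key: value`
// scalars, dropping trailing comments and surrounding quotes. Indented lines,
// list items and block keys without a scalar are ignored.
function readTopLevelScalars(yamlText) {
  const values = {};
  for (const rawLine of yamlText.split('\n')) {
    const line = rawLine.replace(/\s+#.*$/, '').trimEnd();
    const m = /^([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$/.exec(line);
    if (!m) continue;
    values[m[1]] = m[2].replace(/^["']|["']$/g, '');
  }
  return values;
}

// Returns one diagnostic per weak setting, mirroring the rule's three cases.
function checkPnpmHardening(yamlText) {
  const cfg = readTopLevelScalars(yamlText);
  const diagnostics = [];

  // (1) minimumReleaseAge absent: freshly published versions install immediately.
  if (cfg.minimumReleaseAge === undefined || cfg.minimumReleaseAge === '') {
    diagnostics.push({ key: 'minimumReleaseAge', reason: 'absent' });
  }
  // (2) blockExoticSubdeps explicitly false: transitive deps may come from
  //     git:/file:/tarball URLs that bypass the registry.
  if (cfg.blockExoticSubdeps === 'false') {
    diagnostics.push({ key: 'blockExoticSubdeps', reason: 'set to false' });
  }
  // (3) trustPolicy absent or anything other than no-downgrade.
  if (cfg.trustPolicy !== 'no-downgrade') {
    diagnostics.push({
      key: 'trustPolicy',
      reason: cfg.trustPolicy === undefined ? 'absent' : `set to ${cfg.trustPolicy}`,
    });
  }
  return diagnostics;
}

// Constructed sample: trips all three diagnostics.
const WEAK_WORKSPACE = `
packages:
  - "packages/*"
blockExoticSubdeps: false
`;

// Constructed sample: the hardened file the fix prompt asks for.
const HARDENED_WORKSPACE = `
packages:
  - "packages/*"
minimumReleaseAge: 10080 # 7 days, in minutes
blockExoticSubdeps: true
trustPolicy: no-downgrade
`;

console.log('weak:', checkPnpmHardening(WEAK_WORKSPACE));
console.log('hardened:', checkPnpmHardening(HARDENED_WORKSPACE));
```

Because the reader only sees top-level literal values, a setting that arrives through a CI overlay or a generated workspace file is invisible to it, which is exactly the case the validation prompt flags for manual confirmation.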
