pnpm-workspace.yaml
# Workspace members: every directory directly under packages/, plus each
# directory under .claude/hooks/. Hook directories are workspace members, so
# their dependencies are resolved under the settings in this file.
packages:
  - 'packages/*'
  - '.claude/hooks/*'
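# Packages allowed to run build scripts (pnpm v11 strictDepBuilds default).
# Each `true` entry lets that package's install-time scripts execute with
# the privileges of whoever runs the install, so keep the list short and
# review every addition. Entries are keyed by package name only.
# NOTE(review): `false` presumably records an explicit deny for docsify
# rather than leaving it undecided; confirm against the pnpm docs.
allowBuilds:
  docsify: false
  esbuild: true
  onnxruntime-node: true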
# Refuse to run if the pnpm version on PATH differs from the packageManager
# field in package.json. Our setup action pins pnpm via external-tools.json;
# any drift should fail fast, not silently auto-download via @pnpm/exe
# (which in rc.5 leaves a placeholder launcher that errors at runtime).
# NOTE(review): the rc.5 behaviour cited here is version-specific; re-check
# this rationale whenever the pinned pnpm version changes.
pmOnFail: error
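# Default catalog: one exact version per dependency, referenced elsewhere as
# `catalog:` (the `overrides` block in this file uses that form).
# The `*-stable` keys are npm: aliases that resolve to the same published
# package and version as their unsuffixed counterpart.
# NOTE(review): `tar` is pinned to 7.4.3 here while `overrides` in this file
# forces tar to 7.5.11, so this entry looks stale; confirm which version the
# lockfile resolves and align the two.
# NOTE(review): `@vitest/ui` (4.1.6) is ahead of `vitest` and
# `@vitest/coverage-v8` (both 4.0.3); these presumably move in lockstep, so
# confirm the skew is intended.
catalog:
  '@anthropic-ai/claude-code': 2.1.92
  '@babel/core': 7.28.4
  '@babel/types': 7.28.5
  '@biomejs/biome': 2.2.4
  '@dotenvx/dotenvx': 1.31.0
  '@sinclair/typebox': 0.34.49
  '@socketregistry/packageurl-js': 1.4.2
  '@socketregistry/packageurl-js-stable': npm:@socketregistry/packageurl-js@1.4.2
  '@socketsecurity/lib': 6.0.0
  '@socketsecurity/lib-stable': npm:@socketsecurity/lib@6.0.0
  '@socketsecurity/registry': 2.0.2
  '@socketsecurity/registry-stable': npm:@socketsecurity/registry@2.0.2
  '@socketsecurity/sdk': 4.0.1
  '@socketsecurity/sdk-stable': npm:@socketsecurity/sdk@4.0.1
  '@types/adm-zip': 0.5.7
  '@types/mdast': 4.0.4
  '@types/node': 24.9.2
  '@typescript/native-preview': 7.0.0-dev.20260415.1
  '@vitest/coverage-v8': 4.0.3
  '@vitest/ui': 4.1.6
  acorn: 8.14.0
  acorn-walk: 8.3.4
  adm-zip: 0.5.16
  ecc-agentshield: 1.4.0
  esbuild: 0.25.11
  magic-string: 0.30.19
  'mdast-util-from-markdown': 2.0.3
  'micromark': 4.0.2
  'npm-run-all2': 9.0.0
  octokit: 5.0.5
  'oxfmt': 0.37.0
  'oxlint': 1.52.0
  tar: 7.4.3
  'taze': 19.9.2
  vitest: 4.0.3
  yoctocolors-cjs: 2.1.3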
# Resolve to the highest version that satisfies the range, fleet-wide.
# NOTE(review): with `highest`, a newly published in-range release is picked
# as soon as it is eligible, so the minimumReleaseAge delay in this file is
# what stands between a fresh publish and an install; exact pins narrow that
# further.
resolutionMode: highest
# Soak window: a newly published version becomes installable only after
# 7 days (10080 minutes).
minimumReleaseAge: 10080
# Exemptions from the soak window. A scope wildcard exempts every package
# under that scope; a `name@version` entry names a single release.
# NOTE(review): the wildcard scopes get no delay at all, so a bad publish
# under one of them would be installable immediately; consider whether exact
# `name@version` entries would be enough.
minimumReleaseAgeExclude:
  - '@anthropic-ai/claude-code@2.1.92'
  - '@socketaddon/*'
  - '@socketbin/*'
  - '@socketregistry/*'
  - '@socketsecurity/*'
  # Network-mocking lib used in fleet test suites. v15 betas pre-date
  # npm's `time` field for the major; allow pinned beta until v15 GA.
  - 'nock@15.0.0-beta.11'
  - 'npm-run-all2@9.0.0'
# Refuse transitive dependencies declared via git/tarball/local-tarball
# specs — an npm package shouldn't be allowed to drag in a git URL we
# don't control (bypasses npm registry validation, no provenance, no
# soak window). Direct git deps are still allowed (the test suite at
# pnpm/pkg-manager/core/test/install/blockExoticSubdeps.ts confirms
# this). pnpm's current default is `false`; declared explicitly so a
# future flip can't silently change install behavior.
# NOTE(review): because direct exotic specs are not covered by this
# setting, they need review at the point they are added to a package.json.
blockExoticSubdeps: true
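# Dependency overrides (migrated from package.json pnpm.overrides).
# Force every consumer of Socket's own packages to resolve through the
# catalog-pinned published versions. The `catalog:` form rewrites
# `workspace:*`, `^x.y.z`, and bare-version specs alike to the version
# in the default `catalog:` block above. This defeats accidental
# local-checkout resolution when a sibling repo is on disk.
# The remaining entries are exact version pins applied to every consumer
# of the named package.
overrides:
  '@socketregistry/packageurl-js': 'catalog:'
  '@socketsecurity/lib': 'catalog:'
  '@socketsecurity/registry': 'catalog:'
  '@socketsecurity/sdk': 'catalog:'
  # advisory #23 (medium) — got 11.8.5 fix; bump to latest 11.x patch
  'got': '11.8.6'
  # NOTE(review): no rationale is recorded for the postcss, tar and vite
  # pins; add the advisory or issue reference for each so the pin can be
  # dropped once it is no longer needed.
  'postcss': '8.5.10'
  # NOTE(review): the default catalog in this file pins tar to 7.4.3 while
  # this override forces 7.5.11; confirm which is intended and align them.
  'tar': '7.5.11'
  'vite': '7.3.2'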
# As pnpm documents `no-downgrade`: fail the install when a package version
# carries weaker trust evidence (trusted publishing / provenance) than
# earlier releases of the same package did.
trustPolicy: no-downgrade
# Exact versions exempted from the trust check.
# NOTE(review): no reason is recorded for either exemption; note why each
# one is needed so it can be removed when the pinned version changes.
trustPolicyExclude:
  - 'semver@6.3.1'
  - 'compromise@14.15.0'
# Auto-install missing peer deps (pnpm default). Declared explicitly
# so a future default flip can't silently change install behavior.
# NOTE(review): auto-installed peers are not listed in any package.json, so
# the lockfile diff is presumably the only place they show up for review.
autoInstallPeers: true
# Run pre/post lifecycle scripts on the workspace root (e.g.
# prepare -> husky). This is the pnpm default; declared explicitly
# so a future default flip can't silently disable husky setup.
# NOTE(review): pnpm documents this setting as controlling the automatic
# pre<name>/post<name> hooks around `pnpm run <name>`; confirm that the
# `prepare` script is actually governed by it before relying on the
# husky rationale.
enablePrePostScripts: true
# Pin exact versions on `pnpm add`. Catalog and overrides should
# also be exact pins (5.24.0, not ^5.24.0).
# This setting only shapes specs written by `pnpm add`; it does not rewrite
# or validate ranges already present, so the exact-pin rule for catalog and
# overrides has to be enforced by review or lint.
saveExact: true