pnpm-workspace.yaml
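packages:
  - "src/web"

# 72-hour quarantine on newly published versions to blunt supply-chain attacks
# (compromised packages typically get yanked within hours of discovery, but the
# longer window catches slow-detection cases too). The value is in minutes:
# 4320 min = 72 h.
# Excludes are scopes we publish ourselves and trust on the same release cadence.
# Anything matching an exclude skips the quarantine entirely, so these scopes are
# only as safe as the credentials that can publish to them — keep the list to
# scopes we control.
minimumReleaseAge: 4320
minimumReleaseAgeExclude:
  - "@apify/*"
  - "@apify-packages/*"

# Postinstall protection — pnpm only runs build scripts for packages with `: true` here.
# `: false` is an explicit-deny marker; without it, pnpm re-injects a `"set this to true or false"`
# placeholder on every install. New transitives with build scripts surface as placeholders the first
# time they appear — review them, then change to `true` or `false`.
# A `true` entry lets that package run its install-time script on every machine and CI runner
# that installs this workspace. Keys are package names with no version, so an approval is not
# tied to the release that was reviewed — re-check the script when an allowed package is bumped.
allowBuilds:
  # Postinstall generates the SVG sprite the widget code imports — needed for web build.
  "@apify/ui-icons": true
  # Downloads the sentry-cli binary used by `sentry-cli sourcemaps upload` in CI.
  # NOTE(review): the lockfile hash covers the npm tarball, not a binary fetched at install
  # time — confirm how the package verifies that download.
  "@sentry/cli": true
  # Native binary install per platform — esbuild won't run without it.
  esbuild: true
  # Pulled transitively (algoliasearch → ...). Postinstall just patches a long-deprecated
  # `node ./scripts/postinstall` helper; not needed for our use.
  protobufjs: false

# pnpm 11's default is `true`, which fails `pnpm install --frozen-lockfile` whenever a new
# build-script transitive lands. We keep the security benefit (only allowlisted scripts run)
# without making installs flaky on every dependency bump.
# Trade-off: with `false`, an unreviewed build script is skipped instead of failing the install,
# so nothing blocks a merge when a new placeholder appears under `allowBuilds`. Review then
# depends on someone noticing it; a CI check that rejects non-boolean values under
# `allowBuilds` would close that gap.
strictDepBuilds: false

# Dependency version overrides. pnpm 11 reads these from the workspace manifest, not package.json.
# This is an exact pin, so it has to be bumped by hand when the SDK ships a fix we need.
overrides:
  "@modelcontextprotocol/sdk": "1.29.0"

# Required by pnpm v10+ modern `pnpm deploy`: workspace deps get copied ("injected")
# into consumers' node_modules instead of symlinked, so deploy output is portable.
# No effect on installs in this repo today — the root package has no `workspace:*` deps.
injectWorkspacePackages: true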