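# This is the workspace definition for the client release group. See https://pnpm.io/pnpm-workspace_yaml for more
# information about the format.
#
# Guidelines for updating this file:
#
# 1. Keep the entries alphabetical wherever possible.
# 2. Be careful when using globs that end with "**". E.g. "packages/**". Doing so can include unexpected packages. This
#    is especially true of packages for which we build ESM and CJS. Such packages sometimes have package.json files in
#    their source or output directories during compilation.
# 3. Most of these settings are important from a supply chain security perspective.
#    Edit with care, and see /DEV.md and https://pnpm.io/settings for more information.

# Only the packages listed here may run their lifecycle (install/postinstall) scripts. Add an entry only after
# reviewing the script the package runs, and remove the entry when the dependency goes away.
allowBuilds:
  "@azure/msal-node-extensions": true
  "@azure/msal-node-runtime": true
  "@biomejs/biome": true
  "@parcel/watcher": true
  "@vvago/vale": true
  classic-level: true
  core-js: true
  esbuild: true
  keytar: true
  msgpackr-extract: true
  puppeteer: true
  unrs-resolver: true

blockExoticSubdeps: true

# Version strings are quoted throughout so that no YAML parser can reinterpret them as numbers.
catalogs:
  # Build-tools packages
  buildTools:
    "@fluid-tools/build-cli": "^0.65.0"
    "@fluid-tools/build-infrastructure": "^0.65.0"
    "@fluid-tools/version-tools": "^0.65.0"
    "@fluidframework/build-tools": "^0.65.0"

  # eslint and related packages
  eslint:
    "@fluidframework/eslint-config-fluid": "^13.0.0"
    eslint: "~9.39.1"
    eslint-config-prettier: "~10.1.8"

  # Type definitions
  types:
    "@types/node": "~22.19.17"

engineStrict: true

frozenLockfile: true

linkWorkspacePackages: true

# Minimum age, in minutes, of dependencies before they can be installed.
# See /DEV.md and https://pnpm.io/settings#minimumreleaseage for more information.
minimumReleaseAge: 1440

# Entries here bypass the release-age window above, so each one re-exposes the workspace to a freshly
# published version. Temporary exceptions go here as needed: name the package and version, say why, and
# remove the entry once the needed version has aged past the threshold.
minimumReleaseAgeExclude: []

# Overrides apply to every matching package in the lockfile, including transitive dependencies. Each
# security override below states the vulnerability it addresses so it can be retired once no consumer
# still requests the affected range.
overrides:
  # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation,
  # so overriding it forces a version that meets peer dependency requirements to be installed.
  "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4"

  # Uncomment all or some below and run `pnpm install --no-frozen-lockfile` to apply
  # these overrides to use locally built build-tools packages.
  # "@fluid-tools/build-cli": "link:./build-tools/packages/build-cli"
  # "@fluid-tools/build-infrastructure": "link:./build-tools/packages/build-infrastructure"
  # "@fluid-tools/version-tools": "link:./build-tools/packages/version-tools"
  # "@fluidframework/build-tools": "link:./build-tools/packages/build-tools"

  # node types are forced to a consistent version to avoid conflicts between globals.
  "@types/node": catalog:types

  # axios pre-1.0 needs an override to stay current on a version with no reported CVEs.
  # Caret dependencies aren't enough on a pre-1.0 package.
  axios@<0.30.0: "^0.30.0"
  # Force vulnerable axios ^1.15.0 requests to the patched 1.15.1. This is an exact pin, not a range,
  # so bumping it is a deliberate step rather than something a resolver does on its own.
  axios@^1.15.0: "1.15.1"

  # diff is overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x
  # have no fix in their major range so they are bumped to the nearest patched major.
  diff@>=3 <4: "^4.0.4"
  diff@>=5 <6: "^5.2.2"
  diff@>=7 <8: "^8.0.3"
  diff@>=8 <9: "^8.0.3"

  # express is overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
  express@>=4 <5: "^4.22.1"

  # Resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity expansion, stack overflow).
  # Stays within @langchain/anthropic's declared ^4.4.1 range.
  fast-xml-parser: "^4.5.4"

  # nodegit is replaced with an empty package here because it's currently only used by good-fences for
  # features we do not need, and has issues building when changing node versions.
  # See https://github.com/smikula/good-fences/issues/105 for details.
  # Note that using '-' to completely drop it results in build failures complaining about nodegit not being there.
  good-fences>nodegit: npm:empty-npm-package@1.0.0

  # Resolve a known security vulnerability.
  # The consumer declares ^0.3.x so the override is needed to cross the minor version boundary.
  langsmith: "^0.5.15"

  # Resolve a known security vulnerability.
  minimatch@>=3 <4: "^3.1.5"
  minimatch@>=5 <6: "^5.1.9"
  minimatch@>=6 <7: "^6.2.3"
  minimatch@>=7 <8: "^7.4.9"
  minimatch@>=8 <9: "^8.0.7"
  minimatch@>=9 <10: "^9.0.9"
  minimatch@>=10 <11: "^10.2.4"

  # Resolve known security vulnerabilities.
  node-forge: "^1.4.0"

  # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies.
  # This helps reduce lockfile churn since the deps release very frequently.
  oclif>@aws-sdk/client-cloudfront: "-"
  oclif>@aws-sdk/client-s3: "-"

  # Resolve a known security vulnerability.
  picomatch@>=2 <3: "^2.3.2"
  picomatch@>=4 <5: "^4.0.4"

  # Resolve a known vulnerability in older versions.
  qs: "^6.15.0"

  # Resolve GHSA-5c6j-r48x-rmvq.
  # No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).
  serialize-javascript@>=6 <7: "^7.0.4"

  # Resolve a CG alert.
  simple-git: "^3.32.3"

  # codemirror and marked overrides are because simplemde uses * versions, and the fully up-to-date
  # versions of its deps do not work. packageExtensions was tried to fix this, but did not work.
  simplemde>codemirror: "^5.65.11"
  simplemde>marked: "^4.3.0"

  # Resolve command injection vulnerabilities.
  systeminformation: "^5.31.0"

  # Security overrides to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
  # GHSA-34x7-hfp2-rc4v).
  tar: "^7.5.11"

packages:
  - "azure/packages/**"
  - "examples/**"
  - "experimental/**"
  - "packages/**"
  - "tools/markdown-magic"
  # exclude bundle-analysis output directories, which can contain package.json files from
  # webpack bundle stats (e.g. examples/utils/bundle-size-tests).
  - "!**/bundleAnalysis/**"
  # exclude the inner FluidFramework enlistment used by examples/utils/bundle-size-tests for
  # cross-revision bundle comparison (see `flub generate bundleAnalysisReposWithComparison`, which clones
  # the inner repo into /base-repo).
  - "!**/compareBundlesOutput/**"
  # exclude any package.json files that are inside src or output directories
  - "!**/dist/**"
  - "!**/lib/**"
  - "!**/src/**"
  # exclude sub-workspaces for compat tests — these are managed separately with their own lockfiles
  - "!**/compat-workspaces/**"

patchedDependencies:
  "@microsoft/api-extractor@7.58.1": patches/@microsoft__api-extractor@7.58.1.patch

peerDependencyRules:
  # The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't
  # seem to be maintained and it works fine with React 18. TODO: AB#18876
  allowedVersions:
    react: "18.3.1"
    react-dom: "18.3.1"
  ignoreMissing:
    # oclif includes some AWS-related features, but we don't use them, so we ignore @aws-sdk peer
    # dependencies.
    - "@aws-sdk/*"
    # @types/node is ignored because it is usually not needed by packages, and if it is, then the
    # package will hit a compilation failure.
    - "@types/node"
    # Peer dependencies on fluid-framework are never fulfilled since that's an in-repo dependency;
    # we expect a customer using some packages to install it as a dependency.
    - fluid-framework
    # markdown-magic is provided by another dependency so is ignored here.
    - markdown-magic

# Hoist these dependencies to the root workspace
publicHoistPattern:
  - "@arethetypeswrong/cli"

resolutionMode: highest

strictDepBuilds: true

strictPeerDependencies: true

# See: https://github.com/orgs/pnpm/discussions/11084 for some discussion.
# Enabling no-downgrade requires every transitive trust-policy violation to either be remediated
# at the source or excluded below with a documented rationale. Run `flub check trustPolicy` to
# surface current violations.
trustPolicy: no-downgrade

# Each exclusion below names a specific version (or a "||"-joined set of versions) and records the
# publisher/provenance comparison that justifies it. Re-review an entry when the transitive path that
# pulls it in changes, or when a provenance-backed release of the package becomes reachable.
trustPolicyExclude:
  # @octokit/endpoint@9.0.6 (published 2025-02-14, by octokitbot) — pipeline regression.
  # Prior trusted: @octokit/endpoint@10.1.3 (provenance, 2025-02-13, by octokitbot), with
  # verified provenance from octokit/endpoint.js .github/workflows/release.yml @ refs/heads/main.
  # Same publisher account (octokitbot); the v9 maintenance branch publish bypassed release.yml.
  # Pulled in transitively via danger@13 → @octokit/rest@20 → @octokit/core@5 → @octokit/request@8.
  # No reachable direct-dep bump escapes this without overriding @octokit/rest itself.
  - "@octokit/endpoint@9.0.6"

  # axios@0.30.3 is the last legitimate 0.30.x release (published 2026-02-18). The trust
  # downgrade fires because 0.30.x was published via direct CLI rather than the OIDC/GitHub
  # Actions provenance pipeline used by earlier versions. The compromised versions were
  # 0.30.4 and 1.14.1 (supply chain attack on 2026-03-31, attributed to Sapphire Sleet).
  # See: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
  - "axios@0.30.3"

  # chokidar@4.0.3 (published 2024-12-18, by paulmillr) — pipeline regression.
  # Prior trusted: chokidar@4.0.1 (provenance, 2024-09-22, by paulmillr).
  # Same publisher (sole maintainer); provenance attestation was dropped after 4.0.1.
  # Pulled in transitively via mocha@11 (chokidar ^4.0.1) and sass@1 (chokidar ^4.0.0).
  # chokidar@5.0.0 has restored provenance but no upstream consumer pins ^5 yet.
  - "chokidar@4.0.3"

  # detect-port@1.6.1 (published 2024-05-08, by fengmk2) — pipeline regression.
  # Prior trusted: detect-port@1.6.0 (provenance, 2024-05-08, by fengmk2).
  # Same publisher; provenance attestation was lost on the immediately-following patch release.
  # Pulled in transitively under @fluidframework/azure-local-service.
  - "detect-port@1.6.1"

  # semver@5.7.2 (published 2023-07-10, by lukekarrys) — legacy maintenance line.
  # Prior trusted: semver@7.5.4 (provenance, 2023-07-07, by npm-cli-ops).
  # Different publisher account because the 5.x and 6.x maintenance lines are
  # hand-published by lukekarrys (a long-time npm/node-semver maintainer), while the
  # current 7.x line publishes through the npm-cli OIDC/Actions pipeline. The 5.x/6.x
  # lines will not be retroactively re-published with provenance. Pulled in by widely-
  # used legacy tooling that pins ^5 / ^6.
  # Note: multiple versions of the same package must be combined with "||" — pnpm's
  # trust-policy evaluator returns on the first name match and does not aggregate
  # subsequent entries for the same package.
  - "semver@5.7.2||6.3.1"

  # undici-types@6.21.0 (published 2024-11-13, by matteo.collina) — pipeline regression.
  # Prior trusted: undici-types@6.19.2 (provenance, 2024-06-18, by matteo.collina).
  # Same publisher (undici project lead). Type-only package (.d.ts shipped from undici
  # repo); provenance attestation was lost on a subsequent 6.x release.
  - "undici-types@6.21.0"

# Disable pnpm update notifications since we use corepack to install package managers
updateNotifier: false

# pnpm 11 enabled this check by default, which runs a frozen-lockfile install before every `pnpm run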