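---
# This is the workspace definition for the gitrest release group. See https://pnpm.io/pnpm-workspace_yaml for more
# information about the format.
#
# Guidelines for updating this file:
#
# 1. Keep the entries alphabetical wherever possible.
# 2. DO NOT end a glob with "**". E.g. "packages/**". Doing so can include unexpected packages. This is especially true
#    of packages for which we build ESM and CJS. Such packages sometimes have package.json files in their source or
#    output directories during compilation.

packages:
  - "packages/*"

# Supply chain security settings - see /DEV.md for documentation

# Minimum age, in minutes, that a published version must reach before pnpm will resolve to it; 1440 = 24 hours.
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  # Exclude all @fluidframework scoped packages from the minimumReleaseAge check, because they are published
  # internally and oftentimes we need to update immediately after a previous internal release.
  # Note: the glob matches every package in the scope, not only the ones built from this repo, so any package
  # published under @fluidframework bypasses the age check.
  - "@fluidframework/*"
resolutionMode: highest
blockExoticSubdeps: true
trustPolicy: no-downgrade

# List of packages known to be safe but for whatever reason were published at a date after another version of the same
# package (including later major versions) which had better provenance information.
# ALWAYS REVIEW CAREFULLY BEFORE ADDING SOMETHING TO THIS LIST.
# Each entry records the prior trusted version, the publisher, and why the downgrade is accepted, so the exception can
# be re-checked the next time the dependency is bumped. Entries pin the exact exempted version(s); a newer publish on
# the same line is not covered unless it is added here.
trustPolicyExclude:
  # @octokit/endpoint@9.0.6 (published 2025-02-14, by octokitbot) — pipeline regression.
  # Prior trusted: @octokit/endpoint@10.1.3 (provenance, 2025-02-13, by octokitbot), with
  # verified provenance from octokit/endpoint.js .github/workflows/release.yml @ refs/heads/main.
  # Same publisher account (octokitbot); the v9 maintenance branch publish bypassed release.yml.
  # Pulled in transitively via danger@13 → @octokit/rest@20 → @octokit/core@5 → @octokit/request@8.
  # No reachable direct-dep bump escapes this without overriding @octokit/rest itself.
  - "@octokit/endpoint@9.0.6"

  # semver@5.7.2 (published 2023-07-10, by lukekarrys) — legacy maintenance line.
  # Prior trusted: semver@7.5.4 (provenance, 2023-07-07, by npm-cli-ops).
  # Different publisher account because the 5.x and 6.x maintenance lines are
  # hand-published by lukekarrys (a long-time npm/node-semver maintainer), while the
  # current 7.x line publishes through the npm-cli OIDC/Actions pipeline. The 5.x/6.x
  # lines will not be retroactively re-published with provenance. Pulled in by widely-
  # used legacy tooling that pins ^5 / ^6.
  # Note: multiple versions of the same package must be combined with "||" — pnpm's
  # trust-policy evaluator returns on the first name match and does not aggregate
  # subsequent entries for the same package.
  - "semver@5.7.2||6.3.1"

  # undici-types@6.21.0 (published 2024-11-13, by matteo.collina) — pipeline regression.
  # Prior trusted: undici-types@6.19.2 (provenance, 2024-06-18, by matteo.collina).
  # Same publisher (undici project lead). Type-only package (.d.ts shipped from undici
  # repo); provenance attestation was lost on a subsequent 6.x release.
  - "undici-types@6.21.0"

# Install-time strictness: fail fast on unexpected build scripts, engine mismatches, lockfile drift and peer conflicts
# rather than silently resolving around them.
strictDepBuilds: true
engineStrict: true
frozenLockfile: true
linkWorkspacePackages: true
strictPeerDependencies: true
updateNotifier: false
# pnpm 11 enabled this check by default, which runs a frozen-lockfile install before every `pnpm run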