pnpm-workspace.yaml
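# Workspace members: the repository root package and the examples directory.
packages:
  - .
  - examples

# strict: dependency versions are expected to come from the catalogs below,
# so a version cannot be introduced ad hoc in an individual package.json.
catalogMode: strict

# Named catalogs: one shared version range per dependency, grouped by role.
# The entries must stay nested under their catalog name. Flattened, the
# repeated names (ai, zod, '@anthropic-ai/claude-agent-sdk') become duplicate
# keys, and most YAML parsers silently keep only the last value.
# These are ranges, not pins: what gets installed is decided at resolution
# time, so review lockfile changes together with any edit made here.
catalogs:
  dev:
    '@ai-sdk/openai': ^3.0.2
    ai: ^6.0.7
    '@fast-check/vitest': ^0.2.0
    '@clack/prompts': ^0.11.0
    '@hono/mcp': ^0.1.4
    '@types/node': ^22.13.5
    '@vitest/coverage-v8': ^4.0.15
    hono: ^4.9.10
    knip: ^5.72.0
    msw: ^2.10.4
    publint: ^0.3.12
    tsdown: ^0.17.2
    type-fest: ^4.41.0
    unplugin-unused: ^0.5.4
    vitest: ^4.0.15
    zod: ^4.3.0
  examples:
    '@anthropic-ai/claude-agent-sdk': ^0.2.12
    '@tanstack/ai': ^0.3.0
    '@tanstack/ai-openai': ^0.3.0
  peer:
    '@anthropic-ai/claude-agent-sdk': ^0.2.12
    '@anthropic-ai/sdk': ^0.72.1
    # Comparator ranges are quoted: a plain scalar cannot start with '>'.
    ai: '>=5.0.108 <7.0.0'
    openai: ^6.2.0
    zod: '>=3.25.0 <5'
  prod:
    '@modelcontextprotocol/sdk': ^1.24.3
    '@orama/orama': ^3.1.11
    defu: ^6.1.4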
# Run the pre<name>/post<name> hooks around this workspace's own
# package.json scripts (dependency build scripts are governed separately).
enablePrePostScripts: true

# Release cooldown in minutes (1440 = 24 hours): versions published more
# recently than this are not picked up by installs.
minimumReleaseAge: 1440

# Packages exempt from the cooldown above. A newly published version of any
# of these installs immediately, so a compromised release gets no delay
# window. Keep the list short and review each addition.
minimumReleaseAgeExclude:
  - '@ai-sdk/gateway'
  - '@ai-sdk/openai'
  - '@ai-sdk/provider'
  - '@ai-sdk/provider-utils'
  - '@anthropic-ai/claude-agent-sdk'
  - '@tanstack/ai'
  - '@tanstack/ai-openai'
  - ai

# Execute package.json scripts through pnpm's built-in shell emulation
# rather than the platform shell.
shellEmulator: true
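# Security settings (supply chain attack prevention)
# See: https://pnpm.io/settings

# Fails the install when a dependency ships a build script that has not been
# reviewed in allowBuilds, instead of skipping that script silently.
# Lifecycle scripts (postinstall, etc.) in dependencies run only for the
# packages listed in allowBuilds.
# Prevents Shai-Hulud-style worm attacks that exploit automatic script
# execution.
strictDepBuilds: true

# true: allow build scripts, false: block build scripts
# Entries must stay nested under allowBuilds; at top level they are not part
# of the allow-list. Each `true` is code that runs at install time, so
# re-review this list whenever one of these packages is upgraded.
allowBuilds:
  esbuild: true
  msw: true

# Blocks dependencies from non-registry sources (Git repos, tarball URLs)
# Going by the setting name this applies to transitive dependencies; direct
# dependencies still need review in package.json.
# Prevents PhantomRaven-style attacks that bypass npm scanning
blockExoticSubdeps: true

# Prevents trust level downgrades between package versions
# Blocks installations when publisher credentials downgrade from GitHub OIDC
# to basic auth
trustPolicy: no-downgrade

# Exemptions from the trust policy. The entry names one exact version, so
# other releases of the package are presumably still checked. Remove the
# entry once that version is no longer resolved.
trustPolicyExclude:
  - undici-types@6.21.0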