diff --git a/common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json b/common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json deleted file mode 100644 index c44c0f04e57..00000000000 --- a/common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "changes": [ - { - "packageName": "@rushstack/localization-plugin", - "comment": "", - "type": "none" - } - ], - "packageName": "@rushstack/localization-plugin" -} \ No newline at end of file diff --git a/common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json b/common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json deleted file mode 100644 index 0fd5df88305..00000000000 --- a/common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "changes": [ - { - "packageName": "@rushstack/tls-sync-vscode-shared", - "comment": "Add shared utilities for the Workspace and UI TLS Sync VS Code extensions", - "type": "minor" - } - ], - "packageName": "@rushstack/tls-sync-vscode-shared" -} \ No newline at end of file diff --git a/common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json b/common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json deleted file mode 100644 index ea49adc9636..00000000000 --- a/common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "changes": [ - { - "packageName": "tls-sync-vscode-extension-pack", - "comment": "Add VSCode Extension to sync TLS certificates when using VS Code remoting.", - "type": "minor" - } - ], - "packageName": "tls-sync-vscode-extension-pack" -} \ No newline at end of file diff --git a/common/config/rush/experiments.json b/common/config/rush/experiments.json index 7dcb8ecd683..f3455db6aba 100644 --- a/common/config/rush/experiments.json +++ b/common/config/rush/experiments.json @@ -124,5 +124,12 @@ * macOS to store extended attributes on filesystems that don't support them, and should generally not * be included in the shared build cache. */ - "omitAppleDoubleFilesFromBuildCache": true + "omitAppleDoubleFilesFromBuildCache": true, + + /** + * If true, "rush change --verify" will report errors if change files reference projects that do not + * exist in the Rush configuration, or if change files target a project that belongs to a lockstepped + * version policy but is not the policy's main project. + */ + "strictChangefileValidation": true } diff --git a/common/config/rush/pnpm-config.json b/common/config/rush/pnpm-config.json index 0700850dbfc..c55351814e3 100644 --- a/common/config/rush/pnpm-config.json +++ b/common/config/rush/pnpm-config.json @@ -99,6 +99,58 @@ */ // "minimumReleaseAgeExclude": ["@myorg/*"], + /** + * The trust policy controls whether pnpm should block installation of package versions where + * the trust level has decreased (e.g., a package previously published with provenance is now + * published without it). Setting this to `"no-downgrade"` enables the protection. + * + * (SUPPORTED ONLY IN PNPM 10.21.0 AND NEWER) + * + * PNPM documentation: https://pnpm.io/settings#trustpolicy + * + * Possible values are: `off` and `no-downgrade`. + * The default is `off`. + */ + // "trustPolicy": "no-downgrade", + + /** + * An array of package names or patterns to exclude from the trust policy check. + * These packages will be allowed to install even if their trust level has decreased. + * Patterns are supported using glob syntax (e.g., "@myorg/*" to exclude all packages + * from an organization). + * + * For example: + * + * "trustPolicyExclude": ["@babel/core@7.28.5", "chokidar@4.0.3", "@myorg/*"] + * + * (SUPPORTED ONLY IN PNPM 10.22.0 AND NEWER) + * + * PNPM documentation: https://pnpm.io/settings#trustpolicyexclude + * + * The default value is []. + */ + // "trustPolicyExclude": ["@myorg/*"], + + /** + * The number of minutes after which pnpm will ignore trust level downgrades. Packages + * published longer ago than this threshold will not be blocked even if their trust level + * has decreased. This is useful when enabling strict trust policies, as it allows older versions + * of packages (which may lack a process for publishing with signatures or provenance) to be + * installed without manual exclusion, assuming they are safe due to their age. + * + * For example, the following setting ignores trust level changes for packages published + * more than 14 days ago: + * + * "trustPolicyIgnoreAfterMinutes": 20160 + * + * (SUPPORTED ONLY IN PNPM 10.27.0 AND NEWER) + * + * PNPM documentation: https://pnpm.io/settings#trustpolicyignoreafter + * + * The default value is undefined (no exclusion). + */ + // "trustPolicyIgnoreAfterMinutes": 20160, + /** * If true, then Rush will add the `--strict-peer-dependencies` command-line parameter when * invoking PNPM. This causes `rush update` to fail if there are unsatisfied peer dependencies, @@ -292,6 +344,19 @@ * PNPM documentation: https://pnpm.io/package_json#pnpmpackageextensions */ "globalPackageExtensions": { + // "fork-ts-checker-webpack-plugin": { + // "dependencies": { + // "@babel/core": "1" + // }, + // "peerDependencies": { + // "eslint": ">= 6" + // }, + // "peerDependenciesMeta": { + // "eslint": { + // "optional": true + // } + // } + // } "@emotion/core": { "peerDependencies": { "@types/react": ">=16"