From 3d40607f0dd6b0557f3276be4fc40674e44823ba Mon Sep 17 00:00:00 2001 From: Ian Clanton-Thuon Date: Fri, 17 Apr 2026 16:58:42 -0700 Subject: [PATCH 1/3] Enable strictChangefileValidation. --- common/config/rush/experiments.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/common/config/rush/experiments.json b/common/config/rush/experiments.json index 7dcb8ecd683..f3455db6aba 100644 --- a/common/config/rush/experiments.json +++ b/common/config/rush/experiments.json @@ -124,5 +124,12 @@ * macOS to store extended attributes on filesystems that don't support them, and should generally not * be included in the shared build cache. */ - "omitAppleDoubleFilesFromBuildCache": true + "omitAppleDoubleFilesFromBuildCache": true, + + /** + * If true, "rush change --verify" will report errors if change files reference projects that do not + * exist in the Rush configuration, or if change files target a project that belongs to a lockstepped + * version policy but is not the policy's main project. + */ + "strictChangefileValidation": true } From bd27c002c10555e1cc811b6da1cf8ddbd733f5d1 Mon Sep 17 00:00:00 2001 From: Ian Clanton-Thuon Date: Fri, 17 Apr 2026 16:59:16 -0700 Subject: [PATCH 2/3] Update pnpm-config.json from the template. --- common/config/rush/pnpm-config.json | 65 +++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/common/config/rush/pnpm-config.json b/common/config/rush/pnpm-config.json index 0700850dbfc..c55351814e3 100644 --- a/common/config/rush/pnpm-config.json +++ b/common/config/rush/pnpm-config.json @@ -99,6 +99,58 @@ */ // "minimumReleaseAgeExclude": ["@myorg/*"], + /** + * The trust policy controls whether pnpm should block installation of package versions where + * the trust level has decreased (e.g., a package previously published with provenance is now + * published without it). Setting this to `"no-downgrade"` enables the protection. + * + * (SUPPORTED ONLY IN PNPM 10.21.0 AND NEWER) + * + * PNPM documentation: https://pnpm.io/settings#trustpolicy + * + * Possible values are: `off` and `no-downgrade`. + * The default is `off`. + */ + // "trustPolicy": "no-downgrade", + + /** + * An array of package names or patterns to exclude from the trust policy check. + * These packages will be allowed to install even if their trust level has decreased. + * Patterns are supported using glob syntax (e.g., "@myorg/*" to exclude all packages + * from an organization). + * + * For example: + * + * "trustPolicyExclude": ["@babel/core@7.28.5", "chokidar@4.0.3", "@myorg/*"] + * + * (SUPPORTED ONLY IN PNPM 10.22.0 AND NEWER) + * + * PNPM documentation: https://pnpm.io/settings#trustpolicyexclude + * + * The default value is []. + */ + // "trustPolicyExclude": ["@myorg/*"], + + /** + * The number of minutes after which pnpm will ignore trust level downgrades. Packages + * published longer ago than this threshold will not be blocked even if their trust level + * has decreased. This is useful when enabling strict trust policies, as it allows older versions + * of packages (which may lack a process for publishing with signatures or provenance) to be + * installed without manual exclusion, assuming they are safe due to their age. + * + * For example, the following setting ignores trust level changes for packages published + * more than 14 days ago: + * + * "trustPolicyIgnoreAfterMinutes": 20160 + * + * (SUPPORTED ONLY IN PNPM 10.27.0 AND NEWER) + * + * PNPM documentation: https://pnpm.io/settings#trustpolicyignoreafter + * + * The default value is undefined (no exclusion). + */ + // "trustPolicyIgnoreAfterMinutes": 20160, + /** * If true, then Rush will add the `--strict-peer-dependencies` command-line parameter when * invoking PNPM. This causes `rush update` to fail if there are unsatisfied peer dependencies, @@ -292,6 +344,19 @@ * PNPM documentation: https://pnpm.io/package_json#pnpmpackageextensions */ "globalPackageExtensions": { + // "fork-ts-checker-webpack-plugin": { + // "dependencies": { + // "@babel/core": "1" + // }, + // "peerDependencies": { + // "eslint": ">= 6" + // }, + // "peerDependenciesMeta": { + // "eslint": { + // "optional": true + // } + // } + // } "@emotion/core": { "peerDependencies": { "@types/react": ">=16" From 4460b7b9090a1d835493b3f829459749f637ec11 Mon Sep 17 00:00:00 2001 From: Ian Clanton-Thuon Date: Fri, 17 Apr 2026 16:59:27 -0700 Subject: [PATCH 3/3] Delete chnaagefiles for non-published packages. --- .../move-terminal_2022-01-20-19-34.json | 10 ---------- .../bmiddha-tls-sync_2025-06-27-01-35.json | 10 ---------- .../bmiddha-tls-sync_2025-07-01-00-21.json | 10 ---------- 3 files changed, 30 deletions(-) delete mode 100644 common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json delete mode 100644 common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json delete mode 100644 common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json diff --git a/common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json b/common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json deleted file mode 100644 index c44c0f04e57..00000000000 --- a/common/changes/@rushstack/localization-plugin/move-terminal_2022-01-20-19-34.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "changes": [ - { - "packageName": "@rushstack/localization-plugin", - "comment": "", - "type": "none" - } - ], - "packageName": "@rushstack/localization-plugin" -} \ No newline at end of file diff --git a/common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json b/common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json deleted file mode 100644 index 0fd5df88305..00000000000 --- a/common/changes/@rushstack/tls-sync-vscode-shared/bmiddha-tls-sync_2025-06-27-01-35.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "changes": [ - { - "packageName": "@rushstack/tls-sync-vscode-shared", - "comment": "Add shared utilities for the Workspace and UI TLS Sync VS Code extensions", - "type": "minor" - } - ], - "packageName": "@rushstack/tls-sync-vscode-shared" -} \ No newline at end of file diff --git a/common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json b/common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json deleted file mode 100644 index ea49adc9636..00000000000 --- a/common/changes/tls-sync-vscode-extension-pack/bmiddha-tls-sync_2025-07-01-00-21.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "changes": [ - { - "packageName": "tls-sync-vscode-extension-pack", - "comment": "Add VSCode Extension to sync TLS certificates when using VS Code remoting.", - "type": "minor" - } - ], - "packageName": "tls-sync-vscode-extension-pack" -} \ No newline at end of file