pnpm-workspace.yaml

# This is the workspace definition for the client release group. See https://pnpm.io/pnpm-workspace_yaml for more
# information about the format.
#
# Guidelines for updating this file:
#
# 1. Keep the entries alphabetical wherever possible.
# 2. Be careful when using globs that end with "**". E.g. "packages/**". Doing so can include unexpected packages. This
#    is especially true of packages for which we build ESM and CJS. Such packages sometimes have package.json files in
#    their source or output directories during compilation.

packages:
  - "azure/packages/**"
  - "examples/**"
  - "experimental/**"
  - "packages/**"
  - "tools/markdown-magic"

  # exclude any package.json files that are inside src or output directories
  - "!**/dist/**"
  - "!**/lib/**"
  - "!**/src/**"

# Supply chain security settings - see /DEV.md for documentation
minimumReleaseAge: 1440
minimumReleaseAgeExclude: [
  # Temporary exceptions go here as needed.
]
resolutionMode: highest
blockExoticSubdeps: true
trustPolicy: no-downgrade
trustPolicyExclude:
  # axios@0.30.3 is the last legitimate 0.30.x release (published 2026-02-18). The trust
  # downgrade fires because 0.30.x was published via direct CLI rather than the OIDC/GitHub
  # Actions provenance pipeline used by earlier versions. The compromised versions were
  # 0.30.4 and 1.14.1 (supply chain attack on 2026-03-31, attributed to Sapphire Sleet).
  # See: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
  - "axios@0.30.3"
strictDepBuilds: true

catalogs:
  # Build-tools packages
  buildTools:
    "@fluid-tools/build-cli": ^0.65.0
    "@fluid-tools/version-tools": ^0.65.0
    "@fluidframework/build-tools": ^0.65.0
    "@fluidframework/bundle-size-tools": ^0.65.0
  # eslint and related packages
  eslint:
    "@fluidframework/eslint-config-fluid": "^9.0.0"
    "eslint": "~9.39.1"
    "eslint-config-prettier": "~10.1.8"
  # Type definitions
  types:
    "@types/node": "~22.19.17"