
chore(repo): Harden pnpm-workspace settings#8226

Open
dominic-clerk wants to merge 2 commits into main from dc-harden-pnpm

Conversation


@dominic-clerk dominic-clerk commented Apr 2, 2026

Description

Supply chain hardening tips from https://pnpm.io/supply-chain-security

blockExoticSubdeps: transitive dependencies must be resolved from a trusted source, such as the configured registry, local file paths, workspace links, or trusted GitHub repositories (node, bun, deno).

trustPolicy: pnpm will fail if a package's trust level has decreased compared to previous releases. For example, if a package was previously published by a trusted publisher but now only has provenance or no trust evidence, installation will fail. This helps prevent installing potentially compromised versions.

The challenge with trustPolicy is that when a version 1.x is developed in parallel with a 2.x but only 2.x has provenance / trusted publishing, any updates in the 1.x line will be flagged as a trust downgrade because a "previous" (chronologically) package from the 2.x line was more trustworthy. This explains the list of exceptions in the pnpm-workspace.yaml file.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other: pnpm config

Summary by CodeRabbit

  • Chores
    • Updated workspace-level dependency resolution configuration.

`blockExoticSubdeps`: transitive dependencies must be resolved from a trusted source, such as the configured registry, local file paths, workspace links, or trusted GitHub repositories (node, bun, deno).

`trustPolicy`: pnpm will fail if a package's trust level has decreased compared to previous releases. For example, if a package was previously published by a trusted publisher but now only has provenance or no trust evidence, installation will fail. This helps prevent installing potentially compromised versions.

vercel bot commented Apr 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: clerk-js-sandbox | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 2, 2026 9:47am



changeset-bot bot commented Apr 2, 2026

⚠️ No Changeset found

Latest commit: c5b294f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Apr 2, 2026

📝 Walkthrough

The pull request updates pnpm-workspace.yaml: it removes a blank line after minimumReleaseAge: 2880, adds trustPolicy: no-downgrade, adds a trustPolicyExclude list with specific package/version ranges, and sets blockExoticSubdeps: true. No other configuration keys (packages, catalogs, minimumReleaseAgeExclude) or public code entities were changed. Lines changed: +26/-1.

🚥 Pre-merge checks: ✅ 3 passed

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: hardening pnpm-workspace configuration settings for supply-chain security by adding trust policies and blocking exotic subdependencies.

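An added example, not the PR's own pnpm-workspace.yaml (which is not reproduced on this page), showing how the four settings named in the description and in the walkthrough above fit together in one workspace file. The package names under trustPolicyExclude are placeholders, and the name@range selector syntax is an assumption to check against the pnpm documentation for the version in use.

```yaml
# Added example of a hardened pnpm-workspace.yaml. Not the PR's file:
# the keys are the ones the PR names, the exclusion entries are
# placeholders, and the selector syntax is assumed.
packages:
  - 'packages/*'

# Refuse to install a version until it has been published for this many
# minutes (2880 min = 48 h), so a hijacked release has a window in which
# it can be noticed and pulled before it reaches this workspace.
minimumReleaseAge: 2880

# Fail the install when a package's trust evidence is weaker than in an
# earlier release (trusted publisher -> provenance only -> no evidence).
trustPolicy: no-downgrade

# Parallel release lines: if only the newer major line has provenance or
# trusted publishing, every 1.x patch looks like a downgrade next to the
# chronologically earlier 2.x release. Scope the exception to the older
# line instead of exempting the whole package.
# (Placeholder names; name@range selector syntax is an assumption.)
trustPolicyExclude:
  - 'example-legacy-pkg@<2'
  - '@example-scope/example-pkg@<3'

# Transitive dependencies may only resolve from the configured registry,
# local file paths, workspace links, or the trusted GitHub repositories
# (node, bun, deno). A git or tarball URL pulled in by a subdependency
# fails the install instead of being fetched silently.
blockExoticSubdeps: true
```

After changing these keys, run a fresh `pnpm install` and treat each failure as a finding: a trust downgrade on an actively maintained older line gets a narrowly scoped trustPolicyExclude entry, while an exotic subdependency is better replaced or pinned to a registry release than waved through by relaxing blockExoticSubdeps.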


pkg-pr-new bot commented Apr 2, 2026


  • @clerk/agent-toolkit: npm i https://pkg.pr.new/@clerk/agent-toolkit@8226
  • @clerk/astro: npm i https://pkg.pr.new/@clerk/astro@8226
  • @clerk/backend: npm i https://pkg.pr.new/@clerk/backend@8226
  • @clerk/chrome-extension: npm i https://pkg.pr.new/@clerk/chrome-extension@8226
  • @clerk/clerk-js: npm i https://pkg.pr.new/@clerk/clerk-js@8226
  • @clerk/dev-cli: npm i https://pkg.pr.new/@clerk/dev-cli@8226
  • @clerk/expo: npm i https://pkg.pr.new/@clerk/expo@8226
  • @clerk/expo-passkeys: npm i https://pkg.pr.new/@clerk/expo-passkeys@8226
  • @clerk/express: npm i https://pkg.pr.new/@clerk/express@8226
  • @clerk/fastify: npm i https://pkg.pr.new/@clerk/fastify@8226
  • @clerk/hono: npm i https://pkg.pr.new/@clerk/hono@8226
  • @clerk/localizations: npm i https://pkg.pr.new/@clerk/localizations@8226
  • @clerk/nextjs: npm i https://pkg.pr.new/@clerk/nextjs@8226
  • @clerk/nuxt: npm i https://pkg.pr.new/@clerk/nuxt@8226
  • @clerk/react: npm i https://pkg.pr.new/@clerk/react@8226
  • @clerk/react-router: npm i https://pkg.pr.new/@clerk/react-router@8226
  • @clerk/shared: npm i https://pkg.pr.new/@clerk/shared@8226
  • @clerk/tanstack-react-start: npm i https://pkg.pr.new/@clerk/tanstack-react-start@8226
  • @clerk/testing: npm i https://pkg.pr.new/@clerk/testing@8226
  • @clerk/ui: npm i https://pkg.pr.new/@clerk/ui@8226
  • @clerk/upgrade: npm i https://pkg.pr.new/@clerk/upgrade@8226
  • @clerk/vue: npm i https://pkg.pr.new/@clerk/vue@8226

commit: c5b294f

@dominic-clerk dominic-clerk changed the title chore: Harden pnpm-workspace settings chore(repo): Harden pnpm-workspace settings Apr 2, 2026