
security: stricter pnpm config blockExoticSubdeps & trustPolicy #569

Merged: AlemTuzlak merged 2 commits into TanStack:main from Sheraff:stricter-pnpm-deps-config on May 19, 2026

Conversation

@Sheraff (Contributor) commented May 17, 2026

Summary

  • Enable pnpm's no-downgrade trust policy.
  • Block exotic transitive dependencies with blockExoticSubdeps.
  • Remove redundant provenance-action downgrade CI check.

Validation

  • pnpm install --frozen-lockfile

Summary by CodeRabbit

  • Chores
    • Streamlined CI/CD workflow by removing a provenance verification step
    • Enhanced dependency management security with updated workspace configuration settings
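Added example, not code from the PR or from the TanStack project: a JavaScript scan over a pnpm-lock.yaml that lists every package resolved from a non-registry source (git repository, tarball URL, local directory), which is the class of transitive dependency the blockExoticSubdeps setting in this PR refuses. It assumes the lockfileVersion 9 layout (2-space package keys under `packages:`, 4-space `resolution:` maps) and runs on a constructed lockfile excerpt whose names, URLs and hashes are made up.

```javascript
// Added example (not from the PR): list the packages in a pnpm-lock.yaml that resolve from
// somewhere other than the registry (git, tarball URL, local directory), the "exotic" sources
// blockExoticSubdeps refuses for transitive dependencies. Assumes the lockfileVersion 9 layout:
// package keys at indent 2 under `packages:`, their `resolution:` map at indent 4.
// Constructed sample lockfile excerpt; names, URLs and hashes are made up.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
packages:
  '@scope/registry-pkg@1.2.3':
    resolution: {integrity: sha512-CONSTRUCTED}
  'tarball-pkg@https://example.invalid/tarball-pkg-1.0.0.tgz':
    resolution: {tarball: https://example.invalid/tarball-pkg-1.0.0.tgz}
  'git-pkg@git+https://example.invalid/org/git-pkg.git#abc123':
    resolution: {type: git, repo: https://example.invalid/org/git-pkg.git, commit: abc123}
  'local-pkg@file:../local-pkg':
    resolution: {directory: ../local-pkg, type: directory}
`;
// Walk the packages: section, pairing each package key with its resolution line.
function parseLockfilePackages(lockfileText) {
  const packages = [];
  let section = null;
  for (const raw of lockfileText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(':')) { section = line.slice(0, -1); continue; }
    if (section !== 'packages') continue;
    if (indent === 2 && line.endsWith(':')) {
      packages.push({ name: line.slice(0, -1).replace(/^'|'$/g, ''), resolution: '' });
    } else if (indent === 4 && line.startsWith('resolution:') && packages.length) {
      packages[packages.length - 1].resolution = line.slice('resolution:'.length).trim();
    }
  }
  return packages;
}

// Why a package counts as exotic, or null for a registry package carrying only an integrity hash.
function exoticReason(pkg) {
  const spec = pkg.name.match(/@(git\+|https?:\/\/|file:|link:)/);
  if (spec) return `non-registry specifier (${spec[1]})`;
  if (/\btype:\s*git\b/.test(pkg.resolution)) return 'git resolution';
  if (/\btarball:/.test(pkg.resolution)) return 'tarball resolution';
  if (/\bdirectory:/.test(pkg.resolution)) return 'local directory resolution';
  return null;
}
function findExoticPackages(lockfileText) {
  return parseLockfilePackages(lockfileText)
    .map((p) => ({ name: p.name, reason: exoticReason(p) })).filter((p) => p.reason !== null);
}
for (const f of findExoticPackages(SAMPLE_LOCKFILE)) console.log(`exotic: ${f.name} (${f.reason})`);
```

Running this over a real lockfile before turning the setting on shows which transitive dependencies pnpm would reject, so the policy change can be planned instead of discovered at install time.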


@Sheraff Sheraff requested a review from a team as a code owner May 17, 2026 14:09
@coderabbitai Bot (Contributor) commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 43ef8ce1-49bc-49f8-9a95-1561e7d0c904

📥 Commits

Reviewing files that changed from the base of the PR and between 2c5d32f and 4a793aa.

📒 Files selected for processing (2)
  • .github/workflows/pr.yml
  • pnpm-workspace.yaml
💤 Files with no reviewable changes (1)
  • .github/workflows/pr.yml

📝 Walkthrough

This PR removes the provenance CI job from the PR workflow and adds workspace-level dependency trust policies to pnpm-workspace.yaml, configuring the workspace to block exotic subdependencies and enforce no-downgrade version constraints.

Changes

Dependency Trust Configuration

  • Workspace dependency trust settings (pnpm-workspace.yaml): Workspace configuration adds blockExoticSubdeps: true and trustPolicy: 'no-downgrade' to enforce dependency version stability.
  • CI provenance job removal (.github/workflows/pr.yml): The provenance job that ran danielroe/provenance-action is removed, eliminating the dedicated workflow-level provenance check.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A hop through config, clean and lean,
Trust policies reign, no downgrades seen,
Workflows now lighter, provenance passed,
Dependencies stable, held firm and fast!

🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The description deviates from the required template. While it includes a summary and validation section, it omits the required checklist items and release impact assessment that are part of the template structure. Resolution: Add the complete checklist items (Contributing guide, test:pr) and Release Impact section to align with the repository's pull request description template.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'security: stricter pnpm config blockExoticSubdeps & trustPolicy' clearly and specifically describes the main changes: enabling stricter pnpm configuration with blockExoticSubdeps and trustPolicy settings.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@nx-cloud Bot commented May 17, 2026

View your CI Pipeline Execution ↗ for commit 4a793aa

  • Command: nx run-many --targets=build --exclude=examples/**
  • Status: ✅ Succeeded (duration 3s)

☁️ Nx Cloud last updated this comment at 2026-05-19 08:39:52 UTC

@pkg-pr-new Bot commented May 17, 2026


Preview builds published for this PR:

  • @tanstack/ai: npm i https://pkg.pr.new/@tanstack/ai@569
  • @tanstack/ai-anthropic: npm i https://pkg.pr.new/@tanstack/ai-anthropic@569
  • @tanstack/ai-client: npm i https://pkg.pr.new/@tanstack/ai-client@569
  • @tanstack/ai-code-mode: npm i https://pkg.pr.new/@tanstack/ai-code-mode@569
  • @tanstack/ai-code-mode-skills: npm i https://pkg.pr.new/@tanstack/ai-code-mode-skills@569
  • @tanstack/ai-devtools-core: npm i https://pkg.pr.new/@tanstack/ai-devtools-core@569
  • @tanstack/ai-elevenlabs: npm i https://pkg.pr.new/@tanstack/ai-elevenlabs@569
  • @tanstack/ai-event-client: npm i https://pkg.pr.new/@tanstack/ai-event-client@569
  • @tanstack/ai-fal: npm i https://pkg.pr.new/@tanstack/ai-fal@569
  • @tanstack/ai-gemini: npm i https://pkg.pr.new/@tanstack/ai-gemini@569
  • @tanstack/ai-grok: npm i https://pkg.pr.new/@tanstack/ai-grok@569
  • @tanstack/ai-groq: npm i https://pkg.pr.new/@tanstack/ai-groq@569
  • @tanstack/ai-isolate-cloudflare: npm i https://pkg.pr.new/@tanstack/ai-isolate-cloudflare@569
  • @tanstack/ai-isolate-node: npm i https://pkg.pr.new/@tanstack/ai-isolate-node@569
  • @tanstack/ai-isolate-quickjs: npm i https://pkg.pr.new/@tanstack/ai-isolate-quickjs@569
  • @tanstack/ai-ollama: npm i https://pkg.pr.new/@tanstack/ai-ollama@569
  • @tanstack/ai-openai: npm i https://pkg.pr.new/@tanstack/ai-openai@569
  • @tanstack/ai-openrouter: npm i https://pkg.pr.new/@tanstack/ai-openrouter@569
  • @tanstack/ai-preact: npm i https://pkg.pr.new/@tanstack/ai-preact@569
  • @tanstack/ai-react: npm i https://pkg.pr.new/@tanstack/ai-react@569
  • @tanstack/ai-react-ui: npm i https://pkg.pr.new/@tanstack/ai-react-ui@569
  • @tanstack/ai-solid: npm i https://pkg.pr.new/@tanstack/ai-solid@569
  • @tanstack/ai-solid-ui: npm i https://pkg.pr.new/@tanstack/ai-solid-ui@569
  • @tanstack/ai-svelte: npm i https://pkg.pr.new/@tanstack/ai-svelte@569
  • @tanstack/ai-utils: npm i https://pkg.pr.new/@tanstack/ai-utils@569
  • @tanstack/ai-vue: npm i https://pkg.pr.new/@tanstack/ai-vue@569
  • @tanstack/ai-vue-ui: npm i https://pkg.pr.new/@tanstack/ai-vue-ui@569
  • @tanstack/openai-base: npm i https://pkg.pr.new/@tanstack/openai-base@569
  • @tanstack/preact-ai-devtools: npm i https://pkg.pr.new/@tanstack/preact-ai-devtools@569
  • @tanstack/react-ai-devtools: npm i https://pkg.pr.new/@tanstack/react-ai-devtools@569
  • @tanstack/solid-ai-devtools: npm i https://pkg.pr.new/@tanstack/solid-ai-devtools@569

commit: 4a793aa

@AlemTuzlak AlemTuzlak merged commit 3026ee6 into TanStack:main May 19, 2026
10 checks passed
