From d9a86bd690cea677d8e02e561071fab2c0badf3e Mon Sep 17 00:00:00 2001
From: Justin Naismith
Date: Mon, 2 Mar 2026 16:09:27 +1100
Subject: [PATCH] feat(ACQ-6387): increase pnpm security settings for @airtasker/proxay
Apply supply chain security configuration per JS Package Manager guide:
- strictDepBuilds: fail if unlisted packages attempt to run scripts
- blockExoticSubdeps: block non-registry dependency sources
- normalise minimumReleaseAgeExclude to inline string format
Note: allowBuilds entries to be populated separately.
Reference: https://airtasker.atlassian.net/wiki/spaces/ENG/pages/4767645728/JavaScript+Package+Manager+Configuration
Co-Authored-By: Claude Sonnet 4.6
---
 pnpm-workspace.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 82678bd..3d12716 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,5 +1,8 @@
-# Security: 7-day delay before using newly published packages (10,080 minutes)
+# Supply Chain Security Configuration
+# Documentation: https://airtasker.atlassian.net/wiki/spaces/ENG/pages/4767645728/JavaScript+Package+Manager+Configuration
+# Reference: https://pnpm.io/supply-chain-security
+
+strictDepBuilds: true
+blockExoticSubdeps: true
 minimumReleaseAge: 10080
-# Exclude Airtasker packages from release age delay
-minimumReleaseAgeExclude:
- - "@airtasker/*"
+minimumReleaseAgeExclude: '@airtasker/*'
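Review bot: The last added line turns `minimumReleaseAgeExclude` from a YAML list into a bare string, while pnpm documents this setting as a list of patterns, so the exemption may not be read the way it was before. If a given pnpm version rejects the scalar or matches it differently, the result is either a broken install or a release-age exemption wider or narrower than the `@airtasker` scope, and neither would be visible in review. I would keep the list form, `minimumReleaseAgeExclude:` followed by `  - '@airtasker/*'`, or confirm the scalar against the pnpm version pinned for this repo. The hunk also drops the comment explaining the value 10080; a short `# 7 days, in minutes` above `minimumReleaseAge` would keep the cooldown readable.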