From ba74622b64edeb1709f5f586e9411c4be99ceae6 Mon Sep 17 00:00:00 2001 From: Justin Naismith Date: Mon, 2 Mar 2026 16:11:44 +1100 Subject: [PATCH] feat(ACQ-6393): increase pnpm security settings for @airtasker/react-backbone-connect Apply supply chain security configuration per JS Package Manager guide: - strictDepBuilds: fail if unlisted packages attempt to run scripts - blockExoticSubdeps: block non-registry dependency sources - normalise minimumReleaseAgeExclude to inline string format Note: allowBuilds entries to be populated separately. Reference: https://airtasker.atlassian.net/wiki/spaces/ENG/pages/4767645728/JavaScript+Package+Manager+Configuration Co-Authored-By: Claude Sonnet 4.6
---
 pnpm-workspace.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 2c25c6b..fcafe61 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -3,6 +3,11 @@ ignoredBuiltDependencies:
 - core-js-pure
 - fsevents
+# Supply Chain Security Configuration
+# Documentation: https://airtasker.atlassian.net/wiki/spaces/ENG/pages/4767645728/JavaScript+Package+Manager+Configuration
+# Reference: https://pnpm.io/supply-chain-security
+
+strictDepBuilds: true
+blockExoticSubdeps: true
 minimumReleaseAge: 10080
-minimumReleaseAgeExclude:
-- '@airtasker/*'
+minimumReleaseAgeExclude: '@airtasker/*'
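Review bot: The last added line turns `minimumReleaseAgeExclude` from a sequence into a bare scalar, while pnpm documents this setting as a list of patterns; whether a plain string is accepted is not visible in this patch, and if it is not read as intended the `@airtasker/*` exemption would either stop applying or be misparsed. If a one-line form is wanted, a flow sequence keeps the documented type: `minimumReleaseAgeExclude: ['@airtasker/*']`. Separately, `strictDepBuilds` and `blockExoticSubdeps` only protect installs run by a pnpm release that knows these keys, and an older client would presumably skip them without failing, so it is worth confirming that the repository pins a suitable version (for example through the `packageManager` field in package.json). Since `allowBuilds` is left for a later change, a short comment beside `strictDepBuilds: true` saying that `ignoredBuiltDependencies` is the only build-script decision recorded so far would tell the next reader why installs may start failing on unreviewed packages.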