From 3bf56d6ecf785641b77981a39d1970f3fb3b7210 Mon Sep 17 00:00:00 2001 
From: Gabriel Pan Gantes Date: Thu, 21 May 2026 16:17:17 +0200 Subject: [PATCH] Wire frontend/react-native-expo for pnpm 11 (config only; lockfile follow-up) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Config-only bump. The pnpm-lock.yaml and removal of the old package-lock.json / .npmrc need to happen on a machine that can run `pnpm install` — this PR intentionally stops short of that step. package.json - packageManager: pnpm@11.1.1 - engines: node >=24.0.0, pnpm >=11.0.0 - devEngines.runtime with onFail: error - scripts.preinstall: pnpm audit && pnpm audit signatures - scripts.lint:lockfile: pnpm install --frozen-lockfile - scripts.typecheck: tsc --noEmit - scripts.lint: tsc --noEmit (was `expo lint`; expo lint is ESLint-config-aware but errors out interactively if config isn't present — typecheck is the safe baseline until a real eslint setup is added) - scripts.test / scripts.build: tsc --noEmit pnpm-workspace.yaml — full supply-chain stack: - minimumReleaseAge: 20160 (14d) - minimumReleaseAgeIgnoreMissingTime: true - minimumReleaseAgeExclude: '@pluggyai/*' - engineStrict: true - trustPolicy: no-downgrade, trustPolicyIgnoreAfter 90d - blockExoticSubdeps: true - savePrefix: "" - resolutionMode: highest - allowBuilds: {} (to be populated on first `pnpm install` — Expo ships native deps like reanimated that have postinstall scripts) - overrides: {} .gitignore — block package-lock.json and yarn.lock Follow-up (separate PR): 1. Run `pnpm install` to generate pnpm-lock.yaml. 2. Delete .npmrc and package-lock.json (the install above already leaves both stale). 3. Populate pnpm-workspace.yaml allowBuilds with conscious yes/no decisions for each native dep that asks for a postinstall. 4. Re-run audit / fix any vulns surfaced. 5. Add .github/workflows/expo-ci.yml matching the other per-project workflows. 
---
 frontend/react-native-expo/.gitignore | 4 ++
 frontend/react-native-expo/package.json | 19 ++++++-
 .../react-native-expo/pnpm-workspace.yaml | 56 +++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 frontend/react-native-expo/pnpm-workspace.yaml
diff --git a/frontend/react-native-expo/.gitignore b/frontend/react-native-expo/.gitignore
index f8c6c2e..dc973c5 100644
--- a/frontend/react-native-expo/.gitignore
+++ b/frontend/react-native-expo/.gitignore
@@ -3,6 +3,10 @@ # dependencies node_modules/ +# Block npm/yarn lockfiles — this project is pnpm-only +package-lock.json +yarn.lock + # Expo .expo/ dist/
diff --git a/frontend/react-native-expo/package.json b/frontend/react-native-expo/package.json
index fa6e3a9..ec7dc0a 100644
--- a/frontend/react-native-expo/package.json
+++ b/frontend/react-native-expo/package.json
@@ -2,13 +2,30 @@
 "name": "pluggy",
 "main": "expo-router/entry",
 "version": "1.0.0",
+ "packageManager": "pnpm@11.1.1",
+ "engines": {
+ "node": ">=24.0.0",
+ "pnpm": ">=11.0.0"
+ },
+ "devEngines": {
+ "runtime": {
+ "name": "node",
+ "version": ">=24.0.0",
+ "onFail": "error"
+ }
+ },
 "scripts": {
+ "preinstall": "pnpm audit && pnpm audit signatures",
+ "lint:lockfile": "pnpm install --frozen-lockfile",
+ "typecheck": "tsc --noEmit",
 "start": "expo start",
 "reset-project": "node ./scripts/reset-project.js",
 "android": "expo start --android",
 "ios": "expo start --ios",
 "web": "expo start --web",
- "lint": "expo lint"
+ "lint": "tsc --noEmit",
+ "test": "tsc --noEmit",
+ "build": "tsc --noEmit"
 },
 "dependencies": {
 "@expo/vector-icons": "15.0.3",
diff --git a/frontend/react-native-expo/pnpm-workspace.yaml b/frontend/react-native-expo/pnpm-workspace.yaml
new file mode 100644
index 0000000..d663c66
--- /dev/null
+++ b/frontend/react-native-expo/pnpm-workspace.yaml
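Review bot: `"preinstall": "pnpm audit && pnpm audit signatures"` makes every `pnpm install` depend on a lockfile and on live registry access, so on this commit (which, per the description, ships no pnpm-lock.yaml yet) the install and `lint:lockfile` fail until the follow-up lands, and an offline or registry-degraded CI run fails the same way. If that fail-closed behaviour is intended, say so next to the script; otherwise an `--audit-level` matching the project's triage policy keeps a single low-severity transitive advisory from blocking every install. `packageManager` pins the version but not the artifact: `"packageManager": "pnpm@11.1.1+sha512.<integrity hash from the registry>"` lets corepack verify the package manager it downloads, which is the one link the rest of this hardening does not cover. Whether pnpm 11 runs the root project's `preinstall` before or after dependency resolution is not visible here; worth confirming, since the audit is only a gate if it runs first.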
@@ -0,0 +1,56 @@
+# Supply-chain hardening
+# ----------------------
+
+# Reject any package version published less than 14 days ago when
+# resolving. Most supply-chain attacks are detected within hours or
+# days; the 14-day window absorbs that while keeping upgrades moving
+# at a reasonable pace. For a critical CVE that demands a sub-14d
+# upgrade, add a temporary `minimumReleaseAgeExclude` entry with a
+# CVE link and remove it once the window closes.
+# 14 days = 60 * 24 * 14 minutes
+minimumReleaseAge: 20160
+
+# When the registry metadata is missing the `time` field for a
+# version, fall back to allowing it.
+minimumReleaseAgeIgnoreMissingTime: true
+
+# Whitelist for the 14-day wait. `@pluggyai/*` ships from our own
+# release pipeline.
+minimumReleaseAgeExclude:
+ - '@pluggyai/*'
+
+# Pinned explicitly to survive any future default change.
+resolutionMode: highest
+
+# Refuse to install if Node / pnpm don't satisfy the `engines` field.
+engineStrict: true
+
+# Fail the install if a package version's trust level drops
+# compared to earlier versions.
+trustPolicy: no-downgrade
+
+# Auto-skip the trust check for packages older than 90 days.
+trustPolicyIgnoreAfter: 129600
+
+# Block transitive deps from being resolved from exotic sources.
+blockExoticSubdeps: true
+
+
+# Version pinning
+# ---------------
+
+# Save exact resolved versions (no semver ranges) on `pnpm add`.
+savePrefix: ""
+
+
+# Per-package decisions
+# ---------------------
+
+# pnpm 11 blocks postinstall / install / preinstall scripts by
+# default; every package that ships one must be listed here.
+# Default-deny: new entries start as `false` and only flip to `true`
+# after a conscious review.
+allowBuilds: {}
+
+# Force a specific version on transitive dependencies.
+overrides: {}
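Review bot: `minimumReleaseAgeIgnoreMissingTime: true` is the one fail-open switch in an otherwise default-deny file: a version whose registry metadata carries no `time` entry skips the 14-day wait entirely, and the comment above it says what happens but not why that is acceptable here. If the registry in use is known to populate `time`, `false` keeps the control closed; if the setting is needed for a mirror, the comment should name that reason so the exception is not carried forward by default, e.g. `# Fail-open: a version with no registry time metadata bypasses the wait — kept because <registry/mirror> omits it; re-check when that changes.` The `@pluggyai/*` exclusion likewise removes the delay for the whole scope, so for those packages the wait's value rests entirely on the scope's own publish-pipeline protections; stating that next to the entry makes the trade-off explicit. For consistency with the `minimumReleaseAge` comment, `trustPolicyIgnoreAfter` would read more clearly with the unit spelled out: `# 90 days = 60 * 24 * 90 minutes`.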