# ============================================================================
# SECURITY: Minimum release age for npm packages (supply-chain attack defense)
# ============================================================================
#
# This setting requires that any npm package version must have been published
# for at least 1 day (1440 minutes) before pnpm will allow installing it.
# This is a critical defense against supply-chain attacks. In most cases,
# malicious npm releases are discovered and pulled within hours, so a 1-day
# delay provides a strong safety buffer.
#
# DO NOT DISABLE THIS SETTING. Removing or setting it to 0 is considered
# extremely dangerous and leaves the entire workspace vulnerable to supply-
# chain attacks, which have been the #1 vector for npm ecosystem compromises.
#
# If you absolutely need to install a package before the 1-day window has
# passed (e.g. an urgent security bugfix), you can add it to the
# `minimumReleaseAgeExclude` allowlist below. Only consider doing this for
# packages released by trusted organizations with an impeccable security
# posture (e.g. Replit packages, react from Meta, typescript from Microsoft).
# Even then, remove the exclusion once the 1-day window has passed.
#
# Example:
#   minimumReleaseAgeExclude:
#     - react
#     - typescript
#
# ============================================================================
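# Minimum age, in minutes, that a published version must reach before pnpm
# will install it (1440 minutes = 1 day).
minimumReleaseAge: 1440

# Packages matched here skip the age check entirely: a new version becomes
# installable as soon as it is published.
minimumReleaseAgeExclude:
  # Exclude @replit scoped packages from the minimum release age check.
  # These are published by Replit and trusted — the supply-chain attack vector
  # this setting guards against does not apply to our own packages.
  # NOTE(review): that holds only while the scope's publishing credentials
  # stay uncompromised. The wildcard exempts every package under the scope,
  # present and future, and, unlike the temporary exclusions described in the
  # header, this entry is permanent; re-check it whenever this list changes.
  - '@replit/*'
  # NOTE(review): stripe-replit-sync is unscoped, so the @replit justification
  # above does not cover it. Confirm who controls this name on the registry
  # and record the reason for the exemption here.
  - stripe-replit-sync
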
# Workspace members: each directory matched by one of these globs is treated
# as a package of this pnpm workspace.
packages:
  - 'artifacts/*'
  - 'lib/*'
  - 'lib/integrations/*'
  - 'scripts'

# Default catalog: one shared version range per dependency, so workspace
# packages can refer to an entry here instead of repeating the range.
# NOTE(review): the @replit/* entries use caret ranges and are also exempt
# from minimumReleaseAge, so a newly published in-range version can be
# selected with no delay whenever these ranges are re-resolved.
catalog:
  '@replit/vite-plugin-cartographer': '^0.5.1'
  '@replit/vite-plugin-dev-banner': '^0.1.1'
  '@replit/vite-plugin-runtime-error-modal': '^0.0.6'
  '@tailwindcss/vite': '^4.1.14'
  '@tanstack/react-query': '^5.90.21'
  '@types/node': '^25.3.3'
  '@types/react': '^19.2.0'
  '@types/react-dom': '^19.2.0'
  '@vitejs/plugin-react': '^5.0.4'
  class-variance-authority: '^0.7.1'
  clsx: '^2.1.1'
  drizzle-orm: '^0.45.1'
  framer-motion: '^12.23.24'
  lucide-react: '^0.545.0'
  # Pinned to an exact version: expo requires precisely this release.
  react: '19.1.0'
  # Pinned to an exact version: expo requires precisely this release.
  react-dom: '19.1.0'
  tailwind-merge: '^3.3.1'
  tailwindcss: '^4.1.14'
  tsx: '^4.21.0'
  vite: '^7.3.0'
  zod: '^3.25.76'

# Missing peer dependencies are not installed automatically.
autoInstallPeers: false

# Allowlist of dependencies that may run their build (install) scripts.
# Install scripts execute arbitrary code on the installing machine, so keep
# this list as short as possible and review every addition.
onlyBuiltDependencies:
  - '@swc/core'
  - 'esbuild'
  - 'msw'
  - 'unrs-resolver'

# Dependency overrides. A value of '-' removes that dependency from the
# named parent package.
overrides:
  # replit uses linux-x64 only, we can exclude all other platforms.
  # NOTE(review): the musl linux-x64 builds are dropped as well, so this
  # presumably targets a glibc environment — confirm.

  # esbuild platform binaries
  'esbuild>@esbuild/darwin-arm64': '-'
  'esbuild>@esbuild/darwin-x64': '-'
  'esbuild>@esbuild/freebsd-arm64': '-'
  'esbuild>@esbuild/freebsd-x64': '-'
  'esbuild>@esbuild/linux-arm': '-'
  'esbuild>@esbuild/linux-arm64': '-'
  'esbuild>@esbuild/linux-ia32': '-'
  'esbuild>@esbuild/linux-loong64': '-'
  'esbuild>@esbuild/linux-mips64el': '-'
  'esbuild>@esbuild/linux-ppc64': '-'
  'esbuild>@esbuild/linux-riscv64': '-'
  'esbuild>@esbuild/linux-s390x': '-'
  'esbuild>@esbuild/netbsd-arm64': '-'
  'esbuild>@esbuild/netbsd-x64': '-'
  'esbuild>@esbuild/openbsd-arm64': '-'
  'esbuild>@esbuild/openbsd-x64': '-'
  'esbuild>@esbuild/sunos-x64': '-'
  'esbuild>@esbuild/win32-arm64': '-'
  'esbuild>@esbuild/win32-ia32': '-'
  'esbuild>@esbuild/win32-x64': '-'
  'esbuild>@esbuild/aix-ppc64': '-'
  'esbuild>@esbuild/android-arm': '-'
  'esbuild>@esbuild/android-arm64': '-'
  'esbuild>@esbuild/android-x64': '-'
  'esbuild>@esbuild/openharmony-arm64': '-'

  # lightningcss platform binaries
  'lightningcss>lightningcss-android-arm64': '-'
  'lightningcss>lightningcss-darwin-arm64': '-'
  'lightningcss>lightningcss-darwin-x64': '-'
  'lightningcss>lightningcss-freebsd-x64': '-'
  'lightningcss>lightningcss-linux-arm-gnueabihf': '-'
  'lightningcss>lightningcss-linux-arm64-gnu': '-'
  'lightningcss>lightningcss-linux-arm64-musl': '-'
  'lightningcss>lightningcss-linux-x64-musl': '-'
  'lightningcss>lightningcss-win32-arm64-msvc': '-'
  'lightningcss>lightningcss-win32-x64-msvc': '-'

  # @tailwindcss/oxide platform binaries
  '@tailwindcss/oxide>@tailwindcss/oxide-android-arm64': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-darwin-arm64': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-darwin-x64': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-freebsd-x64': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-linux-arm-gnueabihf': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-linux-arm64-gnu': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-linux-arm64-musl': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-win32-arm64-msvc': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-win32-x64-msvc': '-'
  '@tailwindcss/oxide>@tailwindcss/oxide-linux-x64-musl': '-'

  # rollup platform binaries
  'rollup>@rollup/rollup-android-arm-eabi': '-'
  'rollup>@rollup/rollup-android-arm64': '-'
  'rollup>@rollup/rollup-darwin-arm64': '-'
  'rollup>@rollup/rollup-darwin-x64': '-'
  'rollup>@rollup/rollup-freebsd-arm64': '-'
  'rollup>@rollup/rollup-freebsd-x64': '-'
  'rollup>@rollup/rollup-linux-arm-gnueabihf': '-'
  'rollup>@rollup/rollup-linux-arm-musleabihf': '-'
  'rollup>@rollup/rollup-linux-arm64-gnu': '-'
  'rollup>@rollup/rollup-linux-arm64-musl': '-'
  'rollup>@rollup/rollup-linux-loong64-gnu': '-'
  'rollup>@rollup/rollup-linux-loong64-musl': '-'
  'rollup>@rollup/rollup-linux-ppc64-gnu': '-'
  'rollup>@rollup/rollup-linux-ppc64-musl': '-'
  'rollup>@rollup/rollup-linux-riscv64-gnu': '-'
  'rollup>@rollup/rollup-linux-riscv64-musl': '-'
  'rollup>@rollup/rollup-linux-s390x-gnu': '-'
  'rollup>@rollup/rollup-linux-x64-musl': '-'
  'rollup>@rollup/rollup-openbsd-x64': '-'
  'rollup>@rollup/rollup-openharmony-arm64': '-'
  'rollup>@rollup/rollup-win32-arm64-msvc': '-'
  'rollup>@rollup/rollup-win32-ia32-msvc': '-'
  'rollup>@rollup/rollup-win32-x64-gnu': '-'
  'rollup>@rollup/rollup-win32-x64-msvc': '-'

  # @expo/ngrok-bin platform binaries
  '@expo/ngrok-bin>@expo/ngrok-bin-darwin-arm64': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-darwin-x64': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-freebsd-ia32': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-freebsd-x64': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-linux-arm64': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-linux-arm': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-linux-ia32': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-sunos-x64': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-win32-ia32': '-'
  '@expo/ngrok-bin>@expo/ngrok-bin-win32-x64': '-'

  # drizzle-kit uses esbuild internally on an older version that's vulnerable;
  # the two entries below override it.
  # NOTE(review): the advisory is not named here; record it (placeholder:
  # <ADVISORY-ID>) so the pin can be revisited. esbuild is forced to one exact
  # version for every dependent, so it will not pick up later fixes until this
  # line is bumped by hand.
  '@esbuild-kit/esm-loader': 'npm:tsx@^4.21.0'
  esbuild: '0.27.3'