# Hoist packages matching these patterns into the root node_modules, which
# makes them resolvable by any code in the workspace, not only by the
# packages that declare them. Keep the list as short as possible: every
# entry widens what undeclared (phantom) imports can reach.
# NOTE(review): presumably required by the Temporal SDK and its gRPC /
# protobuf dependencies — confirm each entry is still needed.
public-hoist-pattern[]=@temporalio/*
public-hoist-pattern[]=@grpc/*
public-hoist-pattern[]=protobufjs
public-hoist-pattern[]=@protobufjs/*
public-hoist-pattern[]=long

# Refuse to install npm versions published less than 7 days ago.
# Buys time for the registry / community to yank malicious releases
# before they land in our lockfile (e.g. GHSA-g7cv-rxg3-hmpx, May 2026).
# The value is in minutes: 10080 = 7 * 24 * 60.
# Trade-off: legitimate security fixes are held back for the same 7 days.
# An urgent patch should go through a deliberate, reviewed exception
# (pnpm's `minimumReleaseAgeExclude` setting) rather than lowering this value.
minimum-release-age=10080

# Pin exact versions on `pnpm add` — no ^ / ~ ranges. The lockfile already
# resolves to exact versions, but pinning the manifest too keeps the source
# of truth honest and prevents accidental drift on a future `pnpm update`.
# Scope: this only affects specs written by later `pnpm add` runs. Ranges
# already present in package.json are not rewritten, and transitive
# dependencies stay pinned by the lockfile alone.
save-exact=true

# Do not implicitly run the project's own `pre*` / `post*` scripts:
# with this off, `pnpm run foo` runs only `foo`, not `prefoo` / `postfoo`.
# NOTE(review): this setting does not govern lifecycle scripts of installed
# dependencies (`preinstall`, `install`, `postinstall`, `prepare`). Those are
# controlled by the `onlyBuiltDependencies` allowlist in pnpm-workspace.yaml
# and by `ignore-scripts` / `ignore-dep-scripts`. On its own, this line would
# therefore not have blocked the Mini Shai-Hulud vector (a `prepare` hook on
# a malicious git-ref optionalDependency); treat the allowlist as the actual
# control. TODO confirm that the pnpm version in use applies the allowlist
# to `prepare` scripts of git-hosted dependencies.
enable-pre-post-scripts=false
