From 6bb65ee7e10da6afae82b2e2df6a8db101d76af3 Mon Sep 17 00:00:00 2001 From: jdalton Date: Fri, 24 Apr 2026 22:19:50 -0400 Subject: [PATCH 1/2] chore(pnpm): declare autoInstallPeers + enablePrePostScripts in pnpm-workspace.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pnpm v11 reads settings from pnpm-workspace.yaml (and the npm-compat subset from .npmrc), not from .pnpmrc. Declaring pnpm defaults explicitly in pnpm-workspace.yaml hardens against future default flips — a silent pnpm change can't quietly disable husky's prepare hook or flip peer-install behavior across the fleet. Settings added: - autoInstallPeers: true pnpm default, declared explicitly - enablePrePostScripts: true pnpm default, declared explicitly (husky) Everything else is already correctly configured in socket-cli: - minimumReleaseAge, saveExact, strictPeerDependencies, trustPolicy, trustPolicyExclude, allowBuilds, pmOnFail, minimumReleaseAgeExclude — all in pnpm-workspace.yaml. - ignore-scripts, min-release-age, trust-policy — in .npmrc (the npm-compat subset pnpm reads from). No change to actual install behavior; this just locks in the current behavior against future pnpm default changes.
---
 pnpm-workspace.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 2402f1bfd..220432030 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -216,6 +216,15 @@ overrides:
 yaml: 'catalog:'
 yargs-parser: 'catalog:'
 
+# Auto-install missing peer deps (pnpm default). Declared explicitly
+# so a future default flip can't silently change install behavior.
+autoInstallPeers: true
+
+# Run pre/post lifecycle scripts on the workspace root (e.g.
+# prepare -> husky). This is the pnpm default; declared explicitly
+# so a future default flip can't silently disable husky setup.
+enablePrePostScripts: true
+
 # Patched dependencies (migrated from package.json pnpm.patchedDependencies).
 patchedDependencies:
 '@npmcli/run-script@10.0.4': patches/@npmcli__run-script@10.0.4.patch
From 9192848249a557eb3799d048334925f931e53cf7 Mon Sep 17 00:00:00 2001 From: jdalton Date: Fri, 24 Apr 2026 22:34:26 -0400 Subject: [PATCH 2/2] chore(npm): drop dead trust-policy lines from .npmrc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit npm does not support `trust-policy` or `trust-policy-exclude[]` — neither setting is in the npm v11 config reference. They are pnpm-only settings (`trustPolicy` / `trustPolicyExclude`) that pnpm reads from pnpm-workspace.yaml, not from .npmrc. The .npmrc entries were silent no-ops. socket-cli already has the correct values in pnpm-workspace.yaml: trustPolicy: no-downgrade trustPolicyExclude: - undici@6.21.3 Removing the dead lines. No behavioral change — the real policy was already being applied via pnpm-workspace.yaml.
---
 .npmrc | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.npmrc b/.npmrc
index 9efdcbe6d..9c7382baf 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,5 +1,3 @@
 # npm v11+ settings (not pnpm — pnpm v11 only reads auth/registry from .npmrc).
 ignore-scripts=true
 min-release-age=7
-trust-policy=no-downgrade
-trust-policy-exclude[]=undici@6.21.3
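Review bot: The comment above `enablePrePostScripts: true` in the pnpm-workspace.yaml hunk ties the setting to the root `prepare` hook, but as pnpm documents it this option only decides whether `pnpm run <name>` also runs `pre<name>` and `post<name>`; `prepare` is an install lifecycle script and does not appear to be governed by it. If that reading holds, pinning this value does not protect husky setup, and the comment overstates which script-execution behaviour is being locked in. I would reword it to `# Run pre<name>/post<name> around "pnpm run <name>" (pnpm default); declared explicitly.` and state in a second comment which setting actually gates install-time scripts for pnpm. That matters here because the .npmrc comment in the second patch says pnpm v11 reads only auth/registry from .npmrc, so `ignore-scripts=true` there presumably constrains npm alone.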