@KATO-Hiro KATO-Hiro commented Feb 3, 2026

close #2561

Summary by CodeRabbit

  • Documentation
    • Added plan documenting pnpm workspace configuration implementation with detailed setting explanations and guidance
  • Chores
    • Updated workspace configuration with controls for package adoption timing, version exclusions for specific dependencies, and transitive dependency source restrictions

coderabbitai bot commented Feb 3, 2026

Walkthrough

The changes introduce security-focused configuration for pnpm by adding minimumReleaseAge settings to delay package installations by one day, excluding specific dependencies for faster updates, and enabling blockExoticSubdeps to prevent non-registry transitive dependencies. Accompanying documentation outlines the implementation plan and rationale.

Changes

Cohort / File(s): Summary

Security Configuration (pnpm-workspace.yaml): Adds minimumReleaseAge (1440 minutes), minimumReleaseAgeExclude list (prisma, @prisma/client, tsx), and blockExoticSubdeps (true) to enforce supply chain security controls.

Implementation Documentation (docs/dev-notes/2026-02-03/set-minimumReleaseAge-with-pnpm/plan.md): Detailed plan documenting the pnpm security configuration changes, rationale, affected dependencies, verification steps, and lessons learned on balancing security with developer productivity.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hop-hop-hooray for safer seas!
With pnpm guards and exclusion pleas,
We block the exotic, delay the new,
Yet Prisma flies fast—security through! 🛡️✨

Pre-merge checks: 5 passed

Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'security: Set min release age with pnpm' accurately describes the main change of adding minimumReleaseAge configuration to pnpm, which is the primary objective of the PR.
Linked Issues check: Passed. The PR successfully implements the objective from issue #2561 to configure pnpm with minimumReleaseAge as a security measure against supply-chain attacks.
Out of Scope Changes check: Passed. All changes are directly related to the minimumReleaseAge configuration and supporting documentation; no out-of-scope modifications detected.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


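What the three pnpm-workspace.yaml settings summarized above actually enforce, as an added example that is not code from this PR or from pnpm itself: the registry metadata is constructed, and the pattern used to recognise non-registry ("exotic") specifiers is a simplified assumption, not pnpm's own rule.

```javascript
// Added example, not code from the PR or from pnpm: a small model of the three
// pnpm-workspace.yaml settings this PR introduces, run against constructed data.
const MINUTE_MS = 60_000;

// Mirrors the values the PR sets in pnpm-workspace.yaml.
const config = {
  minimumReleaseAge: 1440,                                   // minutes (one day)
  minimumReleaseAgeExclude: ['prisma', '@prisma/client', 'tsx'],
  blockExoticSubdeps: true,
};

// Constructed metadata shaped like the npm registry's per-package "time" map.
const NOW = Date.parse('2026-02-03T12:00:00Z');
const registry = {
  lodash: { time: { '4.17.21': '2021-02-20T00:00:00Z', '4.17.22': '2026-02-03T09:00:00Z' } },
  tsx:    { time: { '4.19.0': '2026-02-03T11:30:00Z' } },
  newlib: { time: { '1.0.0': '2026-02-03T10:00:00Z' } },
};

function compareSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version that is old enough under minimumReleaseAge; packages listed in
// minimumReleaseAgeExclude skip the delay. Returns null when no version
// qualifies yet, which is the case where an install would stall on a new release.
function pickVersion(name, cfg = config, now = NOW) {
  const times = registry[name]?.time ?? {};
  const excluded = cfg.minimumReleaseAgeExclude.includes(name);
  const cutoff = now - cfg.minimumReleaseAge * MINUTE_MS;
  const ok = Object.keys(times)
    .filter((v) => /^\d+\.\d+\.\d+$/.test(v))                 // skip "created"/"modified"
    .filter((v) => excluded || Date.parse(times[v]) <= cutoff)
    .sort(compareSemver);
  return ok.length ? ok[ok.length - 1] : null;
}

// blockExoticSubdeps: a transitive dependency must come from the registry, not
// from git, a tarball URL or a local path. Assumed pattern, not pnpm's own logic.
function isExoticSpec(spec) {
  return /^(git\+|git:|github:|https?:|file:)/.test(spec);
}

function subdepAllowed(spec, cfg = config) {
  return !(cfg.blockExoticSubdeps && isExoticSpec(spec));
}

console.log(pickVersion('lodash'), pickVersion('tsx'), pickVersion('newlib'));
console.log(subdepAllowed('^4.17.0'), subdepAllowed('git+https://github.com/x/y.git'));
```

Running it shows the trade-off the PR's plan notes: lodash resolves to the day-old 4.17.21 rather than the three-hour-old 4.17.22, tsx gets its newest release immediately because it is excluded, and a package whose only release is newer than one day has no eligible version at all.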

@KATO-Hiro KATO-Hiro left a comment

LGTM

@KATO-Hiro KATO-Hiro merged commit d658832 into staging Feb 3, 2026
3 checks passed
@KATO-Hiro KATO-Hiro deleted the #2561 branch February 3, 2026 13:06

Linked issue (may be closed by merging this pull request):

[Dev] Let's set minimumReleaseAge in pnpm