feat: read trustPolicy, trustPolicyExclude, and trustPolicyIgnoreAfter from pnpm-config.json#5751
Merged
iclanton merged 5 commits intomicrosoft:mainfrom Apr 15, 2026
Merged
Conversation
…settings Add first-class support for pnpm trust policy settings in Rush's pnpm-config.json. These settings protect against dependency hijack attacks by blocking installations where a package's trust level has decreased. Each setting has a separate pnpm version check: trustPolicy (>=10.21.0), trustPolicyExclude (>=10.22.0), and trustPolicyIgnoreAfter (>=10.27.0). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fpapado
requested review from
apostolisms,
dmichon-msft,
iclanton and
octogonz
as code owners
Contributor
Author
|
@microsoft-github-policy-service agree company="DoorDash" |
fpapado
changed the title
trustPolicy, trustPolicyExclude, and trustPolicyIgnoreAftertrustPolicy, trustPolicyExclude, and trustPolicyIgnoreAfter from pnpm-config.json
iclanton
approved these changes
Apr 9, 2026
common/changes/@microsoft/rush/feature-add-trust-policy-support_2026-04-07-00-00.json
Outdated
Show resolved
Hide resolved
Co-authored-by: Ian Clanton-Thuon <iclanton@users.noreply.github.com>
...this setting is named like that in user-facing and internal Rush config, but must be surfaced as trustPolicyIgnoreAfter in the synthesised package.json.
iclanton
approved these changes
Apr 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR closes #5750, by adding support for these options in
pnpm-config.json.From a user's perspective, they can now adopt a stricter trust policy, providing defence-in-depth for supply chain vulnerabilities, particularly hijacking of dependency maintainers' tokens and publishing outside of CI. The
trustPolicyExcludeandtrustPolicyIgnoreAfteroptions provide a migration path for adopting the setting, by avoiding errors on known-good (or assumed-good) versions of packages.Details
I largely followed the implementation for
minimumReleaseandminimumReleaseAgeExclude, adding the setting toPnpmOptionsConfigurationand any of the related interfaces. I also updated the docs, largely matching what pnpm describes.This should not have backwards compatibility issues, since these properties are optional (though I suppose if a repo was specifying them assuming they worked, they will now be enforced; I forget if pnpm-config.json is permissive about unknown properties)
How it was tested
I added unit tests to ensure that the config gets passed on.
I'm now looking through the docs about the current recommendation for linking locally, so I can test this on our monorepo at DoorDash.
Impacted documentation
The docs at https://rushjs.io/pages/configs/pnpm-config_json/ are affected, though if I understood the process right, they are covered by the docs changes here? Let me know if not, and I can update the site manually or in whichever process 😌
(Note to self to double-check the api-extractor result, now that I've edited some of the comments)