From 33a653c15bf9ee090b0de8e279fd34ff94a52726 Mon Sep 17 00:00:00 2001
From: Sheraff
Date: Sun, 17 May 2026 16:01:28 +0200
Subject: [PATCH] security: stricter pnpm config blockExoticSubdeps & trustPolicy
---
 .github/workflows/pr.yml | 12 ------------
 pnpm-workspace.yaml | 2 ++
 2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 77ff5e14..598630ab 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -47,18 +47,6 @@ jobs:
 run: pnpm run build:all
 - name: Publish Previews
 run: pnpx pkg-pr-new publish --pnpm --compact './packages/*' --template './examples/*/*'
- provenance:
- name: Provenance
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Check Provenance
- uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
- with:
- fail-on-downgrade: true
 version-preview:
 name: Version Preview
 runs-on: ubuntu-latest
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 06908ae0..6ae0c5ac 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,6 +1,8 @@
 cleanupUnusedCatalogs: true
 linkWorkspacePackages: true
 preferWorkspacePackages: true
+blockExoticSubdeps: true
+trustPolicy: 'no-downgrade'
 packages:
 - 'packages/*'
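Review bot: The two added settings in `pnpm-workspace.yaml`, `blockExoticSubdeps: true` and `trustPolicy: 'no-downgrade'`, are only enforced by a pnpm release that knows them, and nothing in this patch pins the pnpm version, so an older pnpm on a contributor machine or runner would presumably skip the check without failing. The same commit deletes the `provenance` job (with `fail-on-downgrade: true`) from `.github/workflows/pr.yml`, so there is no longer an independent CI backstop. It is worth confirming that the CI install step still fails on a trust downgrade already committed to the lockfile, since a frozen-lockfile install may not re-resolve packages. I would pin the minimum pnpm version (for example via `packageManager` in `package.json`, which is not shown here) and add a comment above the new lines such as `# Supply-chain hardening: replaces the CI provenance job; requires a pnpm version that supports these settings`.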