From a3213fe905e6384f4b222ac7742746c5c72cd18d Mon Sep 17 00:00:00 2001
From: Sheraff
Date: Sun, 17 May 2026 16:04:35 +0200
Subject: [PATCH] security: stricter pnpm config blockExoticSubdeps & trustPolicy
---
 .github/workflows/pr.yml | 12 ------------
 pnpm-workspace.yaml | 2 ++
 2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 2510519..5bbba31 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -53,18 +53,6 @@ jobs:
 run: pnpm run build:all
 - name: Publish Previews
 run: pnpx pkg-pr-new publish --pnpm --compact './packages/*' --no-template
- provenance:
- name: Provenance
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Check Provenance
- uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
- with:
- fail-on-downgrade: true
 version-preview:
 name: Version Preview
 runs-on: ubuntu-latest
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 840fb9b..bc72deb 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,6 +1,8 @@
 cleanupUnusedCatalogs: true
 linkWorkspacePackages: true
 preferWorkspacePackages: true
+blockExoticSubdeps: true
+trustPolicy: 'no-downgrade'
 peerDependencyRules:
 allowedVersions:
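Review bot: The two keys added to pnpm-workspace.yaml become the only downgrade enforcement, because the same commit deletes the `Provenance` job (`fail-on-downgrade: true`) from pr.yml, yet nothing in the patch shows that the pnpm version in use recognises them. Both settings are fairly recent additions to pnpm, and an older release would likely skip the unknown keys without failing, so please confirm that the `packageManager` pin (not visible here) is new enough for both CI and local installs. It is also worth confirming that the policy is actually evaluated on pull requests and not only on the machine that first resolves a new version, since the deleted job ran on every PR. A short comment above each key would help the next maintainer, e.g. `# transitive deps may not resolve from git or tarball URLs` and `# fail the install when a package's publish trust level drops`. The trailing context of this hunk may be incomplete in this view.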