Feat/strict pnpm rules #136
Open
WybeBosch wants to merge 9 commits into
WybeBosch
commented
Jun 18, 2026
Mirrors the pnpm minimumReleaseAge policy: hold new dependency versions for 7 days before opening update PRs, excluding @yardinternet/* packages.
…mmit Remove the pre-commit hook so commits are instant, and move the quality gate to pre-push via a single "verify" script that runs lint:js, the new check-only format:check:js, and tests. Any failure cancels the push.
Enable prettier format-on-save and eslint/stylelint fix-on-save so formatting is handled in-editor, complementing the pre-push gate.
Pull request overview
This PR tightens pnpm-related supply-chain and workflow consistency across the Yard Toolkit monorepo by delaying adoption of newly published dependency versions, pinning/validating toolchain versions, and aligning local/CI developer checks.
Changes:
- Add pnpm rules to delay new dependency versions for 7 days (excluding `@yardinternet/*`) and pin pnpm via `packageManager` with an integrity hash.
- Pin Prettier to `wp-prettier@3.0.3`, add a format check script, and introduce a `verify` script used by Husky pre-push.
- Adjust release tooling and dependency update tooling (Lerna publish commit message and Dependabot cooldown), and add workspace VS Code settings.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| `pnpm-workspace.yaml` | Adds `minimumReleaseAge` and an exclude pattern for internal packages. |
| `package.json` | Pins pnpm with integrity, pins Prettier, and adds `format:check:js` + `verify` scripts. |
| `lerna.json` | Updates Lerna publish commit message. |
| `.vscode/settings.json` | Adds repo VS Code defaults for formatting and linting on save. |
| `.husky/pre-push` | Runs `pnpm verify` instead of only tests. |
| `.husky/pre-commit` | Removes the previous lint-staged pre-commit hook. |
| `.github/dependabot.yml` | Adds a 7-day cooldown with an exclude for internal packages. |
Comments suppressed due to low confidence (1)
package.json:36

`lint-staged` is still listed as a devDependency, but the only Husky hook that invoked it (`.husky/pre-commit`) has been removed and there are no other references to `lint-staged` in the repo. Keeping an unused dependency increases the supply-chain surface and maintenance overhead; either remove it or reintroduce a hook/script that uses it.

```json
"prettier": "npm:wp-prettier@3.0.3",
"@yardinternet/toolkit": "workspace:*",
"husky": "^9.1.7",
"lerna": "^9.0.4",
"lint-staged": "^16.2.7",
```
e7a80d2 to a164047
Pull request overview
Copilot reviewed 7 out of 8 changed files in this pull request and generated no new comments.
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
Comments suppressed due to low confidence (1)
package.json:37

`lint-staged` is still installed/configured (see `.lintstagedrc.json` and this devDependency), but the `.husky/pre-commit` hook was removed in this PR. That makes `lint-staged` effectively unused and keeps an extra dependency in the supply chain. Consider either reintroducing a pre-commit hook that runs `lint-staged`, or removing `lint-staged` (and the config) entirely.

```json
"prettier": "npm:wp-prettier@3.0.3",
"@yardinternet/toolkit": "workspace:*",
"husky": "^9.1.7",
"lerna": "^9.0.4",
"lint-staged": "^16.2.7",
"syncpack": "^14.0.0",
```
Stricter pnpm settings to seal off the supply chain a bit better and keep the tooling consistent.

What changes:

- `minimumReleaseAge` set to 7 days (10080 min): new versions of dependencies are only installed once they are at least a week old. Our own packages (`@yardinternet/*`) are excluded.
- `packageManager` so that Corepack verifies the pnpm version.
- `wp-prettier@3.0.3`, otherwise the `parenSpacing` disappears when formatting.
- `chore: lerna publish`.
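
An added example, not code from this PR or from pnpm: a simplified model of the release-age gate described above, showing which published versions a 10080-minute hold with an `@yardinternet/*` exclusion would allow or hold back on a given day. The package names, timestamps, the `classify` and `isExcluded` helpers and the scope-matching rule are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of a minimum-release-age gate.
// Not pnpm's implementation; the package data below is constructed.
const MIN_AGE_MINUTES = 10080; // 7 days, the value stated in the PR description
const EXCLUDE = ['@yardinternet/*']; // internal packages are exempt

// Assumption: a pattern ending in "/*" matches every package in that scope.
function isExcluded(name, patterns = EXCLUDE) {
  return patterns.some((p) =>
    p.endsWith('/*') ? name.startsWith(p.slice(0, -1)) : p === name
  );
}

// `time` has the shape of the "time" map in npm registry metadata:
// version -> ISO publish timestamp, plus "created" and "modified" keys.
function classify(name, time, now, minAge = MIN_AGE_MINUTES) {
  const allowed = [];
  const held = [];
  const releases = Object.entries(time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .sort((a, b) => Date.parse(b[1]) - Date.parse(a[1])); // newest first
  for (const [version, published] of releases) {
    const ageMin = (now.getTime() - Date.parse(published)) / 60000;
    (isExcluded(name) || ageMin >= minAge ? allowed : held).push(version);
  }
  return { allowed, held };
}

// Constructed sample data: "today" and two hypothetical packages.
const NOW = new Date('2026-06-18T12:00:00Z');
const thirdParty = {
  created: '2026-01-05T09:00:00Z',
  modified: '2026-06-16T08:00:00Z',
  '1.4.0': '2026-05-01T10:00:00Z',
  '1.4.1': '2026-06-10T12:00:00Z', // 8 days old: allowed
  '1.4.2': '2026-06-16T08:00:00Z', // about 2 days old: held
};
const internal = {
  '2.0.0': '2026-06-01T10:00:00Z',
  '2.0.1': '2026-06-18T11:00:00Z', // 1 hour old, but excluded from the hold
};

console.log(classify('example-lib', thirdParty, NOW));
console.log(classify('@yardinternet/toolkit', internal, NOW));
```

The exclusion is the part worth reviewing: any package matching it is installed the moment it is published, so the pattern should cover only scopes the organisation controls.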