From a8dc95d8b12024be0fa14001d1a991db5fc691a1 Mon Sep 17 00:00:00 2001
From: Sheraff
Date: Sun, 17 May 2026 15:58:15 +0200
Subject: [PATCH] security: stricter pnpm config blockExoticSubdeps & trustPolicy
---
 .github/workflows/pr.yml | 13 -------------
 pnpm-workspace.yaml | 2 ++
 2 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index ca506976..34d6046a 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -29,19 +29,6 @@ jobs:
 run: pnpm build
 - name: Test Unit
 run: pnpm test:unit
- provenance:
- name: Provenance
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
- persist-credentials: false
- - name: Check Provenance
- uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
- with:
- fail-on-downgrade: true
 test-e2e:
 name: Test (E2E Blocking)
 runs-on: ubuntu-latest
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 1b0d14df..e1818587 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,6 +1,8 @@
 cleanupUnusedCatalogs: true
 linkWorkspacePackages: true
 preferWorkspacePackages: true
+blockExoticSubdeps: true
+trustPolicy: 'no-downgrade'
 packages:
 - 'cli-aliases/*'
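Review bot: The two keys added to pnpm-workspace.yaml (`blockExoticSubdeps`, `trustPolicy`) carry no comment, and the same commit deletes the CI `provenance` job from pr.yml, so the supply-chain check now rests entirely on pnpm enforcing them at install time. A pnpm release that predates these settings would presumably skip the keys without failing, and the pinned pnpm version is not visible in this diff, so it is worth confirming that `packageManager` or the CI setup step pins a release that supports both. I would add above them `# Supply-chain hardening (replaces the CI provenance job): refuse transitive deps from git/tarball sources; fail install when a package's trust evidence is weaker than in an earlier release.` If a legitimate release later trips the policy, a narrowly scoped `trustPolicyExclude` entry is safer than relaxing `trustPolicy` for the whole workspace.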