# Supply-chain hardening.
minimumReleaseAge: 1440
# rolldown (vite 8's bundler) exact-pins these to its rc version, so the
# cooldown has no mature alternative to fall back to and the install dies.
# Scoped to the binaries/runtime only -- @rolldown/pluginutils etc. stay
# under the cooldown.
minimumReleaseAgeExclude:
  - "@rolldown/binding-*"
  - "@emnapi/core"
  - "@emnapi/runtime"
  # Astro 7.0.0 and the whole @astrojs/* family (adapters, markdown-satteri,
  # internal helpers, etc.) were published together on 2026-06-22 and are all
  # still inside the 24h cooldown. Exclude them so the upgrade install doesn't
  # stall. TEMPORARY: remove this scope exclusion once the cooldown has elapsed.
  - astro
  - "@astrojs/*"
trustPolicy: no-downgrade
strictDepBuilds: true
dangerouslyAllowAllBuilds: false
blockExoticSubdeps: true
verifyStoreIntegrity: true
strictStorePkgContentCheck: true
verifyDepsBeforeRun: error
allowBuilds:
  "@parcel/watcher": true
  sharp: true
  core-js-pure: false
  better-sqlite3: true
  esbuild: true
  workerd: true
  # Transitive @flue/runtime deps. The reviewer ran end-to-end with these
  # build scripts ignored, so none are needed at runtime.
  "@google/genai": false
  "@mongodb-js/zstd": false
  node-liblzma: false
  protobufjs: false
# Reviewed benign trust downgrades (publish-method changes, not takeovers).
trustPolicyExclude:
  - "vite@6.4.1" # trusted-publisher -> provenance (vitejs CI change)
  - "chokidar@4.0.3" # provenance -> none (Astro-pinned; pnpm's documented case)
  - "semver@6.3.1" # provenance -> none (old pinned util via @babel/core)
  - "@portabletext/toolkit@3.0.3" # provenance -> none (old pinned release)
  - "reselect@5.1.1" # provenance -> none (old pinned util)

overrides:
  # 1.3.0 is deprecated (CWE-502); pin the patched line.
  "@ungap/structured-clone": "^1.3.1"

enablePrePostScripts: true

packages:
  - packages/*
  - packages/plugins/*
  - apps/*
  - demos/*
  - templates/*
  - packages/blocks/playground
  - e2e/fixture
  - e2e/fixture-cloudflare
  - fixtures/*
  - docs
  - i18n
  - infra/*
catalog:
  "@arethetypeswrong/cli": ^0.18.2
  "@astrojs/check": ^0.9.7
  "@astrojs/cloudflare": ^14.0.0
  "@astrojs/node": ^11.0.0
  "@astrojs/react": ^6.0.0
  "@atcute/atproto": ^4.0.2
  "@atcute/car": ^6.0.0
  "@atcute/cbor": ^2.3.3
  "@atcute/cid": ^2.4.1
  "@atcute/client": ^5.0.0
  "@atcute/crypto": ^2.4.1
  "@atcute/firehose": ^1.0.0
  "@atcute/identity": ^2.0.0
  "@atcute/identity-resolver": ^2.0.0
  "@atcute/jetstream": ^2.0.0
  "@atcute/lex-cli": ^2.8.1
  "@atcute/lexicons": ^2.0.0
  "@atcute/mst": ^1.0.1
  "@atcute/multibase": ^1.2.0
  "@atcute/oauth-node-client": ^2.0.0
  "@atcute/repo": ^1.0.0
  "@atcute/xrpc-server": ^2.0.0
  "@atcute/xrpc-server-cloudflare": ^2.0.0
  "@atproto/crypto": ^0.4.5
  "@atproto/repo": ^0.9.1
  # Pinned exactly (no range). The admin package ships a prebuilt styles.css
  # generated by scanning Kumo's dist at build time. A floating range lets a
  # consumer resolve a Kumo whose component classes are absent from that
  # prebuilt CSS, rendering controls invisible. Keep build-time and runtime
  # Kumo identical: bump this version deliberately and rebuild admin.
  "@cloudflare/kumo": 2.6.0
  "@cloudflare/vite-plugin": ^1.36.3
  "@cloudflare/vitest-pool-workers": ^0.16.3
  "@cloudflare/workers-types": ^4.20260305.1
  "@iconify-json/ph": ^1.2.2
  "@lingui/babel-plugin-lingui-macro": ^5.9.4
  "@lingui/cli": ^5.9.4
  "@lingui/conf": ^5.9.4
  "@lingui/core": ^5.9.4
  "@lingui/macro": ^5.9.4
  "@lingui/react": ^5.9.4
  "@oslojs/crypto": ^1.0.1
  "@oslojs/encoding": ^1.1.0
  "@oslojs/webauthn": ^1.0.0
  "@phosphor-icons/react": ^2.1.10
  "@tanstack/react-query": 5.90.21
  "@tanstack/react-router": 1.163.2
  "@tiptap/core": ^3.20.0
  "@tiptap/extension-character-count": ^3.20.0
  "@tiptap/extension-code-block": ^3.20.0
  "@tiptap/extension-collaboration": ^3.20.0
  "@tiptap/extension-drag-handle": ^3.20.0
  "@tiptap/extension-drag-handle-react": ^3.20.0
  "@tiptap/extension-dropcursor": ^3.20.0
  "@tiptap/extension-focus": ^3.20.0
  "@tiptap/extension-image": ^3.20.0
  "@tiptap/extension-link": ^3.20.0
  "@tiptap/extension-node-range": ^3.20.0
  "@tiptap/extension-placeholder": ^3.20.0
  "@tiptap/extension-table": ^3.20.0
  "@tiptap/extension-table-cell": ^3.20.0
  "@tiptap/extension-table-header": ^3.20.0
  "@tiptap/extension-table-row": ^3.20.0
  "@tiptap/extension-text-align": ^3.20.0
  "@tiptap/extension-typography": ^3.20.0
  "@tiptap/extension-underline": ^3.20.0
  "@tiptap/pm": ^3.20.0
  "@tiptap/react": ^3.20.0
  "@tiptap/starter-kit": ^3.20.0
  "@tiptap/suggestion": ^3.20.0
  "@tiptap/y-tiptap": ^3.0.5
  "@types/node": 24.10.13
  "@types/better-sqlite3": ^7.6.12
  "@types/react": 19.2.14
  "@types/react-dom": 19.2.3
  "@types/semver": ^7.5.8
  astro: ^7.0.0
  astro-iconset: ^0.0.4
  better-sqlite3: ^12.8.0
  chokidar: ^5.0.0
  image-size: ^2.0.2
  jsonc-parser: ^3.3.1
  kysely: ^0.29.0
  publint: 0.3.17
  react: 19.2.4
  react-dom: 19.2.4
  semver: ^7.6.3
  tsdown: 0.20.3
  typescript: ^6.0.3
  vite: ^8.0.11
  vitest: ^4.1.5
  wrangler: ^4.99.0
  "y-protocols": ^1.0.7
  yjs: ^13.6.0
  zod: ^4.4.1
