chore: replace .npmrc with pnpm-workspace.yaml

2026-03-02 16:28:06 -08:00
4 changed files with 29 additions and 40 deletions
--- a/.npmrc
+++ b/.npmrc
@@ -1,25 +0,0 @@
-# Package Manager Configuration
-# Force pnpm usage - breaks npm/yarn intentionally
-node-linker=pnpm
-
-# Security: Disable all lifecycle scripts
-ignore-scripts=true
-enable-pre-post-scripts=false
-
-# Security: Require packages to be 10+ days old before installation
-minimum-release-age=14400
-
-# Security: Verify package integrity hashes
-verify-store-integrity=true
-
-# Security: Enforce strict trust policies
-trust-policy=strict
-
-# Security: Strict peer dependency resolution
-strict-peer-dependencies=true
-
-# Performance: Use symlinks for node_modules
-symlink=true
-
-# Lockfile: Ensure lockfile is not modified during install
-frozen-lockfile=false
--- a/package.json
+++ b/package.json
@@ -24,7 +24,7 @@
  },
  "dependencies": {
    "@nhcarrigan/logger": "1.0.0",
-    "@prisma/client": "7.3.0",
+    "@prisma/client": "6.13.0",
    "discord.js": "14.21.0",
    "fastify": "5.5.0"
  }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -12,8 +12,8 @@ importers:
        specifier: 1.0.0
        version: 1.0.0
      '@prisma/client':
-        specifier: 7.3.0
-        version: 7.3.0(prisma@6.13.0(typescript@5.9.2))(typescript@5.9.2)
+        specifier: 6.13.0
+        version: 6.13.0(prisma@6.13.0(typescript@5.9.2))(typescript@5.9.2)
      discord.js:
        specifier: 14.21.0
        version: 14.21.0
@@ -375,15 +375,12 @@ packages:
    resolution: {integrity: sha512-fdDH1LSGfZdTH2sxdpVMw31BanV28K/Gry0cVFxaNP77neJSkd82mM8ErPNYs9e+0O7SdHBLTDzDgwUuy18RnQ==}
    engines: {node: ^12.20.0 || ^14.18.0 || >=16.0.0}

-  '@prisma/client-runtime-utils@7.3.0':
-    resolution: {integrity: sha512-dG/ceD9c+tnXATPk8G+USxxYM9E6UdMTnQeQ+1SZUDxTz7SgQcfxEqafqIQHcjdlcNK/pvmmLfSwAs3s2gYwUw==}
-
-  '@prisma/client@7.3.0':
-    resolution: {integrity: sha512-FXBIxirqQfdC6b6HnNgxGmU7ydCPEPk7maHMOduJJfnTP+MuOGa15X4omjR/zpPUUpm8ef/mEFQjJudOGkXFcQ==}
-    engines: {node: ^20.19 || ^22.12 || >=24.0}
+  '@prisma/client@6.13.0':
+    resolution: {integrity: sha512-8m2+I3dQovkV8CkDMluiwEV1TxV9EXdT6xaCz39O6jYw7mkf5gwfmi+cL4LJsEPwz5tG7sreBwkRpEMJedGYUQ==}
+    engines: {node: '>=18.18'}
    peerDependencies:
      prisma: '*'
-      typescript: '>=5.4.0'
+      typescript: '>=5.1.0'
    peerDependenciesMeta:
      prisma:
        optional: true
@@ -2667,11 +2664,7 @@ snapshots:

  '@pkgr/core@0.1.2': {}

-  '@prisma/client-runtime-utils@7.3.0': {}
-
-  '@prisma/client@7.3.0(prisma@6.13.0(typescript@5.9.2))(typescript@5.9.2)':
-    dependencies:
-      '@prisma/client-runtime-utils': 7.3.0
+  '@prisma/client@6.13.0(prisma@6.13.0(typescript@5.9.2))(typescript@5.9.2)':
    optionalDependencies:
      prisma: 6.13.0(typescript@5.9.2)
      typescript: 5.9.2
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,21 @@
+# Security
+
+# Do not execute any scripts of installed packages (project scripts still run)
+ignoreDepScripts: true
+# Do not automatically run pre/post scripts (e.g. preinstall, postbuild)
+enablePrePostScripts: false
+# Only allow packages published at least 10 days ago (reduces risk of compromised packages)
+minimumReleaseAge: 14400
+# Fail if a package's trust level has decreased compared to previous releases
+trustPolicy: no-downgrade
+# Ignore trust policy for packages published more than 1 year ago (predates provenance signing)
+trustPolicyIgnoreAfter: 525960
+# Fail if there are missing or invalid peer dependencies
+strictPeerDependencies: true
+# Prevent transitive dependencies from using exotic sources (git repos, direct tarball URLs)
+blockExoticSubdeps: true
+
+# Lockfile
+
+# Allow the lockfile to be updated during install (set to true in CI for stricter reproducibility)
+preferFrozenLockfile: false