RFC: pnpm config dependency

.changeset/dry-lines-jam.md

@@ -0,0 +1,20 @@
+---
+'skuba': major
+---
+
+lint: Enable [`allowBuilds`](https://pnpm.io/settings#allowbuilds), [`trustPolicy`](https://pnpm.io/settings#trustpolicy) and [`ignorePatchFailures`](https://pnpm.io/cli/patch#ignorepatchfailures) in `pnpm-plugin-skuba`
+
+In light of recent security vulnerabilities plaguing the JavaScript ecosystem, we are enabling some additional pnpm features to help mitigate the risk of supply chain attacks.
+
+We have allowlisted a set of known packages as our default but you may need to update your `pnpm-workspace.yaml` configuration to add any additional packages you use that are not included in the default allowlist.
+
+Example:
+
+```yaml
+allowBuilds:
+  some-package: true
+  some-other-package@1.0.0: true
+
+trustPolicyExclude:
+  - some-package@1.2.3
+```

.changeset/lovely-snails-live.md

@@ -0,0 +1,19 @@
+---
+'skuba': major
+---
+
+lint: Migrate `pnpm-workspace.yaml` skuba configuration to `pnpm-plugin-skuba`
+
+This change replaces the managed skuba section in `pnpm-workspace.yaml` with a pnpm configuration plugin.
+
+The migration includes removing the `minimumReleaseAgeExcludeOverload` settings from `package.json` and migrating them to `pnpm-workspace.yaml`
+
+This simplifies the managed configuration `skuba` provides, allowing you to override and extend previously un-configurable settings such as `minimumReleaseAge` from your `pnpm-workspace.yaml` file.
+
+Example:
+
+```yaml
+minimumReleaseAge: 1440 # 1 day
+minimumReleaseAgeExclude:
+  - some-package
+```

.changeset/smart-lamps-deny.md

@@ -12,7 +12,7 @@ This patch will attempt to do a best effort migration of your `skuba build-packa
 4. Updating your package `package.json` files to point to the new build outputs
 5. Removing redundant `tsconfig.build.json` files
 
-## File changes
+#### File changes
 
 The output between what `skuba build-package` generates before and after this change will be different, so you may need to update any references to the output files in your project.
 
@@ -36,7 +36,7 @@ If needed, export those references from your package entry point to help consume
 
 Note: if you choose to remove the `unbundle: true` option from `tsdown.config.mts`, tsdown may emit bundled/chunked outputs and internal `lib/...` file paths can change between builds. Consumers should avoid importing from build output files directly, and instead import from the package entry point (or explicitly exported sub paths)
 
-## Format changes
+#### Format changes
 
 `tsdown` selects what ECMAScript target version to build for based on the `engines.node` field in your `package.json`.
 
@@ -59,7 +59,7 @@ This release changes published build output paths. If you were previously import
 ```
 ````
 
-## Debugging
+#### Debugging
 
 If your project utilises a `main` field which points to a `.ts` file within a monorepo setup, eg.
 

.changeset/twelve-chairs-cheer.md

@@ -0,0 +1,5 @@
+---
+'pnpm-plugin-skuba': major
+---
+
+Release stable version

.github/renovate.json5

@@ -114,7 +114,7 @@
   customManagers: [
     {
       customType: 'regex',
-      managerFilePatterns: ['/pnpm.md$/'],
+      fileMatch: ['pnpm.md$', '(^|/)_package\\.json$'],
       matchStrings: [
         '"packageManager": "(?<depName>.*?)@(?<currentValue>.*?)",',
       ],

.pnpmfile.cjs

@@ -0,0 +1 @@
+packages/pnpm-plugin-skuba/pnpmfile.cjs

package.json

@@ -154,6 +154,7 @@
     "jsonfile": "6.2.0",
     "koa": "3.1.2",
     "memfs": "4.56.10",
+    "pnpm-plugin-skuba": "workspace:*",
     "remark-cli": "12.0.1",
     "remark-preset-lint-recommended": "7.0.1",
     "semver": "7.7.4",

packages/pnpm-plugin-skuba/README.md

@@ -0,0 +1,8 @@
+# pnpm-plugin-skuba
+
+[![npm package](https://img.shields.io/npm/v/pnpm-plugin-skuba?labelColor=cb0000&color=5b5b5b)](https://www.npmjs.com/package/pnpm-plugin-skuba)
+[![Node.js version](https://img.shields.io/node/v/pnpm-plugin-skuba?labelColor=5fa04e&color=5b5b5b)](https://www.npmjs.com/package/pnpm-plugin-skuba)
+
+Shareable pnpm config for **[skuba]**.
+
+[skuba]: https://github.com/seek-oss/skuba

packages/pnpm-plugin-skuba/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "pnpm-plugin-skuba",
+  "version": "1.0.0",
+  "private": false,
+  "description": "Pnpm plugin for skuba",
+  "homepage": "https://github.com/seek-oss/skuba/tree/main/packages/pnpm-plugin-skuba#readme",
+  "bugs": {
+    "url": "https://github.com/seek-oss/skuba/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/seek-oss/skuba.git",
+    "directory": "packages/pnpm-plugin-skuba"
+  },
+  "license": "MIT",
+  "sideEffects": false,
+  "main": "pnpmfile.cjs",
+  "files": [
+    "pnpmfile.cjs"
+  ],
+  "devDependencies": {
+    "@pnpm/config": "^1004.9.0"
+  },
+  "engines": {
+    "node": ">=22.14.0"
+  },
+  "skuba": {
+    "entryPoint": "pnpmfile.cjs",
+    "template": "oss-npm-package",
+    "type": "package",
+    "version": "14.1.2"
+  }
+}

packages/pnpm-plugin-skuba/pnpmfile.cjs

@@ -0,0 +1,71 @@
+// @ts-check
+const MINIMUM_RELEASE_AGE_EXCLUDE = [
+  '@seek/*',
+  '@skuba-lib/*',
+  'eslint-config-seek',
+  'eslint-config-skuba',
+  'eslint-plugin-skuba',
+  'skuba',
+  'skuba-dive',
+  'tsconfig-seek',
+];
+
+const ALLOWED_BUILDS = {
+  '@ast-grep/lang-json': true,
+  '@datadog/native-appsec': true,
+  '@datadog/native-iast-taint-tracking': true,
+  '@datadog/native-metrics': true,
+  '@datadog/pprof': true,
+  'dd-trace': true,
+  esbuild: true,
+  protobufjs: true,
+  'unix-dgram': true,
+  'unrs-resolver': true,
+};
+
+const PUBLIC_HOIST_PATTERN = [
+  '@arethetypeswrong/core',
+  '@eslint/*',
+  '@types*',
+  'eslint',
+  'eslint-config-skuba',
+  'esbuild',
+  'jest',
+  'prettier',
+  'publint',
+  'tsconfig-seek',
+  'tsdown',
+  'typescript',
+];
+
+const TRUST_POLICY_EXCLUDE = ['semver@5.7.2 || 6.3.1'];
+
+module.exports = {
+  hooks: {
+    /** @param {import("@pnpm/config").Config} config */
+    updateConfig(config) {
+      if (typeof config.publicHoistPattern === 'string') {
+        config.publicHoistPattern = [config.publicHoistPattern];
+      }
+      config.minimumReleaseAgeExclude ??= [];
+      config.minimumReleaseAgeExclude.push(...MINIMUM_RELEASE_AGE_EXCLUDE);
+
+      config.allowBuilds ??= {};
+      Object.assign(config.allowBuilds, ALLOWED_BUILDS);
+
+      config.publicHoistPattern ??= [];
+      config.publicHoistPattern.push(...PUBLIC_HOIST_PATTERN);
+
+      config.trustPolicyExclude ??= [];
+      config.trustPolicyExclude.push(...TRUST_POLICY_EXCLUDE);
+
+      config.ignorePatchFailures ??= false;
+      config.minimumReleaseAge ??= 4320;
+      config.packageManagerStrictVersion ??= true;
+      config.strictDepBuilds ??= true;
+      config.trustPolicy ??= 'no-downgrade';
+
+      return config;
+    },
+  },
+};