ci(nodejs): switch from npm to pnpm 11 (#3373)

## Summary

Switch the nodejs bindings and examples package from npm to pnpm 11 to
pick up its stronger supply-chain defaults:

- `minimumReleaseAge` defaults to 1 day, so newly-published (potentially
compromised) versions aren't resolved into installs for at least 24h.
- Install lifecycle scripts (`preinstall`/`install`/`postinstall`) are
no longer run for arbitrary transitive deps; only an explicit allowlist
may run them, and unapproved scripts cause install to fail
(`strictDepBuilds: true`).
- Audit uses GHSA IDs and `--fix=update` to add patched versions to
`minimumReleaseAgeExclude`.

This is the same class of protection that would have blunted the recent
TanStack/`@uipath`/etc. compromise discussed in the [Aikido
write-up](https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised).

## Changes

- Replace `nodejs/package-lock.json` and
`nodejs/examples/package-lock.json` with `pnpm-lock.yaml`.
- Pin pnpm via `packageManager: pnpm@11.1.1` in both `package.json`s.
- Add `pnpm-workspace.yaml` with the four build-script packages we
actually need: `@biomejs/biome`, `onnxruntime-node`, `protobufjs`,
`sharp`. Everything else is blocked from running install scripts.
- Update package.json scripts (`npm run X` → `pnpm X`).
- Update workflows: `.github/workflows/nodejs.yml`,
`.github/workflows/npm-publish.yml`, and
`.github/workflows/codex-fix-ci.yml` — install pnpm via
`pnpm/action-setup@v4` and switch `setup-node` caches to
`pnpm-lock.yaml`.
- Refresh `nodejs/AGENTS.md`, `nodejs/CLAUDE.md`, and
`nodejs/CONTRIBUTING.md`.

`docs/package-lock.json` is **not** touched — out of scope for this PR.

## Test plan

- [ ] `Lint` job (lint Rust/TS + examples lint) passes on CI.
- [ ] `Linux (NodeJS 18/20)` build+test passes, including the examples
test step.
- [ ] `macos` build+test passes.
- [ ] `NPM Publish` workflow's PR dry-run completes (build matrix + test
matrix + dry `npm publish`).
- [ ] No new install-script approvals are required at install time.

## Follow-ups

- `update_package_lock_run_nodejs.yml` references a composite action
path that doesn't exist
(`./.github/workflows/update_package_lock_nodejs`); it was already
broken pre-PR. We may want to either delete this workflow or rewrite it
for pnpm in a follow-up.
- Consider migrating `docs/` to pnpm in a separate PR.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/codex-fix-ci.yml

@@ -45,7 +45,9 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          # pnpm 11 (used by the nodejs install step below) requires
+          # Node >= 22.13; use 24 since 22 hits EOL in October.
+          node-version: 24
 
       - name: Install Codex CLI
         run: npm install -g @openai/codex
@@ -79,10 +81,14 @@ jobs:
           java-version: '11'
           cache: maven
 
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11.1.1
       - name: Install Node.js dependencies for TypeScript bindings
         run: |
           cd nodejs
-          npm ci
+          pnpm install --frozen-lockfile
 
       - name: Configure git user
         run: |
@@ -137,7 +143,7 @@ jobs:
                - For Rust test failures: Run the specific test with "cargo test -p <crate> <test_name>"
                - For Python test failures: Build with "cd python && maturin develop" then run "pytest <specific_test_file>::<test_name>"
                - For Java test failures: Run "cd java && mvn test -Dtest=<TestClass>#<testMethod>"
-               - For TypeScript test failures: Run "cd nodejs && npm run build && npm test -- --testNamePattern='<test_name>'"
+               - For TypeScript test failures: Run "cd nodejs && pnpm build && pnpm test -- --testNamePattern='<test_name>'"
                - Do NOT run the full test suite - only run the tests that were failing
 
           7. If the additional guidelines are provided, follow them as well.

.github/workflows/nodejs.yml

@@ -42,11 +42,17 @@ jobs:
       with:
         fetch-depth: 0
         lfs: true
+    - uses: pnpm/action-setup@v4
+      with:
+        version: 11.1.1
     - uses: actions/setup-node@v4
       with:
-        node-version: 20
-        cache: 'npm'
-        cache-dependency-path: nodejs/package-lock.json
+        # pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
+        # in October. The library itself still supports Node >= 18
+        # (see test matrix below).
+        node-version: 24
+        cache: 'pnpm'
+        cache-dependency-path: nodejs/pnpm-lock.yaml
     - uses: actions-rust-lang/setup-rust-toolchain@v1
       with:
         components: rustfmt, clippy
@@ -61,11 +67,13 @@ jobs:
       run: cargo clippy --profile ci --all --all-features -- -D warnings
     - name: Lint Typescript
       run: |
-        npm ci
-        npm run lint-ci
+        pnpm install --frozen-lockfile
+        pnpm lint-ci
     - name: Lint examples
       working-directory: nodejs/examples
-      run: npm ci && npm run lint-ci
+      # The `@lancedb/lancedb` dep points at file:../dist; pnpm errors if
+      # that dir is missing, so create an empty one for lint-only runs.
+      run: mkdir -p ../dist && pnpm install --frozen-lockfile && pnpm lint-ci
   linux:
     name: Linux (NodeJS ${{ matrix.node-version }})
     timeout-minutes: 30
@@ -82,14 +90,18 @@ jobs:
       with:
         fetch-depth: 0
         lfs: true
-    - uses: actions/setup-node@v4
-      name: Setup Node.js 20 for build
+    - uses: pnpm/action-setup@v4
       with:
-        # @napi-rs/cli v3 requires Node >= 20.12 (via @inquirer/prompts@8).
-        # Build always on Node 20; tests run on the matrix version below.
-        node-version: 20
-        cache: 'npm'
-        cache-dependency-path: nodejs/package-lock.json
+        version: 11.1.1
+    - uses: actions/setup-node@v4
+      name: Setup Node.js 24 for build
+      with:
+        # pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
+        # in October. Build/install runs on Node 24; tests run on the
+        # matrix version below using direct jest invocation.
+        node-version: 24
+        cache: 'pnpm'
+        cache-dependency-path: nodejs/pnpm-lock.yaml
     - uses: Swatinem/rust-cache@v2
     - name: Install dependencies
       run: |
@@ -97,45 +109,52 @@ jobs:
         sudo apt install -y protobuf-compiler libssl-dev
     - name: Build
       run: |
-        npm ci --include=optional
-        npm run build:debug -- --profile ci
+        pnpm install --frozen-lockfile
+        # No `--` separator: pnpm forwards it literally, which would
+        # make napi-rs treat `--profile ci` as a cargo passthrough arg.
+        pnpm build:debug --profile ci
+        pnpm tsc
+    - name: Setup examples
+      working-directory: nodejs/examples
+      run: pnpm install --frozen-lockfile
+    - name: Check docs
+      run: |
+        # We run this as part of the job because the binary needs to be built
+        # first to export the types of the native code.
+        set -e
+        # `pnpm docs` would invoke pnpm's built-in `docs` command, not
+        # the script — use `pnpm run docs`.
+        pnpm run docs
+        if ! git diff --exit-code -- ../ ':(exclude)Cargo.lock'; then
+          echo "Docs need to be updated"
+          echo "Run 'pnpm run docs', fix any warnings, and commit the changes."
+          exit 1
+        fi
     - uses: actions/setup-node@v4
       name: Setup Node.js ${{ matrix.node-version }} for test
       with:
         node-version: ${{ matrix.node-version }}
-    - name: Compile TypeScript
-      run: npm run tsc
     - name: Setup localstack
       working-directory: .
       run: docker compose up --detach --wait
     - name: Test
       env:
         S3_TEST: "1"
-      run: npm run test
-    - name: Setup examples
-      working-directory: nodejs/examples
-      run: npm ci
+        # Newer @smithy/core uses dynamic ESM imports.
+        NODE_OPTIONS: "--experimental-vm-modules"
+      # Invoke jest directly because pnpm 11 itself requires Node 22+
+      # while the matrix tests on older Node versions.
+      run: npx jest --verbose
     - name: Test examples
       working-directory: ./
       env:
         OPENAI_API_KEY: test
         OPENAI_BASE_URL: http://0.0.0.0:8000
+        NODE_OPTIONS: "--experimental-vm-modules"
       run: |
         python ci/mock_openai.py &
         cd nodejs/examples
-        npm test
-    - name: Check docs
-      run: |
-        # We run this as part of the job because the binary needs to be built
-        # first to export the types of the native code.
-        set -e
-        npm ci
-        npm run docs
-        if ! git diff --exit-code -- ../ ':(exclude)Cargo.lock'; then
-          echo "Docs need to be updated"
-          echo "Run 'npm run docs', fix any warnings, and commit the changes."
-          exit 1
-        fi
+        npx jest --testEnvironment jest-environment-node-single-context --verbose
   macos:
     timeout-minutes: 30
     runs-on: "macos-14"
@@ -148,20 +167,28 @@ jobs:
       with:
         fetch-depth: 0
         lfs: true
+    - uses: pnpm/action-setup@v4
+      with:
+        version: 11.1.1
     - uses: actions/setup-node@v4
       with:
-        node-version: 20
-        cache: 'npm'
-        cache-dependency-path: nodejs/package-lock.json
+        # pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
+        # in October.
+        node-version: 24
+        cache: 'pnpm'
+        cache-dependency-path: nodejs/pnpm-lock.yaml
+    - uses: dtolnay/rust-toolchain@stable
     - uses: Swatinem/rust-cache@v2
     - name: Install dependencies
       run: |
         brew install protobuf
     - name: Build
       run: |
-        npm ci --include=optional
-        npm run build:debug -- --profile ci
-        npm run tsc
+        pnpm install --frozen-lockfile
+        # No `--` separator: pnpm forwards it literally, which would
+        # make napi-rs treat `--profile ci` as a cargo passthrough arg.
+        pnpm build:debug --profile ci
+        pnpm tsc
     - name: Test
       run: |
-        npm run test
+        pnpm test

.github/workflows/npm-publish.yml

@@ -171,13 +171,18 @@ jobs:
         working-directory: nodejs
     steps:
       - uses: actions/checkout@v4
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11.1.1
       - name: Setup node
         uses: actions/setup-node@v4
-        if: ${{ !matrix.settings.docker }}
         with:
-          node-version: 20
-          cache: npm
-          cache-dependency-path: nodejs/package-lock.json
+          # pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
+          # in October.
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: nodejs/pnpm-lock.yaml
       - name: Install
         uses: dtolnay/rust-toolchain@stable
         if: ${{ !matrix.settings.docker }}
@@ -195,7 +200,7 @@ jobs:
             target/
           key: nodejs-${{ matrix.settings.target }}-cargo-${{ matrix.settings.host }}
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
       - name: Install Zig
         uses: mlugg/setup-zig@v2
         if: ${{ contains(matrix.settings.target, 'musl') }}
@@ -248,7 +253,7 @@ jobs:
       # one to do the upload.
       - name: Make generic artifacts
         if: ${{ matrix.settings.target == 'aarch64-apple-darwin' }}
-        run: npm run tsc
+        run: pnpm tsc
       - name: Upload Generic Artifacts
         if: ${{ matrix.settings.target == 'aarch64-apple-darwin' }}
         uses: actions/upload-artifact@v4
@@ -283,14 +288,24 @@ jobs:
         working-directory: nodejs
     steps:
       - uses: actions/checkout@v4
-      - name: Setup node
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11.1.1
+      - name: Setup Node.js 24 for install
+        uses: actions/setup-node@v4
+        with:
+          # pnpm 11 requires Node >= 22.13; use 24 since 22 hits EOL
+          # in October.
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: nodejs/pnpm-lock.yaml
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Setup Node.js ${{ matrix.node }} for test
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
-          cache: npm
-          cache-dependency-path: nodejs/package-lock.json
-      - name: Install dependencies
-        run: npm ci
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
@@ -311,7 +326,9 @@ jobs:
       - name: Move built files
         run: cp dist/native.d.ts dist/native.js dist/*.node lancedb/
       - name: Test bindings
-        run: npm test
+        # Invoke jest directly because pnpm 11 itself requires Node 22+
+        # while the matrix tests on older Node versions.
+        run: npx jest --verbose
   publish:
     name: Publish
     runs-on: ubuntu-latest
@@ -323,15 +340,19 @@ jobs:
       - test-lancedb
     steps:
       - uses: actions/checkout@v4
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11.1.1
       - name: Setup node
         uses: actions/setup-node@v4
         with:
           node-version: 24
-          cache: npm
-          cache-dependency-path: nodejs/package-lock.json
+          cache: pnpm
+          cache-dependency-path: nodejs/pnpm-lock.yaml
           registry-url: "https://registry.npmjs.org"
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
       - uses: actions/download-artifact@v4
         with:
           name: nodejs-dist
@@ -351,7 +372,7 @@ jobs:
       - name: Display structure of downloaded files
         run: find dist && find nodejs-artifacts
       - name: Move artifacts
-        run: npx napi artifacts -d nodejs-artifacts
+        run: pnpm exec napi artifacts -d nodejs-artifacts
       - name: List packages
         run: find npm
       - name: Publish

docs/src/js/_media/CONTRIBUTING.md

@@ -12,20 +12,22 @@ Typescript.
 * `src/`: Rust bindings source code
 * `lancedb/`: Typescript package source code
 * `__test__/`: Unit tests
-* `examples/`: An npm package with the examples shown in the documentation
+* `examples/`: A pnpm package with the examples shown in the documentation
 
 ## Development environment
 
 To set up your development environment, you will need to install the following:
 
-1. Node.js 14 or later
-2. Rust's package manager, Cargo. Use [rustup](https://rustup.rs/) to install.
-3. [protoc](https://grpc.io/docs/protoc-installation/) (Protocol Buffers compiler)
+1. Node.js 22 or later (required by pnpm 11)
+2. [pnpm](https://pnpm.io/installation) 11 or later (or run via `corepack enable`,
+   which uses the `packageManager` field in `package.json`)
+3. Rust's package manager, Cargo. Use [rustup](https://rustup.rs/) to install.
+4. [protoc](https://grpc.io/docs/protoc-installation/) (Protocol Buffers compiler)
 
 Initial setup:
 
 ```shell
-npm install
+pnpm install
 ```
 
 ### Commit Hooks
@@ -39,38 +41,38 @@ pre-commit install
 
 ## Development
 
-Most common development commands can be run using the npm scripts.
+Most common development commands can be run using the pnpm scripts.
 
 Build the package
 
 ```shell
-npm install
-npm run build
+pnpm install
+pnpm build
 ```
 
 Lint:
 
 ```shell
-npm run lint
+pnpm lint
 ```
 
 Format and fix lints:
 
 ```shell
-npm run lint-fix
+pnpm lint-fix
 ```
 
 Run tests:
 
 ```shell
-npm test
+pnpm test
 ```
 
 To run a single test:
 
 ```shell
 # Single file: table.test.ts
-npm test -- table.test.ts
+pnpm test -- table.test.ts
 # Single test: 'merge insert' in table.test.ts
-npm test -- table.test.ts --testNamePattern=merge\ insert
+pnpm test -- table.test.ts --testNamePattern=merge\ insert
 ```

nodejs/AGENTS.md

@@ -3,11 +3,11 @@ The core Rust library is in the `../rust/lancedb` directory, the rust binding
 code is in the `src/` directory and the typescript bindings are in
 the `lancedb/` directory.
 
-Whenever you change the Rust code, you will need to recompile: `npm run build`.
+Whenever you change the Rust code, you will need to recompile: `pnpm build`.
 
 Common commands:
-* Build: `npm run build`
-* Lint: `npm run lint`
-* Fix lints: `npm run lint-fix`
-* Test: `npm test`
-* Run single test file: `npm test __test__/arrow.test.ts`
+* Build: `pnpm build`
+* Lint: `pnpm lint`
+* Fix lints: `pnpm lint-fix`
+* Test: `pnpm test`
+* Run single test file: `pnpm test __test__/arrow.test.ts`

nodejs/CONTRIBUTING.md

@@ -12,20 +12,22 @@ Typescript.
 * `src/`: Rust bindings source code
 * `lancedb/`: Typescript package source code
 * `__test__/`: Unit tests
-* `examples/`: An npm package with the examples shown in the documentation
+* `examples/`: A pnpm package with the examples shown in the documentation
 
 ## Development environment
 
 To set up your development environment, you will need to install the following:
 
-1. Node.js 14 or later
-2. Rust's package manager, Cargo. Use [rustup](https://rustup.rs/) to install.
-3. [protoc](https://grpc.io/docs/protoc-installation/) (Protocol Buffers compiler)
+1. Node.js 22 or later (required by pnpm 11)
+2. [pnpm](https://pnpm.io/installation) 11 or later (or run via `corepack enable`,
+   which uses the `packageManager` field in `package.json`)
+3. Rust's package manager, Cargo. Use [rustup](https://rustup.rs/) to install.
+4. [protoc](https://grpc.io/docs/protoc-installation/) (Protocol Buffers compiler)
 
 Initial setup:
 
 ```shell
-npm install
+pnpm install
 ```
 
 ### Commit Hooks
@@ -39,38 +41,38 @@ pre-commit install
 
 ## Development
 
-Most common development commands can be run using the npm scripts.
+Most common development commands can be run using the pnpm scripts.
 
 Build the package
 
 ```shell
-npm install
-npm run build
+pnpm install
+pnpm build
 ```
 
 Lint:
 
 ```shell
-npm run lint
+pnpm lint
 ```
 
 Format and fix lints:
 
 ```shell
-npm run lint-fix
+pnpm lint-fix
 ```
 
 Run tests:
 
 ```shell
-npm test
+pnpm test
 ```
 
 To run a single test:
 
 ```shell
 # Single file: table.test.ts
-npm test -- table.test.ts
+pnpm test -- table.test.ts
 # Single test: 'merge insert' in table.test.ts
-npm test -- table.test.ts --testNamePattern=merge\ insert
+pnpm test -- table.test.ts --testNamePattern=merge\ insert
 ```

nodejs/examples/package.json

@@ -11,16 +11,17 @@
     "test": "node --experimental-vm-modules node_modules/.bin/jest --testEnvironment jest-environment-node-single-context --verbose",
     "lint": "biome check *.ts && biome format *.ts",
     "lint-ci": "biome ci .",
-    "lint-fix": "biome check --write *.ts && npm run format",
+    "lint-fix": "biome check --write *.ts && pnpm format",
     "format": "biome format --write *.ts"
   },
   "author": "Lance Devs",
   "license": "Apache-2.0",
+  "packageManager": "pnpm@11.1.1",
   "dependencies": {
-    "@huggingface/transformers": "^3.0.2",
+    "@huggingface/transformers": "3.0.2",
     "@lancedb/lancedb": "file:../dist",
-    "openai": "^4.29.2",
-    "sharp": "^0.33.5"
+    "openai": "4.29.2",
+    "sharp": "0.33.5"
   },
   "devDependencies": {
     "@biomejs/biome": "^1.7.3",

nodejs/examples/pnpm-workspace.yaml

@@ -0,0 +1,13 @@
+# Block resolution of versions less than 24h old (Shai-Hulud window).
+# This is the pnpm 11 default but pinned here so it's visible to
+# reviewers and survives a future pnpm major flipping the default.
+minimumReleaseAge: 1440
+
+# Fail install if a transitive dep tries to run an unapproved script.
+strictDepBuilds: true
+
+allowBuilds:
+  '@biomejs/biome': true
+  onnxruntime-node: true
+  protobufjs: true
+  sharp: true

nodejs/package.json

@@ -38,15 +38,15 @@
     "url": "https://github.com/lancedb/lancedb"
   },
   "devDependencies": {
-    "@aws-sdk/client-dynamodb": "^3.33.0",
-    "@aws-sdk/client-kms": "^3.33.0",
-    "@aws-sdk/client-s3": "^3.33.0",
+    "@aws-sdk/client-dynamodb": "3.1003.0",
+    "@aws-sdk/client-kms": "3.1003.0",
+    "@aws-sdk/client-s3": "3.1003.0",
     "@biomejs/biome": "^1.7.3",
     "@jest/globals": "^29.7.0",
-    "@napi-rs/cli": "^3.5.1",
+    "@napi-rs/cli": "3.5.1",
     "@types/axios": "^0.14.0",
     "@types/jest": "^29.1.2",
-    "@types/node": "^22.7.4",
+    "@types/node": "22.7.4",
     "@types/tmp": "^0.2.6",
     "apache-arrow-15": "npm:apache-arrow@15.0.0",
     "apache-arrow-16": "npm:apache-arrow@16.0.0",
@@ -57,9 +57,9 @@
     "shx": "^0.3.4",
     "tmp": "^0.2.3",
     "ts-jest": "^29.1.2",
-    "typedoc": "^0.26.4",
-    "typedoc-plugin-markdown": "^4.2.1",
-    "typescript": "^5.5.4",
+    "typedoc": "0.26.4",
+    "typedoc-plugin-markdown": "4.2.1",
+    "typescript": "5.5.4",
     "typescript-eslint": "^7.1.0"
   },
   "ava": {
@@ -68,15 +68,16 @@
   "engines": {
     "node": ">= 18"
   },
+  "packageManager": "pnpm@11.1.1",
   "cpu": ["x64", "arm64"],
   "os": ["darwin", "linux", "win32"],
   "scripts": {
     "artifacts": "napi artifacts",
     "build:debug": "napi build --platform --dts ../lancedb/native.d.ts --js ../lancedb/native.js --output-dir lancedb",
-    "postbuild:debug": "shx mkdir -p dist && shx cp lancedb/*.node dist/",
+    "postbuild:debug": "shx mkdir -p dist && shx cp lancedb/*.node dist/ && node -e \"require('fs').writeFileSync('dist/package.json', JSON.stringify({name:'@lancedb/lancedb',type:'commonjs'}))\"",
     "build:release": "napi build --platform --release --dts ../lancedb/native.d.ts --js ../lancedb/native.js --output-dir dist",
-    "build": "npm run build:debug && npm run tsc",
-    "build-release": "npm run build:release && npm run tsc",
+    "build": "pnpm build:debug && pnpm tsc",
+    "build-release": "pnpm build:release && pnpm tsc",
     "tsc": "tsc -b",
     "posttsc": "shx cp lancedb/native.d.ts dist/native.d.ts",
     "lint-ci": "biome ci .",
@@ -86,7 +87,7 @@
     "lint-fix": "biome check --write . && biome format --write .",
     "prepublishOnly": "napi prepublish -t npm",
     "test": "jest --verbose",
-    "integration": "S3_TEST=1 npm run test",
+    "integration": "S3_TEST=1 pnpm test",
     "universal": "napi universalize",
     "version": "napi version"
   },
@@ -94,8 +95,8 @@
     "reflect-metadata": "^0.2.2"
   },
   "optionalDependencies": {
-    "@huggingface/transformers": "^3.0.2",
-    "openai": "^4.29.2"
+    "@huggingface/transformers": "3.0.2",
+    "openai": "4.29.2"
   },
   "peerDependencies": {
     "apache-arrow": ">=15.0.0 <=18.1.0"

nodejs/pnpm-workspace.yaml

@@ -0,0 +1,18 @@
+# Flat node_modules layout. The @napi-rs/cli build step fails to locate
+# the cdylib artifact under pnpm's isolated layout; the hoisted linker
+# mirrors npm's structure and unblocks the native build.
+nodeLinker: hoisted
+
+# Block resolution of versions less than 24h old (Shai-Hulud window).
+# This is the pnpm 11 default but pinned here so it's visible to
+# reviewers and survives a future pnpm major flipping the default.
+minimumReleaseAge: 1440
+
+# Fail install if a transitive dep tries to run an unapproved script.
+strictDepBuilds: true
+
+allowBuilds:
+  '@biomejs/biome': true
+  onnxruntime-node: true
+  protobufjs: true
+  sharp: true