File size: 6,560 Bytes
5ef6e9d | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 | # ============================================================================
# SECURITY: Minimum release age for npm packages (supply-chain attack defense)
# ============================================================================
#
# This setting requires that any npm package version must have been published
# for at least 1 day (1440 minutes) before pnpm will allow installing it.
# This is a critical defense against supply-chain attacks. In most cases,
# malicious npm releases are discovered and pulled within hours, so a 1-day
# delay provides a strong safety buffer.
#
# DO NOT DISABLE THIS SETTING. Removing or setting it to 0 is considered
# extremely dangerous and leaves the entire workspace vulnerable to supply-
# chain attacks, which have been the #1 vector for npm ecosystem compromises.
#
# If you absolutely need to install a package before the 1-day window has
# passed (e.g. an urgent security bugfix), you can add it to the
# `minimumReleaseAgeExclude` allowlist below. Only consider doing this for
# packages released by trusted organizations with an impeccable security
# posture (e.g. Replit packsges, react from Meta, typescript from Microsoft). Even then,
# remove the exclusion once the 1-day window has passed.
#
# Example:
# minimumReleaseAgeExclude:
# - react
# - typescript
#
# ============================================================================
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
# Exclude @replit scoped packages from the minimum release age check.
# These are published by Replit and trusted — the supply-chain attack vector
# this setting guards against does not apply to our own packages.
- '@replit/*'
- stripe-replit-sync
packages:
- artifacts/*
- lib/*
- lib/integrations/*
- scripts
catalog:
'@replit/vite-plugin-cartographer': ^0.5.1
'@replit/vite-plugin-dev-banner': ^0.1.1
'@replit/vite-plugin-runtime-error-modal': ^0.0.6
'@tailwindcss/vite': ^4.1.14
'@tanstack/react-query': ^5.90.21
'@types/node': ^25.3.3
'@types/react': ^19.2.0
'@types/react-dom': ^19.2.0
'@vitejs/plugin-react': ^5.0.4
class-variance-authority: ^0.7.1
clsx: ^2.1.1
drizzle-orm: ^0.45.1
framer-motion: ^12.23.24
lucide-react: ^0.545.0
# Must be this exact version because expo requires it
react: 19.1.0
# Must be this exact version because expo requires it
react-dom: 19.1.0
tailwind-merge: ^3.3.1
tailwindcss: ^4.1.14
tsx: ^4.21.0
vite: ^7.3.0
zod: ^3.25.76
autoInstallPeers: false
onlyBuiltDependencies:
- '@swc/core'
- esbuild
- msw
- unrs-resolver
overrides:
# replit uses linux-x64 only, we can exclude all other platforms
"esbuild>@esbuild/darwin-arm64": "-"
"esbuild>@esbuild/darwin-x64": "-"
"esbuild>@esbuild/freebsd-arm64": "-"
"esbuild>@esbuild/freebsd-x64": "-"
"esbuild>@esbuild/linux-arm": "-"
"esbuild>@esbuild/linux-arm64": "-"
"esbuild>@esbuild/linux-ia32": "-"
"esbuild>@esbuild/linux-loong64": "-"
"esbuild>@esbuild/linux-mips64el": "-"
"esbuild>@esbuild/linux-ppc64": "-"
"esbuild>@esbuild/linux-riscv64": "-"
"esbuild>@esbuild/linux-s390x": "-"
"esbuild>@esbuild/netbsd-arm64": "-"
"esbuild>@esbuild/netbsd-x64": "-"
"esbuild>@esbuild/openbsd-arm64": "-"
"esbuild>@esbuild/openbsd-x64": "-"
"esbuild>@esbuild/sunos-x64": "-"
"esbuild>@esbuild/win32-arm64": "-"
"esbuild>@esbuild/win32-ia32": "-"
"esbuild>@esbuild/win32-x64": "-"
"esbuild>@esbuild/aix-ppc64": '-'
"esbuild>@esbuild/android-arm": '-'
"esbuild>@esbuild/android-arm64": '-'
"esbuild>@esbuild/android-x64": '-'
"esbuild>@esbuild/openharmony-arm64": '-'
"lightningcss>lightningcss-android-arm64": "-"
"lightningcss>lightningcss-darwin-arm64": "-"
"lightningcss>lightningcss-darwin-x64": "-"
"lightningcss>lightningcss-freebsd-x64": "-"
"lightningcss>lightningcss-linux-arm-gnueabihf": "-"
"lightningcss>lightningcss-linux-arm64-gnu": "-"
"lightningcss>lightningcss-linux-arm64-musl": "-"
"lightningcss>lightningcss-linux-x64-musl": "-"
"lightningcss>lightningcss-win32-arm64-msvc": "-"
"lightningcss>lightningcss-win32-x64-msvc": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-android-arm64": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-darwin-arm64": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-darwin-x64": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-freebsd-x64": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-linux-arm-gnueabihf": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-linux-arm64-gnu": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-linux-arm64-musl": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-win32-arm64-msvc": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-win32-x64-msvc": "-"
"@tailwindcss/oxide>@tailwindcss/oxide-linux-x64-musl": "-"
"rollup>@rollup/rollup-android-arm-eabi": "-"
"rollup>@rollup/rollup-android-arm64": "-"
"rollup>@rollup/rollup-darwin-arm64": "-"
"rollup>@rollup/rollup-darwin-x64": "-"
"rollup>@rollup/rollup-freebsd-arm64": "-"
"rollup>@rollup/rollup-freebsd-x64": "-"
"rollup>@rollup/rollup-linux-arm-gnueabihf": "-"
"rollup>@rollup/rollup-linux-arm-musleabihf": "-"
"rollup>@rollup/rollup-linux-arm64-gnu": "-"
"rollup>@rollup/rollup-linux-arm64-musl": "-"
"rollup>@rollup/rollup-linux-loong64-gnu": "-"
"rollup>@rollup/rollup-linux-loong64-musl": "-"
"rollup>@rollup/rollup-linux-ppc64-gnu": "-"
"rollup>@rollup/rollup-linux-ppc64-musl": "-"
"rollup>@rollup/rollup-linux-riscv64-gnu": "-"
"rollup>@rollup/rollup-linux-riscv64-musl": "-"
"rollup>@rollup/rollup-linux-s390x-gnu": "-"
"rollup>@rollup/rollup-linux-x64-musl": "-"
"rollup>@rollup/rollup-openbsd-x64": "-"
"rollup>@rollup/rollup-openharmony-arm64": "-"
"rollup>@rollup/rollup-win32-arm64-msvc": "-"
"rollup>@rollup/rollup-win32-ia32-msvc": "-"
"rollup>@rollup/rollup-win32-x64-gnu": "-"
"rollup>@rollup/rollup-win32-x64-msvc": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-darwin-arm64": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-darwin-x64": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-freebsd-ia32": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-freebsd-x64": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-linux-arm64": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-linux-arm": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-linux-ia32": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-sunos-x64": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-win32-ia32": "-"
"@expo/ngrok-bin>@expo/ngrok-bin-win32-x64": "-"
# drizzle-kit uses esbuild internally on an older version that's vulnerable, this overrides it
"@esbuild-kit/esm-loader": "npm:tsx@^4.21.0"
esbuild: "0.27.3" |