halfdomelabs · kingston · Jan 6, 2026 · Jan 6, 2026 · Jan 6, 2026 · Jan 6, 2026
diff --git a/.changeset/upgrade-pnpm-security-settings.md b/.changeset/upgrade-pnpm-security-settings.md
@@ -0,0 +1,5 @@
+---
+'@baseplate-dev/core-generators': patch
+---
+
+Upgrade pnpm to 10.27.0 and add `blockExoticSubdeps: true` to generated pnpm-workspace.yaml
diff --git a/examples/blog-with-auth/apps/admin/baseplate/generated/package.json b/examples/blog-with-auth/apps/admin/baseplate/generated/package.json
@@ -91,7 +91,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/blog-with-auth/apps/admin/package.json b/examples/blog-with-auth/apps/admin/package.json
@@ -92,7 +92,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/blog-with-auth/apps/backend/baseplate/generated/package.json b/examples/blog-with-auth/apps/backend/baseplate/generated/package.json
@@ -92,7 +92,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/blog-with-auth/apps/backend/package.json b/examples/blog-with-auth/apps/backend/package.json
@@ -92,7 +92,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/blog-with-auth/baseplate/generated/package.json b/examples/blog-with-auth/baseplate/generated/package.json
@@ -29,10 +29,10 @@
     "prettier-plugin-packagejson": "2.5.19",
     "turbo": "2.5.0"
   },
-  "packageManager": "pnpm@10.18.3",
+  "packageManager": "pnpm@10.27.0",
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/blog-with-auth/baseplate/generated/pnpm-workspace.yaml b/examples/blog-with-auth/baseplate/generated/pnpm-workspace.yaml
@@ -1,8 +1,9 @@
 packages:
   - apps/*
   - packages/*
+blockExoticSubdeps: true
+linkWorkspacePackages: true
+minimumReleaseAge: 1440
 publishBranch: main
 savePrefix: ''
-linkWorkspacePackages: true
 saveWorkspaceProtocol: rolling
-minimumReleaseAge: 1440
diff --git a/examples/blog-with-auth/package.json b/examples/blog-with-auth/package.json
@@ -29,10 +29,10 @@
     "prettier-plugin-packagejson": "2.5.19",
     "turbo": "2.5.0"
   },
-  "packageManager": "pnpm@10.18.3",
+  "packageManager": "pnpm@10.27.0",
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/blog-with-auth/pnpm-lock.yaml b/examples/blog-with-auth/pnpm-lock.yaml
diff --git a/examples/blog-with-auth/pnpm-workspace.yaml b/examples/blog-with-auth/pnpm-workspace.yaml
@@ -1,8 +1,9 @@
 packages:
   - apps/*
   - packages/*
+blockExoticSubdeps: true
+linkWorkspacePackages: true
+minimumReleaseAge: 1440
 publishBranch: main
 savePrefix: ''
-linkWorkspacePackages: true
 saveWorkspaceProtocol: rolling
-minimumReleaseAge: 1440
diff --git a/examples/todo-with-auth0/apps/admin/baseplate/generated/package.json b/examples/todo-with-auth0/apps/admin/baseplate/generated/package.json
@@ -95,7 +95,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/apps/admin/package.json b/examples/todo-with-auth0/apps/admin/package.json
@@ -95,7 +95,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/apps/backend/baseplate/generated/package.json b/examples/todo-with-auth0/apps/backend/baseplate/generated/package.json
@@ -104,7 +104,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/apps/backend/package.json b/examples/todo-with-auth0/apps/backend/package.json
@@ -105,7 +105,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/apps/web/baseplate/generated/package.json b/examples/todo-with-auth0/apps/web/baseplate/generated/package.json
@@ -91,7 +91,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/apps/web/package.json b/examples/todo-with-auth0/apps/web/package.json
@@ -91,7 +91,7 @@
   },
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/baseplate/generated/package.json b/examples/todo-with-auth0/baseplate/generated/package.json
@@ -29,10 +29,10 @@
     "prettier-plugin-packagejson": "2.5.19",
     "turbo": "2.5.0"
   },
-  "packageManager": "pnpm@10.18.3",
+  "packageManager": "pnpm@10.27.0",
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/baseplate/generated/pnpm-workspace.yaml b/examples/todo-with-auth0/baseplate/generated/pnpm-workspace.yaml
@@ -1,8 +1,9 @@
 packages:
   - apps/*
   - packages/*
+blockExoticSubdeps: true
+linkWorkspacePackages: true
+minimumReleaseAge: 1440
 publishBranch: main
 savePrefix: ''
-linkWorkspacePackages: true
 saveWorkspaceProtocol: rolling
-minimumReleaseAge: 1440
diff --git a/examples/todo-with-auth0/package.json b/examples/todo-with-auth0/package.json
@@ -29,10 +29,10 @@
     "prettier-plugin-packagejson": "2.5.19",
     "turbo": "2.5.0"
   },
-  "packageManager": "pnpm@10.18.3",
+  "packageManager": "pnpm@10.27.0",
   "engines": {
     "node": "^22.18.0",
-    "pnpm": "^10.18.0"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/examples/todo-with-auth0/pnpm-workspace.yaml b/examples/todo-with-auth0/pnpm-workspace.yaml
@@ -1,8 +1,9 @@
 packages:
   - apps/*
   - packages/*
+blockExoticSubdeps: true
+linkWorkspacePackages: true
+minimumReleaseAge: 1440
 publishBranch: main
 savePrefix: ''
-linkWorkspacePackages: true
 saveWorkspaceProtocol: rolling
-minimumReleaseAge: 1440
diff --git a/mise.toml b/mise.toml
@@ -2,4 +2,4 @@ min_version = "2025.8.14"
 
 [tools]
 node = "22.18.0"
-pnpm = "10.18.3"
+pnpm = "10.27.0"
diff --git a/package.json b/package.json
@@ -70,10 +70,10 @@
     "vitest": "catalog:",
     "workspace-meta": "0.1.4"
   },
-  "packageManager": "pnpm@10.18.3",
+  "packageManager": "pnpm@10.27.0",
   "engines": {
     "node": "^22.0.0",
-    "pnpm": "^10.18.3"
+    "pnpm": "^10.27.0"
   },
   "volta": {
     "node": "22.18.0"

diff --git a/packages/core-generators/src/constants/node.ts b/packages/core-generators/src/constants/node.ts
@@ -1,2 +1,2 @@
 export const NODE_VERSION = '22.18.0';
-export const PNPM_VERSION = '10.18.3';
+export const PNPM_VERSION = '10.27.0';
diff --git a/packages/core-generators/src/generators/node/pnpm-workspace/pnpm-workspace.generator.ts b/packages/core-generators/src/generators/node/pnpm-workspace/pnpm-workspace.generator.ts
@@ -29,20 +29,23 @@ export const pnpmWorkspaceGenerator = createGenerator({
           build: (builder) => {
             const yamlContent = stringify({
               packages: descriptor.packages,
-              // prevents publish from any branch other than main
-              publishBranch: 'main',
-              // saves exact versions of dependencies by default
-              savePrefix: '',
+              // blocks dependencies from resolving to exotic (non-npm) subdependencies
+              // unless explicitly allowed, preventing supply chain attacks via git/http deps
+              blockExoticSubdeps: true,
               // ensures we use locally linked packages when available
               linkWorkspacePackages: true,
-              // defaults to saving as workspace:*
-              saveWorkspaceProtocol: 'rolling',
               // security setting to delay installation of newly released dependencies
               // to reduce risk of installing compromised packages. Popular packages that are
               // successfully attacked are often discovered and removed from the registry
               // within an hour. Setting to 1440 minutes (24 hours) ensures only packages
               // released at least one day ago can be installed.
               minimumReleaseAge: 1440,
+              // prevents publish from any branch other than main
+              publishBranch: 'main',
+              // saves exact versions of dependencies by default
+              savePrefix: '',
+              // defaults to saving as workspace:*
+              saveWorkspaceProtocol: 'rolling',
             });
 
             builder.writeFile({

diff --git a/packages/project-builder-server/package.json b/packages/project-builder-server/package.json
@@ -63,7 +63,7 @@
     "@trpc/server": "^11.8.0",
     "chalk": "5.3.0",
     "change-case": "5.4.4",
-    "chokidar": "4.0.3",
+    "chokidar": "5.0.0",
     "diff": "^8.0.2",
     "es-toolkit": "1.31.0",
     "execa": "9.3.0",

diff --git a/packages/project-builder-web/package.json b/packages/project-builder-web/package.json
@@ -97,7 +97,7 @@
     "@types/node": "catalog:",
     "@types/semver": "^7.5.0",
     "@vitejs/plugin-react": "catalog:",
-    "chokidar": "4.0.3",
+    "chokidar": "5.0.0",
     "eslint": "catalog:",
     "mime": "^4.0.3",
     "prettier": "catalog:",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -31,6 +31,8 @@ ignoredBuiltDependencies:
   - ssh2
   - unrs-resolver
 
+blockExoticSubdeps: true
+
 linkWorkspacePackages: true
 
 minimumReleaseAge: 1440