7fd8598b8c
Strips the .replit/.replitignore files, replit.md (renamed to README.md), the @replit/* vite plugins from cra-app and mockup-sandbox, the @replit catalog/exclusion entries from pnpm-workspace.yaml, the linux-x64-only platform overrides (Replit-specific optimization), and inline @replit comment markers. Also regenerates pnpm-lock.yaml so the project can be installed and built on any platform. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
69 lines
2.3 KiB
YAML
69 lines
2.3 KiB
YAML
# ============================================================================
|
|
# SECURITY: Minimum release age for npm packages (supply-chain attack defense)
|
|
# ============================================================================
|
|
#
|
|
# This setting requires that any npm package version must have been published
|
|
# for at least 1 day (1440 minutes) before pnpm will allow installing it.
|
|
# This is a critical defense against supply-chain attacks. In most cases,
|
|
# malicious npm releases are discovered and pulled within hours, so a 1-day
|
|
# delay provides a strong safety buffer.
|
|
#
|
|
# DO NOT DISABLE THIS SETTING. Removing or setting it to 0 is considered
|
|
# extremely dangerous and leaves the entire workspace vulnerable to supply-
|
|
# chain attacks, which have been the #1 vector for npm ecosystem compromises.
|
|
#
|
|
# If you absolutely need to install a package before the 1-day window has
|
|
# passed (e.g. an urgent security bugfix), you can add it to the
|
|
# `minimumReleaseAgeExclude` allowlist below. Only consider doing this for
|
|
# packages released by trusted organizations with an impeccable security
|
|
# posture (e.g. Replit packsges, react from Meta, typescript from Microsoft). Even then,
|
|
# remove the exclusion once the 1-day window has passed.
|
|
#
|
|
# Example:
|
|
# minimumReleaseAgeExclude:
|
|
# - react
|
|
# - typescript
|
|
#
|
|
# ============================================================================
|
|
minimumReleaseAge: 1440
|
|
|
|
packages:
|
|
- artifacts/*
|
|
- lib/*
|
|
- lib/integrations/*
|
|
- scripts
|
|
|
|
catalog:
|
|
'@tailwindcss/vite': ^4.1.14
|
|
'@tanstack/react-query': ^5.90.21
|
|
'@types/node': ^25.3.3
|
|
'@types/react': ^19.2.0
|
|
'@types/react-dom': ^19.2.0
|
|
'@vitejs/plugin-react': ^5.0.4
|
|
class-variance-authority: ^0.7.1
|
|
clsx: ^2.1.1
|
|
drizzle-orm: ^0.45.1
|
|
framer-motion: ^12.23.24
|
|
lucide-react: ^0.545.0
|
|
# Must be this exact version because expo requires it
|
|
react: 19.1.0
|
|
# Must be this exact version because expo requires it
|
|
react-dom: 19.1.0
|
|
tailwind-merge: ^3.3.1
|
|
tailwindcss: ^4.1.14
|
|
tsx: ^4.21.0
|
|
vite: ^7.3.0
|
|
zod: ^3.25.76
|
|
|
|
autoInstallPeers: false
|
|
|
|
onlyBuiltDependencies:
|
|
- '@swc/core'
|
|
- esbuild
|
|
- msw
|
|
- unrs-resolver
|
|
|
|
overrides:
|
|
# drizzle-kit uses esbuild internally on an older version that's vulnerable, this overrides it
|
|
"@esbuild-kit/esm-loader": "npm:tsx@^4.21.0"
|
|
esbuild: "0.27.3" |