From 0f3e5d9000d3cf666b08a98a12feed523acb9f6a Mon Sep 17 00:00:00 2001
From: Fro Bot
Date: Sun, 24 May 2026 06:52:44 +0000
Subject: [PATCH] chore(deps): move pnpm overrides to pnpm-workspace.yaml pnpm 11.2.0 stopped reading the `pnpm` field from package.json, silently disabling all eight security-floor overrides. The warning surfaced during the daily autoheal validation: [WARN] The "pnpm" field in package.json is no longer read by pnpm. The following keys were ignored: "pnpm.overrides". The stale lockfile still resolved transitive packages above the floors, but a fresh install or Renovate resolver run could drift below them. This restores enforcement by moving the block into `pnpm-workspace.yaml` per current pnpm settings docs. Refs: https://pnpm.io/settings
---
 package.json | 14 +-------------
 pnpm-lock.yaml | 16 +++++++++++++---
 pnpm-workspace.yaml | 10 ++++++++++
 3 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/package.json b/package.json
index b5c38e643..69f50d2ef 100644
--- a/package.json
+++ b/package.json
@@ -50,17 +50,5 @@
 "typescript": "6.0.3",
 "vitest": "4.1.4"
 },
- "packageManager": "pnpm@11.2.0",
- "pnpm": {
- "overrides": {
- "ajv@8": "8.20.0",
- "brace-expansion": ">=5.0.5",
- "fast-uri": ">=3.1.2",
- "flatted": ">=3.4.2",
- "minimatch": ">=10.2.3",
- "picomatch": ">=4.0.4",
- "undici": ">=7.24.0",
- "yaml": ">=2.8.3"
- }
- }
+ "packageManager": "pnpm@11.2.0"
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 2214dec31..3325b1e2a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,16 @@ settings:
 autoInstallPeers: true
 excludeLinksFromLockfile: false
+overrides:
+ ajv@8: 8.20.0
+ brace-expansion: '>=5.0.5'
+ fast-uri: '>=3.1.2'
+ flatted: '>=3.4.2'
+ minimatch: '>=10.2.3'
+ picomatch: '>=4.0.4'
+ undici: '>=7.24.0'
+ yaml: '>=2.8.3'
+
 importers:
 .:
@@ -15,7 +25,7 @@ importers:
 specifier: ^22.0.1
 version: 22.0.1
 yaml:
- specifier: ^2.6.0
+ specifier: '>=2.8.3'
 version: 2.9.0
 devDependencies:
 '@bfra.me/eslint-config':
@@ -1196,7 +1206,7 @@ packages:
 resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
 engines: {node: '>=12.0.0'}
 peerDependencies:
- picomatch: ^3 || ^4
+ picomatch: '>=4.0.4'
 peerDependenciesMeta:
 picomatch:
 optional: true
@@ -1997,7 +2007,7 @@ packages:
 sugarss: ^5.0.0
 terser: ^5.16.0
 tsx: ^4.8.1
- yaml: ^2.4.2
+ yaml: '>=2.8.3'
 peerDependenciesMeta:
 '@types/node':
 optional: true
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index f1584de9e..2daf4483c 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -5,6 +5,16 @@ onlyBuiltDependencies:
 - esbuild
 - unrs-resolver
+overrides:
+ ajv@8: 8.20.0
+ brace-expansion: '>=5.0.5'
+ fast-uri: '>=3.1.2'
+ flatted: '>=3.4.2'
+ minimatch: '>=10.2.3'
+ picomatch: '>=4.0.4'
+ undici: '>=7.24.0'
+ yaml: '>=2.8.3'
+
 savePrefix: ''
 shamefullyHoist: true
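Review bot: The seven `>=` floors in the new `overrides:` block of pnpm-workspace.yaml have no upper bound, so a fresh resolution may pick any later major for every dependent; the lockfile hunks show declared ranges such as `picomatch: ^3 || ^4` and `yaml: ^2.4.2` being replaced by the bare floor. Consider capping each entry at the major its dependents were written against, for example `picomatch: '>=4.0.4 <5'`, so a security floor cannot turn into an unreviewed major upgrade. This file accepts comments where package.json did not, so each entry could carry a line such as `# floor for <advisory-id>; drop once dependents require this version` to make the floors auditable and retirable. Because the earlier breakage surfaced only as a warning, a CI step that fails when the `overrides:` section is missing from `pnpm-lock.yaml` would catch a repeat.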