feat: respect pnpm minimumReleaseAge from pnpm-workspace.yaml

When invoked as the pnpm/pnpx shim, walk up from cwd looking for
pnpm-workspace.yaml (or a pnpm field in package.json) and use its
minimumReleaseAge and minimumReleaseAgeExclude as the floor and
exclusion list. Existing CLI args, env vars, and ~/.safe-chain/config.json
still override, so the project's pnpm config can act as a single source
of truth without forcing users to duplicate settings across two systems.

Fixes #460

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ethan Setnik 2026-05-15 17:39:00 -04:00
parent 65a8075b0e
commit 8ac7c722b8
No known key found for this signature in database
GPG key ID: 0D4CC215CFFBCECB
7 changed files with 906 additions and 3 deletions


@ -240,9 +240,20 @@ You can set the minimum package age through multiple sources (in order of priori
}
```
4. **pnpm workspace config** (only when invoked as the `pnpm` or `pnpx` shim):
Safe Chain reads `minimumReleaseAge` (in minutes — see [pnpm settings](https://pnpm.io/settings#minimumreleaseage)) from the nearest `pnpm-workspace.yaml`, falling back to a `pnpm` field in `package.json`. Any of the higher-priority sources above override it.
```yaml
# pnpm-workspace.yaml
minimumReleaseAge: 1440 # 24 hours
minimumReleaseAgeExclude:
- "@aikidosec/*"
```
### Excluding Packages
Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Use `@scope/*` to trust all packages from an organization:
Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). When invoked as `pnpm`/`pnpx`, `minimumReleaseAgeExclude` from `pnpm-workspace.yaml` is also merged in. Use `@scope/*` to trust all packages from an organization:
```shell
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*"
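Review bot: the README text in this hunk describes two different merge semantics for the two pnpm settings without saying so explicitly, and the priority framing at the top of the list hides the difference. Item 4 says the `pnpm` workspace source is lowest priority and that "any of the higher-priority sources above override it", which is true for `minimumReleaseAge` but, per the "Excluding Packages" paragraph, not for `minimumReleaseAgeExclude`, which "is also merged in" alongside the env var and config file. Because a union of exclusion lists is never narrowed by a higher-priority source, a project's `pnpm-workspace.yaml` can add exclusions on top of whatever a user configured in `~/.safe-chain/config.json`, whereas it can only ever lose for the age floor. Suggest stating that asymmetry in item 4, e.g. "`minimumReleaseAge` is overridden by the sources above; `minimumReleaseAgeExclude` is merged with them, so a repository's exclusions extend your own", so readers who treat the pnpm file as the "single source of truth" from the commit message understand that it can widen, but not tighten, the exclusion set for anyone invoking through the shim.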