chore(deps): tighten pnpm install safeguards

[chenjiahan]

Summary

This PR tightens pnpm workspace install safeguards by requiring reviewed dependency build scripts and adding a one-day minimum release age for installed packages. Rspack ecosystem packages are excluded from the release-age delay so workspace and ecosystem packages can still be consumed without waiting.

Use shared Renovate config: https://github.com/rstackjs/renovate/blob/main/security.json

Checklist

• Tests updated (or not required).
• Documentation updated (or not required).

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Tightens pnpm install safety for the workspace by enforcing stricter dependency build-script rules and delaying installs of newly released packages, with exclusions for the Rspack ecosystem.

Changes:

• Enables strict dependency build-script enforcement (strictDepBuilds: true) and introduces an allowBuilds policy.
• Adds a 1-day minimum release age for packages (minimumReleaseAge: 1440) with exclusions for scoped ecosystem packages.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

📦 Binary Size-limit

Comparing ce8e200 to chore(deps): update dependency mermaid to v11.15.0 [security] (#13997) by renovate[bot]

🙈 Size remains the same at 61.97MB

[github-actions]

Rsdoctor Bundle Diff Analysis

Found 6 projects in monorepo, 6 projects with changes.

📊 Quick Summary

Project	Total Size	Change
popular-libs	1.7 MB	-
react-10k	5.7 MB	-
react-1k	826.3 KB	-
react-5k	2.7 MB	-
rome	1.6 MB	-
ui-components	4.8 MB	-

📋 Detailed Reports (Click to expand)

📁 popular-libs

Path: ../build-tools-performance/cases/popular-libs/dist/rsdoctor-data.json

⚠️ No baseline data found - Unable to perform comparison analysis

Metric	Current	Baseline	Change
📊 Total Size	1.7 MB	-	-
📄 JavaScript	1.7 MB	-	-
🎨 CSS	0 B	-	-
🌐 HTML	289.0 B	-	-
📁 Other Assets	0 B	-	-

📁 react-10k

Path: ../build-tools-performance/cases/react-10k/dist/rsdoctor-data.json

⚠️ No baseline data found - Unable to perform comparison analysis

Metric	Current	Baseline	Change
📊 Total Size	5.7 MB	-	-
📄 JavaScript	5.7 MB	-	-
🎨 CSS	21.0 B	-	-
🌐 HTML	328.0 B	-	-
📁 Other Assets	0 B	-	-

📁 react-1k

Path: ../build-tools-performance/cases/react-1k/dist/rsdoctor-data.json

⚠️ No baseline data found - Unable to perform comparison analysis

Metric	Current	Baseline	Change
📊 Total Size	826.3 KB	-	-
📄 JavaScript	826.0 KB	-	-
🎨 CSS	0 B	-	-
🌐 HTML	328.0 B	-	-
📁 Other Assets	0 B	-	-

📁 react-5k

Path: ../build-tools-performance/cases/react-5k/dist/rsdoctor-data.json

⚠️ No baseline data found - Unable to perform comparison analysis

Metric	Current	Baseline	Change
📊 Total Size	2.7 MB	-	-
📄 JavaScript	2.7 MB	-	-
🎨 CSS	21.0 B	-	-
🌐 HTML	328.0 B	-	-
📁 Other Assets	0 B	-	-

📁 rome

Path: ../build-tools-performance/cases/rome/dist/rsdoctor-data.json

⚠️ No baseline data found - Unable to perform comparison analysis

Metric	Current	Baseline	Change
📊 Total Size	1.6 MB	-	-
📄 JavaScript	1.6 MB	-	-
🎨 CSS	0 B	-	-
🌐 HTML	0 B	-	-
📁 Other Assets	0 B	-	-

📁 ui-components

Path: ../build-tools-performance/cases/ui-components/dist/rsdoctor-data.json

⚠️ No baseline data found - Unable to perform comparison analysis

Metric	Current	Baseline	Change
📊 Total Size	4.8 MB	-	-
📄 JavaScript	4.7 MB	-	-
🎨 CSS	107.0 KB	-	-
🌐 HTML	328.0 B	-	-
📁 Other Assets	0 B	-	-

Generated by Rsdoctor GitHub Action

[codspeed-hq]

Merging this PR will not alter performance

✅ 34 untouched benchmarks
⏩ 25 skipped benchmarks¹

---

_{Comparing chenjiahan/chore-workspace-config (ce8e200) with main (46dec16)}

Footnotes

1. 25 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩