vercel · eps1lon · Apr 9, 2026 · Apr 9, 2026
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -29,6 +29,8 @@ ignoredBuiltDependencies:
   - ssh2
   - unrs-resolver
   - wasm-pack
+# Keep security related settings in sync with pnpm-workspace.yaml written to
+# temporary fixture dirs in file://./test/lib/create-next-install.js
 blockExoticSubdeps: true
 minimumReleaseAge: 2880 # 48 hrs
 minimumReleaseAgeExclude:

diff --git a/test/lib/create-next-install.js b/test/lib/create-next-install.js
@@ -2,6 +2,7 @@ const os = require('os')
 const path = require('path')
 const execa = require('execa')
 const fs = require('fs-extra')
+const outdent = require('outdent')
 const childProcess = require('child_process')
 const { randomBytes } = require('crypto')
 const { linkPackages } =
@@ -190,6 +191,30 @@ async function createNextInstall({
         )
       )
 
+      // Propagate security relate settings from file://./../../pnpm-workspace.yaml
+      // TODO: Ensure tests with custom installCommand also include necessary pnpm
+      // configs for security related settings, and remove this workaround.
+      await fs.writeFile(
+        path.join(installDir, 'pnpm-workspace.yaml'),
+        outdent`
+          blockExoticSubdeps: true
+          minimumReleaseAge: 2880 # 48 hrs
+          minimumReleaseAgeExclude:
+            - '@next/*'
+            - '@turbo/*'
+            - '@vercel/*'
+            - '@workflow/*'
+            - babel-plugin-react-compiler
+            - next
+            - react
+            - react-dom
+            - react-is
+            - react-server-dom-*
+            - scheduler
+            - turbo
+        `
+      )
+
       if (beforeInstall !== undefined) {
         await rootSpan
           .traceChild('beforeInstall')