
deps: remove NPM lockfile and harden PNPM security rules#366

Open
ondrej-langr wants to merge 5 commits into Openpanel-dev:main from ondrej-langr:remove-lockfile-harden-security

Conversation


@ondrej-langr ondrej-langr commented May 15, 2026

Supply chain attacks happen more and more. PNPM offers some options that mitigate the attacks a lot. This change upgrades PNPM to the latest version and applies their recommendations about security settings: blockExoticSubdeps, minimumReleaseAge, trustPolicy, trustPolicyExclude and allowBuilds.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Redux Toolkit to the latest available version for improved performance and bug fixes.
    • Upgraded package manager to the latest stable release for enhanced tooling.
    • Enhanced security configuration with stricter dependency management and trust policies to improve project stability.



coderabbitai Bot commented May 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fe698ee5-83fd-4779-a150-ba2e7168954b

📥 Commits

Reviewing files that changed from the base of the PR and between 8c1636d and 9e6fb0e.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • apps/start/package.json
  • package.json
  • pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

This PR updates the workspace package manager from pnpm 10.6.2 to 11.1.2, introduces security essentials policies to restrict exotic dependencies and enforce release age requirements, and bumps @reduxjs/toolkit from 2.8.2 to 2.11.2 in the starter application.

Changes

Workspace & Dependency Configuration Updates

Layer: pnpm version upgrade and workspace security essentials
File(s): package.json, pnpm-workspace.yaml
Summary: Root packageManager field updated to [email protected]; workspace security essentials block added to restrict exotic subdependencies (blockExoticSubdeps: true), enforce a 2-day minimum release age (minimumReleaseAge: 2880), apply the no-downgrade trust policy, whitelist specific package versions, and allow builds for @biomejs/biome, Prisma packages, @tailwindcss/oxide, sharp, and esbuild.

Layer: @reduxjs/toolkit dependency update
File(s): apps/start/package.json
Summary: @reduxjs/toolkit dependency bumped from ^2.8.2 to ^2.11.2 with an end-of-file formatting adjustment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A pnpm hop from ten to eleven,
Security shields in workspace heaven,
Redux grows stronger, two-eight to twice-one,
Dependencies dance—the updates are done! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: removing the NPM lockfile and hardening PNPM security rules with specific configurations like blockExoticSubdeps, minimumReleaseAge, and trustPolicy.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping the docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

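The settings named in the PR description and in the walkthrough above, collected into one pnpm-workspace.yaml security block as an added illustration. This is not the project's own file: the key names and the two values the page states (blockExoticSubdeps: true, minimumReleaseAge: 2880, trustPolicy: no-downgrade) come from the page; the concrete package lists under allowBuilds and trustPolicyExclude, and the minimumReleaseAgeExclude key, are assumptions. The comments describe the intent of each setting; confirm the exact semantics against the pnpm documentation for the release in use.

```yaml
# Added example of a hardened pnpm-workspace.yaml security section.
# Illustrative only; package lists below are assumptions, not the PR's file.

# Transitive dependencies may only resolve to registry packages. A subdependency
# whose manifest points at a git repo, a tarball URL or another "exotic"
# specifier is rejected, so a compromised package cannot pull code from
# outside the registry's (auditable, versioned) namespace.
blockExoticSubdeps: true

# Value is in minutes: 2880 = 48 hours. A freshly published version is not
# resolved until it has been on the registry that long, which is the window in
# which most hijacked releases are reported and unpublished.
minimumReleaseAge: 2880
# Packages exempted from the age requirement (assumption: none here).
minimumReleaseAgeExclude: []

# Refuse a version whose trust level is lower than that of a previously
# installed version of the same package, e.g. a release without provenance
# following releases that had it, a typical fingerprint of a stolen token.
trustPolicy: no-downgrade
# Packages or versions exempted from the trust policy (illustrative entry;
# the page only says specific versions were whitelisted).
trustPolicyExclude:
  - "[email protected]"

# Install-time lifecycle scripts (preinstall, install, postinstall) are not run
# unless the package is listed here, so an unexpected dependency cannot
# execute code during `pnpm install`. These are the native/binary packages the
# walkthrough names; the exact Prisma package names are assumptions.
allowBuilds:
  "@biomejs/biome": true
  "@prisma/client": true
  "@prisma/engines": true
  prisma: true
  "@tailwindcss/oxide": true
  sharp: true
  esbuild: true
```

After changing these keys, run `pnpm install` locally and commit the regenerated pnpm-lock.yaml; in CI use `pnpm install --frozen-lockfile` so the single remaining lockfile is the source of truth now that package-lock.json is gone. Two caveats a reviewer should weigh: minimumReleaseAge delays security fixes by the same 48 hours, so keep `pnpm audit` or an advisory feed in the pipeline, and any package added to allowBuilds regains install-time code execution, so each entry deserves the same scrutiny as a new dependency.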

ondrej-langr force-pushed the remove-lockfile-harden-security branch from 06146b2 to 9e6fb0e on May 15, 2026 at 20:22.