
deps: remove NPM lockfile and harden PNPM security rules#366

Open
ondrej-langr wants to merge 7 commits into
Openpanel-dev:mainfrom
ondrej-langr:remove-lockfile-harden-security

Conversation

@ondrej-langr
Contributor

@ondrej-langr ondrej-langr commented May 15, 2026

Supply chain attacks happen more and more. PNPM offers some options that mitigate the attacks a lot. This change upgrades PNPM to the latest version and applies their recommendations about security settings: blockExoticSubdeps, minimumReleaseAge, trustPolicy, trustPolicyExclude and allowBuilds.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Redux Toolkit to the latest release for improved stability and performance.
    • Upgraded the project package manager to the latest stable release for better tooling.
    • Strengthened workspace security and dependency trust policies to reduce risky transitive dependencies and improve overall project stability.

@coderabbitai
Contributor

coderabbitai Bot commented May 15, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

Updates workspace package manager to pnpm@11.1.2, adds a workspace "Security essentials" block to pnpm-workspace.yaml, and bumps @reduxjs/toolkit in the starter app from ^2.8.2 to ^2.11.2.

Changes

Workspace & Dependency Configuration Updates

Layer: pnpm version upgrade and workspace security essentials
File(s): package.json, pnpm-workspace.yaml
Summary: Root packageManager updated to pnpm@11.1.2; pnpm-workspace.yaml gains a "# Security essentials" block configuring blockExoticSubdeps, minimumReleaseAge: 2880, a no-downgrade trust policy, a trustPolicyExclude whitelist of package@version entries, and allowBuilds for selected packages.

Layer: @reduxjs/toolkit dependency update
File(s): apps/start/package.json
Summary: @reduxjs/toolkit bumped from ^2.8.2 to ^2.11.2; minor end-of-file formatting adjustment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped through JSON, line by line,
pnpm climbed a stair to eleven fine,
Security blossoms in workspace light,
Redux stretched its limbs and feels just right.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main changes: updating PNPM, removing the NPM lockfile, and hardening PNPM security rules through configuration. All major components of the changeset are reflected in the concise title.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

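The "Security essentials" block the PR description and the walkthrough above refer to, written out as an added illustration of how these pnpm-workspace.yaml settings fit together. This is not the PR's actual diff: the only values taken from the page are minimumReleaseAge: 2880 and the no-downgrade trust policy; the package names in trustPolicyExclude and allowBuilds are placeholders, and the comments describe each setting's intent as documented by pnpm.

```yaml
# Security essentials (illustrative reconstruction, not the PR's exact file)

# Refuse transitive dependencies that are not resolved from the registry
# (git repos, tarball URLs, etc.), which bypass registry-side vetting.
blockExoticSubdeps: true

# Only resolve to versions published at least 2880 minutes (48 hours) ago,
# leaving time for a hijacked release to be noticed and unpublished.
minimumReleaseAge: 2880

# Do not resolve to a version whose trust level (provenance / trusted
# publishing) is lower than what was previously recorded.
trustPolicy: no-downgrade

# Exact package@version entries exempted from the trust policy
# (placeholder entries; the real list is project-specific).
trustPolicyExclude:
  - example-package@1.2.3
  - another-package@4.5.6

# Lifecycle scripts (preinstall/install/postinstall) stay blocked unless a
# package is listed here explicitly (placeholder names).
allowBuilds:
  example-native-addon: true
  example-bundler: true
```

When these keys are in place, running pnpm install on a lockfile that references a newer-than-48h or exotic transitive dependency fails the install instead of silently pulling it in, which is the point of the hardening.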

@ondrej-langr ondrej-langr force-pushed the remove-lockfile-harden-security branch from 06146b2 to 9e6fb0e on May 15, 2026 20:22
@lindesvard
Contributor

@ondrej-langr can you resolve the merge conflict? Then I'll merge this.

@ondrej-langr
Contributor Author

sure thing

@ondrej-langr
Contributor Author

should be resolved now
