HighPR-scope Plug & play

Enforce a single package manager via packageManager field

Root package.json must define the packageManager field (e.g., "pnpm@9.x") and the repo must not contain other lockfiles or tool config (e.g., yarn.lock, package-lock.json) conflicting with that choice.

Add to Mesrai Open workspace

Why this matters

Guarantees consistent tooling and cache behavior across all workspaces.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

{
 "name": "repo",
 "packageManager": "npm@10.6.0"
}
// and PR adds yarn.lock

Prefer

{
 "name": "repo",
 "packageManager": "pnpm@9.4.0"
}
// only pnpm-lock.yaml at root

More snippets

Good

package.json { "packageManager": "pnpm@9.4.0" }

Bad

yarn.lock

Related rules

From the same buckets as this rule.

High
Disallow per-package registries and proxies
Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.
monorepo-hygienedependency-supply-chain+1
High
Forbid cross-package relative imports in JS/TS
In JS/TS workspaces, imports must use workspace package names (as defined in each package.json and exports) rather than relative paths crossing package boundaries.
monorepo-hygienemodule-architecture+1
High
Keep a single lockfile at the repo root
Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.
monorepo-hygienedependency-supply-chain+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow per-package registries and proxies

Forbid cross-package relative imports in JS/TS

Keep a single lockfile at the repo root

Why this matters

Bad vs. good

More snippets

Related rules

Disallow per-package registries and proxies

Forbid cross-package relative imports in JS/TS

Keep a single lockfile at the repo root