HighFile-scope Plug & play

Disallow per-package registries and proxies

Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.

Add to Mesrai Open workspace

Why this matters

Single source of truth for registries reduces supply-chain and publishing mistakes.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

packages/ui/.npmrc
registry=https://registry.example.com/
//overrides root

Prefer

.npmrc
registry=https://registry.npmjs.org/
@acme:registry=https://npm.pkg.github.com

More snippets

Bad

packages/ui/.npmrc

Good

.npmrc
@scope:registry=https://npm.pkg.github.com

Related rules

From the same buckets as this rule.

High
Enforce a single package manager via packageManager field
Root package.json must define the packageManager field (e.g., "pnpm@9.x") and the repo must not contain other lockfiles or tool config (e.g., yarn.lock, package-lock.json) conflicting with that choice.
monorepo-hygieneci-cd-build-hygiene+1
High
Forbid cross-package relative imports in JS/TS
In JS/TS workspaces, imports must use workspace package names (as defined in each package.json and exports) rather than relative paths crossing package boundaries.
monorepo-hygienemodule-architecture+1
High
Keep a single lockfile at the repo root
Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.
monorepo-hygienedependency-supply-chain+1

Why this matters

Bad vs. good

More snippets

Related rules

Enforce a single package manager via packageManager field

Forbid cross-package relative imports in JS/TS

Keep a single lockfile at the repo root

Why this matters

Bad vs. good

More snippets

Related rules

Enforce a single package manager via packageManager field

Forbid cross-package relative imports in JS/TS

Keep a single lockfile at the repo root