HighPR-scope Plug & play

Keep a single lockfile at the repo root

Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.

Add to Mesrai Open workspace

Why this matters

Root-only lockfiles avoid divergent dependency graphs and flaky builds in workspaces.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

{
 "changedFiles": [
 "packages/web/yarn.lock",
 "packages/api/package-lock.json"
 ]
}

Prefer

{
 "changedFiles": [
 "pnpm-lock.yaml",
 "packages/web/src/App.tsx"
 ]
}

More snippets

Bad

packages/app/yarn.lock

Good

pnpm-lock.yaml

Related rules

From the same buckets as this rule.

High
Disallow per-package registries and proxies
Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.
monorepo-hygienedependency-supply-chain+1
High
Enforce a single package manager via packageManager field
Root package.json must define the packageManager field (e.g., "pnpm@9.x") and the repo must not contain other lockfiles or tool config (e.g., yarn.lock, package-lock.json) conflicting with that choice.
monorepo-hygieneci-cd-build-hygiene+1
High
Forbid cross-package relative imports in JS/TS
In JS/TS workspaces, imports must use workspace package names (as defined in each package.json and exports) rather than relative paths crossing package boundaries.
monorepo-hygienemodule-architecture+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow per-package registries and proxies

Enforce a single package manager via packageManager field

Forbid cross-package relative imports in JS/TS

Why this matters

Bad vs. good

More snippets

Related rules

Disallow per-package registries and proxies

Enforce a single package manager via packageManager field

Forbid cross-package relative imports in JS/TS