Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.
monorepo-hygiene, dependency-supply-chain, +1
High
Enforce a single package manager via packageManager field
Root package.json must define the packageManager field (e.g., "pnpm@9.x") and the repo must not contain other lockfiles or tool config (e.g., yarn.lock, package-lock.json) conflicting with that choice.
monorepo-hygiene, ci-cd-build-hygiene, +1
High
Forbid cross-package relative imports in JS/TS
In JS/TS workspaces, imports must use workspace package names (as defined in each package.json and exports) rather than relative paths crossing package boundaries.
monorepo-hygiene, module-architecture, +1
High
Keep a single lockfile at the repo root
Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.
monorepo-hygiene, dependency-supply-chain, +1
High
Require Changeset for publishable package changes
If a PR modifies a workspace with "private": false in its package.json, enforce a .changeset/*.md entry describing semver impact for each affected package.
monorepo-hygiene, api-contracts-versioning, +1
High
Use go.work at repo root instead of replace in modules
Maintain a single go.work at the monorepo root listing all local modules via use directives. Forbid go.mod replace directives that point to sibling modules (e.g., ../pkg) in workspace modules.
monorepo-hygiene, module-architecture
Low
Central Package Management for .NET
Use Directory.Packages.props at the repo root to declare PackageVersion entries. Workspace .csproj files must reference packages without embedding Version attributes.
monorepo-hygiene, dependency-supply-chain, +1
Low
Centralize Rust deps with workspace.dependencies
In the root Cargo.toml, define [workspace] members and manage shared versions under [workspace.dependencies]. Member Cargo.toml files must not pin versions for crates declared centrally.
monorepo-hygiene, dependency-supply-chain, +1
Low
Enable TS project references for depended packages
When a TS package depends on another workspace package, tsconfig.json must set "composite": true and include a "references" entry to the dependency; root must aggregate paths via tsconfig.base.json if used.
monorepo-hygiene, maintainability, +1
Low
Gradle: define modules in settings.gradle and use version catalogs
List all included builds/modules in settings.gradle and manage versions via gradle/libs.versions.toml (version catalogs). Forbid hardcoded versions and repo declarations in module build.gradle files.
monorepo-hygiene, ci-cd-build-hygiene, +1
Low
SBT: keep scalaVersion and versions centralized
Define scalaVersion and library versions in version.sbt or ThisBuild in build.sbt; modules must not override scalaVersion or pin conflicting dependency versions locally.
monorepo-hygiene, maintainability, +1
Low
Tighten workspace globs in pnpm-workspace.yaml
In pnpm-workspace.yaml, explicitly list workspace globs (e.g., "apps/*", "packages/*") and exclude build outputs (e.g., "**/dist", "**/build"). Forbid catch-all patterns like "*" or "**".
monorepo-hygiene, maintainability
Low
Turbo pipeline must declare dependencies and outputs
In turbo.json, each task must set dependsOn (e.g., "^build") and outputs (e.g., "dist/"). Require cache:true for build/test/lint pipelines unless explicitly justified.