microsoft · octogonz · Apr 16, 2026 · Apr 16, 2026
diff --git a/websites/api.rushstack.io/data/api_nav.json b/websites/api.rushstack.io/data/api_nav.json
@@ -6452,6 +6452,21 @@
               "label": "strictPeerDependencies",
               "id": "pages/rush-lib.pnpmoptionsconfiguration.strictpeerdependencies"
             },
+            {
+              "type": "doc",
+              "label": "trustPolicy",
+              "id": "pages/rush-lib.pnpmoptionsconfiguration.trustpolicy"
+            },
+            {
+              "type": "doc",
+              "label": "trustPolicyExclude",
+              "id": "pages/rush-lib.pnpmoptionsconfiguration.trustpolicyexclude"
+            },
+            {
+              "type": "doc",
+              "label": "trustPolicyIgnoreAfterMinutes",
+              "id": "pages/rush-lib.pnpmoptionsconfiguration.trustpolicyignoreafterminutes"
+            },
             {
               "type": "doc",
               "label": "unsupportedPackageJsonSettings",
@@ -6489,6 +6504,11 @@
           "label": "PnpmStoreOptions",
           "id": "pages/rush-lib.pnpmstoreoptions"
         },
+        {
+          "type": "doc",
+          "label": "PnpmTrustPolicy",
+          "id": "pages/rush-lib.pnpmtrustpolicy"
+        },
         {
           "type": "category",
           "label": "ProjectChangeAnalyzer",
@@ -15287,6 +15307,11 @@
               "label": "pnpmInstallFolder",
               "id": "pages/package-extractor.iextractorsubspace.pnpminstallfolder"
             },
+            {
+              "type": "doc",
+              "label": "pnpmNodeModulesHoistingEnabled",
+              "id": "pages/package-extractor.iextractorsubspace.pnpmnodemoduleshoistingenabled"
+            },
             {
               "type": "doc",
               "label": "subspaceName",

diff --git a/websites/api.rushstack.io/docs/pages/package-extractor.iextractorsubspace.md b/websites/api.rushstack.io/docs/pages/package-extractor.iextractorsubspace.md
@@ -59,6 +59,25 @@ string
 _(Optional)_ The folder where the PNPM "node\_modules" folder is located. This is used to resolve packages linked to the PNPM virtual store.
 
 
+</td></tr>
+<tr><td>
+
+[pnpmNodeModulesHoistingEnabled?](./package-extractor.iextractorsubspace.pnpmnodemoduleshoistingenabled.md)
+
+
+</td><td>
+
+
+</td><td>
+
+boolean
+
+
+</td><td>
+
+_(Optional)_ Whether PNPM hoisting is enabled for this subspace. When set to `false`<></>, the extractor will skip looking for hoisted packages in the PNPM virtual store, since no hoisting symlinks will exist. Default is `true`<></>.
+
+
 </td></tr>
 <tr><td>
 

diff --git a/...cs/pages/package-extractor.iextractorsubspace.pnpmnodemoduleshoistingenabled.md b/...cs/pages/package-extractor.iextractorsubspace.pnpmnodemoduleshoistingenabled.md
@@ -0,0 +1,19 @@
+---
+hide_title: true
+custom_edit_url: null
+pagination_prev: null
+pagination_next: null
+---
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [@rushstack/package-extractor](./package-extractor.md) &gt; [IExtractorSubspace](./package-extractor.iextractorsubspace.md) &gt; [pnpmNodeModulesHoistingEnabled](./package-extractor.iextractorsubspace.pnpmnodemoduleshoistingenabled.md)
+
+## IExtractorSubspace.pnpmNodeModulesHoistingEnabled property
+
+Whether PNPM hoisting is enabled for this subspace. When set to `false`<></>, the extractor will skip looking for hoisted packages in the PNPM virtual store, since no hoisting symlinks will exist. Default is `true`<></>.
+
+**Signature:**
+
+```typescript
+pnpmNodeModulesHoistingEnabled?: boolean;
+```
diff --git a/websites/api.rushstack.io/docs/pages/rush-lib.md b/websites/api.rushstack.io/docs/pages/rush-lib.md
@@ -1296,6 +1296,17 @@ This represents the available PNPM store options
 </td><td>
 
 
+</td></tr>
+<tr><td>
+
+[PnpmTrustPolicy](./rush-lib.pnpmtrustpolicy.md)
+
+
+</td><td>
+
+Possible values for the `trustPolicy` setting in Rush's pnpm-config.json file.
+
+
 </td></tr>
 </tbody></table>
 
diff --git a/websites/api.rushstack.io/docs/pages/rush-lib.pnpmoptionsconfiguration.md b/websites/api.rushstack.io/docs/pages/rush-lib.pnpmoptionsconfiguration.md
@@ -522,6 +522,69 @@ boolean
 If true, then Rush will add the "--strict-peer-dependencies" option when invoking PNPM.
 
 
+</td></tr>
+<tr><td>
+
+[trustPolicy](./rush-lib.pnpmoptionsconfiguration.trustpolicy.md)
+
+
+</td><td>
+
+`readonly`
+
+
+</td><td>
+
+[PnpmTrustPolicy](./rush-lib.pnpmtrustpolicy.md) \| undefined
+
+
+</td><td>
+
+The trust policy controls whether pnpm should block installation of package versions where the trust level has decreased (e.g., a package previously published with provenance is now published without it). Setting this to `"no-downgrade"` enables the protection.
+
+
+</td></tr>
+<tr><td>
+
+[trustPolicyExclude](./rush-lib.pnpmoptionsconfiguration.trustpolicyexclude.md)
+
+
+</td><td>
+
+`readonly`
+
+
+</td><td>
+
+string\[\] \| undefined
+
+
+</td><td>
+
+List of package names or patterns that are excluded from the trust policy check. These packages will be allowed to install even if their trust level has decreased.
+
+
+</td></tr>
+<tr><td>
+
+[trustPolicyIgnoreAfterMinutes](./rush-lib.pnpmoptionsconfiguration.trustpolicyignoreafterminutes.md)
+
+
+</td><td>
+
+`readonly`
+
+
+</td><td>
+
+number \| undefined
+
+
+</td><td>
+
+The number of minutes after which pnpm will ignore trust level downgrades. Packages published longer ago than this threshold will not be blocked even if their trust level has decreased.
+
+
 </td></tr>
 <tr><td>
 

diff --git a/...es/api.rushstack.io/docs/pages/rush-lib.pnpmoptionsconfiguration.trustpolicy.md b/...es/api.rushstack.io/docs/pages/rush-lib.pnpmoptionsconfiguration.trustpolicy.md
@@ -0,0 +1,26 @@
+---
+hide_title: true
+custom_edit_url: null
+pagination_prev: null
+pagination_next: null
+---
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [@microsoft/rush-lib](./rush-lib.md) &gt; [PnpmOptionsConfiguration](./rush-lib.pnpmoptionsconfiguration.md) &gt; [trustPolicy](./rush-lib.pnpmoptionsconfiguration.trustpolicy.md)
+
+## PnpmOptionsConfiguration.trustPolicy property
+
+The trust policy controls whether pnpm should block installation of package versions where the trust level has decreased (e.g., a package previously published with provenance is now published without it). Setting this to `"no-downgrade"` enables the protection.
+
+**Signature:**
+
+```typescript
+readonly trustPolicy: PnpmTrustPolicy | undefined;
+```
+
+## Remarks
+
+(SUPPORTED ONLY IN PNPM 10.21.0 AND NEWER)
+
+PNPM documentation: https://pnpm.io/settings\#trustpolicy
+
diff --git a/...rushstack.io/docs/pages/rush-lib.pnpmoptionsconfiguration.trustpolicyexclude.md b/...rushstack.io/docs/pages/rush-lib.pnpmoptionsconfiguration.trustpolicyexclude.md
@@ -0,0 +1,28 @@
+---
+hide_title: true
+custom_edit_url: null
+pagination_prev: null
+pagination_next: null
+---
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [@microsoft/rush-lib](./rush-lib.md) &gt; [PnpmOptionsConfiguration](./rush-lib.pnpmoptionsconfiguration.md) &gt; [trustPolicyExclude](./rush-lib.pnpmoptionsconfiguration.trustpolicyexclude.md)
+
+## PnpmOptionsConfiguration.trustPolicyExclude property
+
+List of package names or patterns that are excluded from the trust policy check. These packages will be allowed to install even if their trust level has decreased.
+
+**Signature:**
+
+```typescript
+readonly trustPolicyExclude: string[] | undefined;
+```
+
+## Remarks
+
+(SUPPORTED ONLY IN PNPM 10.22.0 AND NEWER)
+
+PNPM documentation: https://pnpm.io/settings\#trustpolicyexclude
+
+Example: \["webpack", "react", "<></>@<></>myorg/\*"\]
+
diff --git a/...o/docs/pages/rush-lib.pnpmoptionsconfiguration.trustpolicyignoreafterminutes.md b/...o/docs/pages/rush-lib.pnpmoptionsconfiguration.trustpolicyignoreafterminutes.md
@@ -0,0 +1,26 @@
+---
+hide_title: true
+custom_edit_url: null
+pagination_prev: null
+pagination_next: null
+---
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [@microsoft/rush-lib](./rush-lib.md) &gt; [PnpmOptionsConfiguration](./rush-lib.pnpmoptionsconfiguration.md) &gt; [trustPolicyIgnoreAfterMinutes](./rush-lib.pnpmoptionsconfiguration.trustpolicyignoreafterminutes.md)
+
+## PnpmOptionsConfiguration.trustPolicyIgnoreAfterMinutes property
+
+The number of minutes after which pnpm will ignore trust level downgrades. Packages published longer ago than this threshold will not be blocked even if their trust level has decreased.
+
+**Signature:**
+
+```typescript
+readonly trustPolicyIgnoreAfterMinutes: number | undefined;
+```
+
+## Remarks
+
+(SUPPORTED ONLY IN PNPM 10.27.0 AND NEWER)
+
+PNPM documentation: https://pnpm.io/settings\#trustpolicyignoreafter
+
diff --git a/websites/api.rushstack.io/docs/pages/rush-lib.pnpmtrustpolicy.md b/websites/api.rushstack.io/docs/pages/rush-lib.pnpmtrustpolicy.md
@@ -0,0 +1,24 @@
+---
+hide_title: true
+custom_edit_url: null
+pagination_prev: null
+pagination_next: null
+---
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [@microsoft/rush-lib](./rush-lib.md) &gt; [PnpmTrustPolicy](./rush-lib.pnpmtrustpolicy.md)
+
+## PnpmTrustPolicy type
+
+Possible values for the `trustPolicy` setting in Rush's pnpm-config.json file.
+
+**Signature:**
+
+```typescript
+export type PnpmTrustPolicy = 'no-downgrade' | 'off';
+```
+
+## Remarks
+
+These values correspond to PNPM's `trust-policy` setting, which is documented here: [https://pnpm.io/settings\#trustpolicy](https://pnpm.io/settings#trustpolicy)
+