enableScripts: false is a great default, but in a pnpm workspace monorepo it needs some tuning — a few packages legitimately rely on postinstall (esbuild, sharp, etc. downloading platform binaries).
What worked for us was whitelisting just those in onlyBuiltDependencies. Everything else stays locked down.
The age gate is a nice extra layer. I do wonder how well it holds up for fast-moving deps where you actually want the latest patch though.
These mostly solve the issue of postinstall scripts being added and packages being compromised.