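// 核心要点为每个子包建立允许依赖白名单;禁止未声明与跨边界依赖。控制 hoisting 行为,关键依赖不进行提升或需显式允许。
// (Key points: keep a per-sub-package allow-list of dependencies; forbid undeclared and
// cross-boundary dependencies; control hoisting so that critical dependencies are either
// not hoisted or must be explicitly allowed.)
// 实现示例 (Implementation example)

/** A workspace sub-package together with the dependencies it declares. */
type Pkg = { name: string; deps: string[] }

/**
 * Workspace dependency policy.
 * - `allow`: per-package allow-list keyed by package name; a package with no entry allows nothing.
 * - `noHoist`: dependencies that must stay under their own package and must not be hoisted.
 */
type Policy = { allow: Map<string, Set<string>>; noHoist: Set<string> }

/** True when `dep` appears in `pkg.deps`. */
function declared(pkg: Pkg, dep: string): boolean {
  return pkg.deps.includes(dep)
}

/** True when the allow-list for `pkg.name` contains `dep`; a missing allow-list denies. */
function allowed(pkg: Pkg, dep: string, policy: Policy): boolean {
  const allowSet = policy.allow.get(pkg.name)
  return allowSet !== undefined && allowSet.has(dep)
}

/** True when `dep` is not on the no-hoist list. */
function canHoist(dep: string, policy: Policy): boolean {
  return !policy.noHoist.has(dep)
}

/**
 * Checks the dependencies resolved for `pkg` against the policy.
 *
 * Every rule is checked independently for every dependency, so one dependency can
 * yield several entries: `undeclared:<pkg>:<dep>`, `unallowed:<pkg>:<dep>` and
 * `nohoist:<pkg>:<dep>`. `ok` is true exactly when `errors` is empty, so a failing
 * result is always explained (a no-hoist dependency used to clear `ok` while leaving
 * `errors` empty, which gave the caller nothing to report).
 *
 * @param pkg the package being evaluated
 * @param deps the dependencies actually resolved for `pkg`
 * @param policy allow-list and no-hoist rules for the workspace
 * @returns `{ ok, errors }` with one entry per violated rule, in input order
 */
function evaluate(pkg: Pkg, deps: string[], policy: Policy): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  for (const d of deps) {
    if (!declared(pkg, d)) errors.push(`undeclared:${pkg.name}:${d}`)
    if (!allowed(pkg, d, policy)) errors.push(`unallowed:${pkg.name}:${d}`)
    // Record the hoist violation rather than only clearing `ok`, so the caller can see why.
    if (!canHoist(d, policy)) errors.push(`nohoist:${pkg.name}:${d}`)
  }
  return { ok: errors.length === 0, errors }
}

// 审计与运行治理对跨包访问与 hoist 清单进行审计;变更需审批与回归校验。生产构建按策略执行依赖隔离与不提升规则。
// (Audit and runtime governance: audit cross-package access and the hoist list; changes
// need approval and regression checks; production builds enforce dependency isolation
// and no-hoist rules according to the policy.)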
