Volta Version Pinning Policy

This rule applies to files matching the patterns above.

# Volta Version Pinning Policy

## Rule
Every Node.js project MUST pin Node.js AND npm/Yarn versions in package.json using Volta. No .nvmrc, no .node-version files — package.json is the single source of truth.

## Format
```json
{
  "name": "my-project",
  "volta": {
    "node": "20.11.1",
    "npm": "10.4.0"
  }
}
```

## Requirements
1. **Pin Node version** — always specific (20.11.1, not 20)
2. **Pin npm or Yarn** — not just Node
3. **Use LTS for production** — even-numbered Node versions
4. **No .nvmrc files** — delete if present, pin in package.json
5. **Monorepo root only** — workspaces inherit from root

## Commands
```bash
# Pin versions
volta pin node@20     # Resolves to latest 20.x.x
volta pin npm@10

# Verify
cat package.json | jq .volta
```

## Good
```json
{
  "volta": {
    "node": "20.11.1",
    "npm": "10.4.0"
  }
}
```

## Bad
```
# .nvmrc file (not Volta)
20

# package.json with only Node pinned
{
  "volta": {
    "node": "20.11.1"
  }
}
// Missing npm version!
```