Skip to content

Mitigate supply chain attacks with npmMinimalAgeGate and Lavamoat#88

Merged
jeffsmale90 merged 2 commits into
mainfrom
chore/upgrade-yarn-min-package-age-lavamoat
Oct 21, 2025
Merged

Mitigate supply chain attacks with npmMinimalAgeGate and Lavamoat#88
jeffsmale90 merged 2 commits into
mainfrom
chore/upgrade-yarn-min-package-age-lavamoat

Conversation

@jeffsmale90

@jeffsmale90 jeffsmale90 commented Oct 20, 2025

Copy link
Copy Markdown
Collaborator

Description

Yarn 4.10.0 introduces the npmMinimalAgeGate setting that allows a package to specify the minimum age that a package must be before it is installed. It has been recommended that we set a value of 3 days to mitigate supply chain attacks such as the recent event that targeted developer environments via compromised npm publisher accounts.

https://medium.com/@roman_fedyskyi/yarn-4-10-adds-a-release-age-gate-for-safer-dependency-management-765c2d18149a

This PR updates the package manager to 4.10.0 and sets the value for npmMinimalAgeGate to 3 days (4320 minutes).

Yarn 4 also includes yarn org plugins by default, so it is no longer necessary to specify these.

This PR also introduced @lavamoat/allow-scripts and @lavamoat/preinstall-always-fail to ensure that no malicious lifecycle scripts are run.

📋 Checklist

Check off completed items:

  • Code follows the project's coding standards
  • Self-review completed
  • Documentation updated (if needed)
  • Tests added/updated
  • Changelog updated (if needed)
  • All CI checks pass

🔗 Related Issues

Link to related issues:
Closes #
Related to #

📚 Additional Notes

Any additional information, concerns, or context:


Note

Upgrades Yarn to 4.10.0, enforces a 3‑day package age gate, and adds LavaMoat allow-scripts/preinstall safeguards.

  • Build/Tooling:
    • Yarn: Bump packageManager to yarn@4.10.0; configure npmMinimalAgeGate: 4320 in .yarnrc.yml.
    • Install script hardening:
      • Add @lavamoat/allow-scripts and @lavamoat/preinstall-always-fail to devDependencies.
      • Add lavamoat.allowScripts config in package.json (disables scripts for @lavamoat/preinstall-always-fail and keccak).
      • Remove obsolete allow-scripts npm script.
  • Dependencies:
    • Update lockfile to reflect new tooling and LavaMoat packages.

Written by Cursor Bugbot for commit 586d593. This will update automatically on new commits. Configure here.

Comment thread .yarnrc.yml
@socket-security

socket-security Bot commented Oct 20, 2025

Copy link
Copy Markdown

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • node-gyp@10.3.1

View full report

@jeffsmale90

Copy link
Copy Markdown
Collaborator Author

@SocketSecurity ignore npm/node-gyp@10.3.1

Reviewed release history and socket security page. Well maintained and utilised package. One major version behind latest.

@jeffsmale90 jeffsmale90 changed the title Chore/upgrade yarn min package age lavamoat Mitigate supply chain attacks with npmMinimalAgeGate and Lavamoat Oct 20, 2025
@jeffsmale90 jeffsmale90 merged commit 8f6253c into main Oct 21, 2025
17 checks passed
@jeffsmale90 jeffsmale90 deleted the chore/upgrade-yarn-min-package-age-lavamoat branch October 21, 2025 00:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants