Add 3-day install cooldown (supply-chain protection)#1292
Closed
vikyw89 wants to merge 2 commits into
Closed
Conversation
Set npm min-release-age=3 in .npmrc so newly published package versions are not installed until they are at least 3 days old, reducing exposure to malicious releases caught shortly after publish. Requires npm >=11.10.0; silently ignored by older npm. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Member
|
This might be a good idea, I'll take a look |
Member
|
I think we'll go against this. We update our direct dependencies rarely and deliberately (we only have 6 of them and they haven't changed in a year) and use well-supported well-tested versions. None of our core |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1293
What
Adds
.npmrcwithmin-release-age=3— npm will not install a package version until it is at least 3 days old.Why
Supply-chain protection. Most malicious npm releases are caught and yanked within hours to a day of publish. A short install cooldown means the repo never pulls a version fresh enough to be in that window.
Notes
min-release-age), requires npm >= 11.10.0. Older npm silently ignores unknown.npmrckeys, so this can't break CI on older runners.npm install --min-release-age=0.🤖 Generated with Claude Code