Skip to content

Commit 4e48866

Browse files
Add supply-chain cooldown for npm dependencies (#80)
Enforce a rolling release-age cooldown so npm only resolves dependency versions that have been published for at least 15 days, reducing exposure to compromised "fresh" releases. Malicious packages are typically detected and unpublished within that window. - .npmrc: set min-release-age=15 (requires npm >= 11.10.0); - package.json: add devEngines pinning node >=20.10 and npm >=11.10; hard-fail for earlier npm versions - workflows: bump CI to Node 24 (Node 22 ships npm 10, which lacks min-release-age) and switch the publish job's npm install -> npm ci for deterministic, lockfile-pinned installs - README: document the policy and the --min-release-age=0 override for urgent security fixes No breaking changes for consumers of the published zerion-cli package: the runtime requirement stays node >=20 (engines is unchanged), and devEngines / .npmrc are dev-and-CI only. The cooldown affects only version resolution (updating package-lock.json); installs from the existing lockfile, including npm ci, are unaffected.
1 parent e89f01a commit 4e48866

5 files changed

Lines changed: 40 additions & 3 deletions

File tree

.github/workflows/release-please.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,10 +32,10 @@ jobs:
3232

3333
- uses: actions/setup-node@v4
3434
with:
35-
node-version: 20
35+
node-version: 24
3636
registry-url: https://registry.npmjs.org
3737

38-
- run: npm install
38+
- run: npm ci
3939

4040
- run: npm test
4141

.github/workflows/test.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414

1515
- uses: actions/setup-node@v4
1616
with:
17-
node-version: 22
17+
node-version: 24
1818
cache: npm
1919

2020
- run: npm ci

.npmrc

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
# Reject package versions published less than 15 days ago (rolling supply-chain
2+
# cooldown). Requires npm >= 11.10.0
3+
#
4+
# To pull in an urgent fix newer than the window, override for a single run:
5+
# npm install <pkg> --min-release-age=0
6+
# then commit the updated package-lock.json. See README for the policy.
7+
min-release-age=15

README.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -384,6 +384,24 @@ npm run test:all # both
384384
node ./cli/zerion.js --help
385385
```
386386

387+
Development requires **npm >=11.10** (see Supply-chain cooldown below); CI and `npm publish` run on Node 24.
388+
389+
### Supply-chain cooldown
390+
391+
To reduce exposure to npm supply-chain attacks, this repo enforces a **release-age cooldown**: `npm install` will only resolve dependency versions that have been published for at least a fixed number of days. Compromised "fresh" releases are usually detected and unpublished within that window.
392+
393+
The cooldown length is set by `min-release-age` in [`.npmrc`](./.npmrc) — that line is the single source of truth for the window. It requires **npm >=11.10** (older npm silently ignores it); `devEngines` in `package.json` pins npm to that range with `onFail: error`, so an unsupported npm hard-fails instead of quietly skipping the cooldown.
394+
395+
The cooldown only affects version _resolution_ (i.e. updating `package-lock.json`); a plain install from the existing lockfile — including `npm ci` in CI — is unaffected.
396+
397+
**Overriding for an urgent fix.** If you need a security patch newer than the window, bypass it for a single install and commit the result:
398+
399+
```bash
400+
npm install <package>@<version> --min-release-age=0
401+
```
402+
403+
Then commit the updated `package-lock.json` with a note explaining why.
404+
387405
### Contribution guidelines
388406

389407
- Keep examples copy-pasteable.

package.json

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,18 @@
3737
"engines": {
3838
"node": ">=20"
3939
},
40+
"devEngines": {
41+
"runtime": {
42+
"name": "node",
43+
"version": ">=20.10.0",
44+
"onFail": "error"
45+
},
46+
"packageManager": {
47+
"name": "npm",
48+
"version": ">=11.10.0",
49+
"onFail": "error"
50+
}
51+
},
4052
"keywords": [
4153
"zerion",
4254
"ai",

0 commit comments

Comments
 (0)