Skip to content

chore: add minimum release age (4320m) for supply-chain security#482

Merged
nie7321 merged 9 commits into
developfrom
chore/add-minimum-release-age
Mar 31, 2026
Merged

chore: add minimum release age (4320m) for supply-chain security#482
nie7321 merged 9 commits into
developfrom
chore/add-minimum-release-age

Conversation

@nie7321

@nie7321 nie7321 commented Mar 31, 2026

Copy link
Copy Markdown
Member

Pre Summary Summary

I needed to bump the pnpm version, and VitePress wouldn't build.

Rather than fix that, I moved it to our pretty new Starlight theme. That is why this is huge.

Summary

Adds a minimum release age setting so that freshly published package versions must age before they can be installed.

This is a supply-chain security measure that reduces exposure to compromised packages that rely on rapid automated
consumption before detection or takedown.

Details

For this to work, the project must be using a recent version of its package manager. Please manually verify what
version is being used
by developers and GitHub Actions.

This is challenging to automatically detect, since in many cases, there is no version specified or differing
versions between pipelines and developers.

Package Manager Minimum Package Manager Version Setting Value
pnpm v10 minimumReleaseAge in pnpm-workspace.yaml 4320 minutes
yarn (Berry) v4.10 npmMinimalAgeGate in .yarnrc.yml 4320 minutes
npm v11 min-release-age in .npmrc 4320 minutes

Impact

The repository should not experience any significant differences: new versions of packages will not be selected when
running an update command until 24 hours have passed. For the most part, updates come from Dependabot, which already
adds a delay.

The major difference is, in cases where you have just released a new version of a package and want to pull it in
as a dependency, an extra step is needed to bypass the age gate:

References

Adds a minimum release age setting so freshly published package versions
must age before they can be installed. This reduces exposure to
compromised packages published as part of supply-chain attacks.
@nie7321 nie7321 requested a review from a team as a code owner March 31, 2026 18:26
@github-actions

github-actions Bot commented Mar 31, 2026

Copy link
Copy Markdown

Test Results

894 tests  ±0   894 ✅ ±0   41s ⏱️ -1s
125 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 9b7b366. ± Comparison against base commit 75f2648.

♻️ This comment has been updated with latest results.

@coveralls

Copy link
Copy Markdown

Coverage Status

coverage: 94.075%. remained the same
when pulling 2ca2446 on chore/add-minimum-release-age
into 75f2648 on develop.

@coveralls

coveralls commented Mar 31, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 94.075%. remained the same
when pulling 9b7b366 on chore/add-minimum-release-age
into 75f2648 on develop.

@nie7321 nie7321 merged commit 59564e8 into develop Mar 31, 2026
5 checks passed
@nie7321 nie7321 deleted the chore/add-minimum-release-age branch March 31, 2026 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants