chore: add minimum release age (4320m) for supply-chain security#482
Merged
Conversation
Adds a minimum release age setting so freshly published package versions must age before they can be installed. This reduces exposure to compromised packages published as part of supply-chain attacks.
bab4379
approved these changes
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pre Summary Summary
I needed to bump the pnpm version, and VitePress wouldn't build.
Rather than fix that, I moved it to our pretty new Starlight theme. That is why this is huge.
Summary
Adds a minimum release age setting so that freshly published package versions must age before they can be installed.
This is a supply-chain security measure that reduces exposure to compromised packages that rely on rapid automated
consumption before detection or takedown.
Details
For this to work, the project must be using a recent version of its package manager. Please manually verify what
version is being used by developers and GitHub Actions.
This is challenging to automatically detect, since in many cases, there is no version specified or differing
versions between pipelines and developers.
minimumReleaseAgeinpnpm-workspace.yamlnpmMinimalAgeGatein.yarnrc.ymlmin-release-agein.npmrcImpact
The repository should not experience any significant differences: new versions of packages will not be selected when
running an
updatecommand until 24 hours have passed. For the most part, updates come from Dependabot, which alreadyadds a delay.
The major difference is, in cases where you have just released a new version of a package and want to pull it in
as a dependency, an extra step is needed to bypass the age gate:
minimumReleaseAgeExcludenpmPreapprovedPackagesReferences