fix: switch packageManager devEngines to warn + add minimumReleaseAge (#286)

B4nan · web-flow · commit c0c10147263b · 2026-05-18T12:49:10.000+02:00
Two related supply-chain hygiene changes: **1. `devEngines.packageManager.onFail: error → warn`** pnpm v10 still shells out to system npm for several subcommands (`pnpm version`, `pnpm config`, etc.). This repo also has direct npm invocations in CI: - \`.github/workflows/tests.yaml:137\` — `npm install` - \`.github/workflows/sync_branches.yaml:39\` — `npm i @octokit/rest@release-19.x` - \`.github/workflows/claude-md-maintenance.yml:31\` — `npm install -g @anthropic-ai/claude-code` With `onFail: error` those trip `EBADDEVENGINES`. `warn` keeps the dev-visible signal without blocking. Also pins the version to `10.33.0` for clarity. **2. Add `minimumReleaseAge: 1440` to `pnpm-workspace.yaml`** 24-hour quarantine on new package versions. Mitigates compromised npm packages that get discovered and yanked within the first day (shai-hulud worm, nx self-replicator, etc.). Brings this repo in line with the rest of the pnpm-migrated public repos. Mirrors the rollout in apify/apify-client-js#895 + #896.
diff --git a/package.json b/package.json
@@ -11,15 +11,16 @@
         "typescript": "^6.0.2",
         "vitest": "^4.1.2"
     },
-    "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
+    "packageManager": "pnpm@10.33.4",
     "devEngines": {
         "runtime": {
             "name": "node",
             "onFail": "error"
         },
         "packageManager": {
             "name": "pnpm",
-            "onFail": "error"
+            "version": "10.33.4",
+            "onFail": "warn"
         }
     }
 }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -1,2 +1,7 @@
 packages:
   - execute-workflow
+
+# Supply-chain protection: require packages to be at least 24h old before pnpm will install them.
+# Mitigates compromised npm packages discovered and yanked within the first day (shai-hulud worm,
+# nx self-replicator, etc.). 1440 minutes = 24 hours.
+minimumReleaseAge: 1440

Original file line number	Diff line number	Diff line change
`@@ -11,15 +11,16 @@`
`11`	`11`	`"typescript": "^6.0.2",`
`12`	`12`	`"vitest": "^4.1.2"`
`13`	`13`	`},`
`14`		`- "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",`
	`14`	`+ "packageManager": "pnpm@10.33.4",`
`15`	`15`	`"devEngines": {`
`16`	`16`	`"runtime": {`
`17`	`17`	`"name": "node",`
`18`	`18`	`"onFail": "error"`
`19`	`19`	`},`
`20`	`20`	`"packageManager": {`
`21`	`21`	`"name": "pnpm",`
`22`		`- "onFail": "error"`
	`22`	`+ "version": "10.33.4",`
	`23`	`+ "onFail": "warn"`
`23`	`24`	`}`
`24`	`25`	`}`
`25`	`26`	`}`