chore(deps): enforce 24h minimum release age #13998
Adds pnpm's minimumReleaseAge (1440 minutes) so neither local installs nor CI will accept a package version younger than 24 hours, mitigating fast-yanked supply-chain attacks. workerd and @cloudflare/workers-types are excluded so first-party updates can land same-day. Also adds a matching cooldown to the C3 framework Dependabot group so it doesn't open PRs that CI would then reject. The miniflare group is restricted via 'allow' to the excluded packages, so it needs no cooldown.
The changes are clean and correct. Let me verify my understanding:
The logic is consistent between both files. The configuration keys are valid for pnpm and Dependabot respectively. The exemptions correctly target the same two packages in both places. No logic bugs, no security issues, no backward compatibility concerns. LGTM
The @cloudflare/workerd-{darwin,linux,windows}-* packages are pulled in as optional deps of workerd and are published in lock-step with it, so they need the same exemption.
The retry/throw paths previously only logged the Error.message, which hid the actual stderr from the failing subcommand (e.g. pnpm install). This change includes captured stdout and stderr in both the debug log for retries and the thrown error for terminal failures, so CI logs contain enough detail to diagnose failures.
The workspace pnpm-workspace.yaml sets minimumReleaseAge: 1440 (24h) as a supply-chain guard. E2E fixtures install packages from the mock npm registry seconds after they were published, so pnpm rejects them with ERR_PNPM_NO_MATURE_MATCHING_VERSION. Override the setting in the registry's .npmrc (which is set as NPM_CONFIG_USERCONFIG) so seeded fixture installs are not subject to the constraint.
Broaden the minimumReleaseAgeExclude list to cover every package we publish from this monorepo (@cloudflare/*, wrangler, miniflare, workerd). The previous narrower list (workerd, @cloudflare/workerd-*, @cloudflare/workers-types) didn't cover packages like @cloudflare/vite-plugin or wrangler, which the vite-plugin E2E suite installs from a local mock npm registry seconds after publishing — causing ERR_PNPM_NO_MATURE_MATCHING_VERSION in CI. The .npmrc-based attempt in mock-npm-registry has been removed; pnpm only reads auth and registry settings from .npmrc, so minimum-release-age keys there are silently ignored.
The stderr-surfacing change was only added to diagnose the CI failure. Now that the cause is fixed (broadened minimumReleaseAgeExclude), revert to the original behavior.
This reverts commit e71d163.
When pnpm run executes a script, it exports npm_config_minimum_release_age from the workspace pnpm-workspace.yaml into the subprocess environment. However it does NOT export the matching minimumReleaseAgeExclude array, so any pnpm/npm install spawned from those scripts inherits a 24h cooldown without the exemptions. Tests that use this mock registry install our own first-party packages within seconds of publishing them to the local registry, so the cooldown rejects them with ERR_PNPM_NO_MATURE_MATCHING_VERSION even though those packages are listed in minimumReleaseAgeExclude. Override the env var to '0' for the lifetime of the mock registry. The override is reverted in the returned stop() function.
Instead of disabling the cooldown entirely, set the exclude list to match the workspace's minimumReleaseAgeExclude: the packages we publish to the mock registry, plus workerd and its platform binaries (pulled in transitively via miniflare). The 24h cooldown still applies to all other third-party deps that fixtures pull from the public registry via uplinks. pnpm reads the comma-separated env var the same way it reads the workspace array, so this restores parity with pnpm-workspace.yaml.
…ypes The broader @cloudflare/*, wrangler, miniflare entries were added to work around fixture install failures. That's now handled inside mock-npm-registry via an env-var override, so the workspace list can be tightened back to just the packages that genuinely need same-day adoption (workerd, its platform binaries, and @cloudflare/workers-types which is published in lock-step).
Match the workspace's minimumReleaseAgeExclude entries: workers-types is pulled in transitively (e.g. via wrangler/miniflare) and can be bumped same-day in lock-step with workerd.
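The commit messages above describe two behaviours of the cooldown that are worth seeing side by side: a package whose only versions are younger than the minimum age fails with ERR_PNPM_NO_MATURE_MATCHING_VERSION, while a package on the exclude list (given either as the workspace array or as the comma-separated env-var form) is resolved without any age check. The following is an added illustration written for this thread, not code from pnpm or workers-sdk; it assumes registry metadata in the usual packument shape (a `time` map of version to ISO publish timestamp, plus the `created`/`modified` keys), treats exclude entries as exact names or a trailing-`*` prefix glob, and uses a simplified numeric version comparison. The package names, timestamps and the SAMPLE_REGISTRY object are constructed.

```javascript
// Added example: models the "minimum release age" rule that pnpm's
// minimumReleaseAge / minimumReleaseAgeExclude settings apply. Not pnpm's
// implementation; assumptions are noted inline.

const MINUTE_MS = 60 * 1000;

// Constructed registry metadata; timestamps are relative to NOW below.
const NOW = Date.parse("2025-01-10T12:00:00Z");
const SAMPLE_REGISTRY = {
  "left-pad-ish": {
    time: {
      created: "2024-12-01T00:00:00Z",
      modified: "2025-01-10T11:30:00Z",
      "1.0.0": "2024-12-01T00:00:00Z", // 40 days old
      "1.0.1": "2025-01-05T00:00:00Z", // 5.5 days old
      "1.0.2": "2025-01-10T11:30:00Z", // 30 minutes old
    },
  },
  workerd: {
    time: {
      "1.20250101.0": "2025-01-01T00:00:00Z",
      "1.20250110.0": "2025-01-10T11:00:00Z", // 1 hour old
    },
  },
  "@cloudflare/workerd-linux-64": {
    time: { "1.20250110.0": "2025-01-10T11:00:00Z" }, // 1 hour old
  },
  "just-published": {
    time: { "0.1.0": "2025-01-10T11:59:00Z" }, // only version is 1 minute old
  },
};

// Same entries as the workspace list discussed in this PR.
const WORKSPACE_EXCLUDE = [
  "workerd",
  "@cloudflare/workerd-*",
  "@cloudflare/workers-types",
];

// Accepts the workspace array form or the comma-separated env-var form
// (npm_config_minimum_release_age_exclude) and normalises to an array.
function parseExcludeList(value) {
  if (Array.isArray(value)) return value;
  if (typeof value !== "string" || value.trim() === "") return [];
  return value.split(",").map((s) => s.trim()).filter(Boolean);
}

// Assumption: an entry is an exact name or a prefix glob ending in "*".
function matchesExclude(name, patterns) {
  return patterns.some((p) =>
    p.endsWith("*") ? name.startsWith(p.slice(0, -1)) : name === p
  );
}

// Numeric dotted-version comparison; enough for the constructed data above
// (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Picks the newest version published at least `minimumReleaseAge` minutes
// before `now`, unless the package name is on the exclude list, in which case
// every version is eligible (the exclusion is per package, not per version).
function resolveVersion(name, registry, opts) {
  const { minimumReleaseAge, exclude = [], now = Date.now() } = opts;
  const packument = registry[name];
  if (!packument) throw new Error(`unknown package ${name}`);
  const exempt = matchesExclude(name, parseExcludeList(exclude));
  const cutoff = now - minimumReleaseAge * MINUTE_MS;
  const mature = Object.entries(packument.time)
    .filter(([v]) => v !== "created" && v !== "modified")
    .filter(([, published]) => exempt || Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  if (mature.length === 0) {
    return { error: "ERR_PNPM_NO_MATURE_MATCHING_VERSION" };
  }
  return { version: mature[mature.length - 1] };
}

// Walk the constructed registry with the 24h setting and the workspace list.
for (const name of Object.keys(SAMPLE_REGISTRY)) {
  const result = resolveVersion(name, SAMPLE_REGISTRY, {
    minimumReleaseAge: 1440,
    exclude: WORKSPACE_EXCLUDE,
    now: NOW,
  });
  console.log(name, "->", result.version || result.error);
}
```

Because the exclusion is keyed on the package name rather than on a version, an excluded package loses the cooldown for all of its releases, which is why the later commits tighten the workspace list back to the packages that genuinely need same-day adoption instead of leaving the broad @cloudflare/* entry in place.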
| const revert_npm_config_minimum_release_age_exclude = overrideProcessEnv( | ||
| "npm_config_minimum_release_age_exclude", | ||
| [ | ||
| ...pkgs.keys(), | ||
| // workerd and @cloudflare/workers-types are pulled in transitively | ||
| // (e.g. via miniflare) and may have been bumped same-day. Keep this | ||
| // list in sync with `minimumReleaseAgeExclude` in pnpm-workspace.yaml. | ||
| "workerd", | ||
| "@cloudflare/workerd-*", | ||
| "@cloudflare/workers-types", | ||
| ].join(",") | ||
| ); |
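Review bot: the three literal entries appended after `...pkgs.keys()` duplicate the workspace `minimumReleaseAgeExclude` array with only a comment asking that they be kept in sync, so drift between the two lists would surface only as a fixture install failing with ERR_PNPM_NO_MATURE_MATCHING_VERSION in CI. Consider reading the array from pnpm-workspace.yaml when the mock registry starts, or exporting the list from one shared module that both places import, so there is a single source of truth and a change to the workspace list cannot silently leave the env-var override behind.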
For keeping this in sync with the workspace settings, I assume that we can just rely on the CI jobs failing when they get out of sync?
Yeah. I wouldn't really expect this to need changing. It's a result of letting dependabot update workerd straight away each day.
workers-devprod left a comment: Codeowners reviews satisfied
Adds pnpm's minimumReleaseAge (1440 minutes) so neither local installs nor CI accept package versions less than 24 hours old, narrowing the window for fast-yanked supply-chain attacks. Adds a matching cooldown to the C3 framework Dependabot group so it doesn't open PRs CI would then reject. workerd and @cloudflare/workers-types are exempted in both places so first-party updates land same-day. The miniflare Dependabot group is restricted via allow to those two packages, so it needs no cooldown.