Code Review
This pull request updates the .npmrc configuration to increase the minimum-release-age from 25 to 48 hours. Feedback indicates that while this change enhances security against dependency hijacking, it may negatively impact development velocity by delaying access to critical bug fixes, and suggests evaluating if a 24-hour window would provide a better balance.
| audit=true | ||
| block-exotic-subdeps=true | ||
| minimum-release-age=25h | ||
| minimum-release-age=48h |
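Review bot: The new threshold is recorded but the reason for moving from 25h to 48h is not, so a later edit can shorten the window without knowing what it protects against; consider a comment line (`.npmrc` accepts `;` or `#` comments) above `minimum-release-age=48h` stating the intent, for example `; hold new releases 48h to avoid installing freshly published, possibly hijacked versions`, and keeping it next to `audit=true` and `block-exotic-subdeps=true` since all three form the supply-chain policy for this repo.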
Increasing the minimum-release-age to 48 hours is a strong security measure against dependency hijacking, but it may significantly impact development velocity. This setting blocks the installation of any package version released within the last 48 hours, which includes critical bug fixes or security patches from upstream dependencies. Consider if this two-day delay is acceptable for your workflow, or if a 24-hour window (e.g., 24h) would provide a better balance between security and operational agility.
Need help on this PR? Tag @codesmith with what you need.
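To make the trade-off in the review concrete, here is an added illustration (not code from this PR, from npm, or from the review bot) of what a minimum-release-age check does: given the registry's per-version publish timestamps, it excludes every version newer than the cutoff and resolves to the newest remaining one. The packument below is constructed sample data with invented dates, and the exact rules npm applies (which timestamp fields count, interaction with dist-tags, prerelease handling) are not on this page, so this is a simplified reimplementation of the idea rather than npm's own logic.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry "packument" (the JSON a registry returns for a
# package). Only the fields this check needs are present; all dates are invented.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "1.4.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-05-10T08:00:00.000Z",
        "1.2.0": "2024-05-01T10:00:00.000Z",  # 9 days old at NOW
        "1.3.0": "2024-05-09T09:00:00.000Z",  # 27 hours old at NOW
        "1.4.0": "2024-05-10T08:00:00.000Z",  # 4 hours old at NOW
    },
}

# Fixed "current time" so the example is deterministic (constructed, not real).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)

# Keys in the "time" map that are not version numbers.
NON_VERSION_KEYS = {"created", "modified"}


def parse_registry_time(value):
    # Registry timestamps are ISO 8601 with a trailing "Z"; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_key(version):
    # Minimal ordering for plain MAJOR.MINOR.PATCH strings (no prerelease tags).
    return tuple(int(part) for part in version.split("."))


def eligible_versions(packument, min_age_hours, now=NOW):
    """Versions published at least min_age_hours before `now`, newest first."""
    cutoff = now - timedelta(hours=min_age_hours)
    allowed = [
        version
        for version, published in packument["time"].items()
        if version not in NON_VERSION_KEYS and parse_registry_time(published) <= cutoff
    ]
    return sorted(allowed, key=version_key, reverse=True)


def blocked_versions(packument, min_age_hours, now=NOW):
    """Versions that the age gate would refuse to install, oldest first."""
    allowed = set(eligible_versions(packument, min_age_hours, now))
    blocked = [
        version
        for version in packument["time"]
        if version not in NON_VERSION_KEYS and version not in allowed
    ]
    return sorted(blocked, key=version_key)


def newest_eligible(packument, min_age_hours, now=NOW):
    """What an install would resolve to under the given minimum age, or None."""
    allowed = eligible_versions(packument, min_age_hours, now)
    return allowed[0] if allowed else None


if __name__ == "__main__":
    # Compare the windows discussed in the review: 24h, the old 25h and the new 48h.
    for hours in (24, 25, 48):
        print(
            f"minimum-release-age={hours}h -> installs {newest_eligible(SAMPLE_PACKUMENT, hours)}, "
            f"blocks {blocked_versions(SAMPLE_PACKUMENT, hours)}"
        )
```

With this sample, 24h and 25h both resolve to 1.3.0 and block only the 4-hour-old 1.4.0, while 48h also holds back 1.3.0 and falls back to 1.2.0: that second step is exactly the velocity cost the review describes, a fix released 27 hours ago stays uninstallable for almost another day. The same shape of check is useful on the defensive side as a CI assertion that a lockfile contains no version younger than the policy window.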