You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
severity-guidance: Workflow injection → critical. Floating action tags or wide default permissions → high. Lockfile drift without justification → high (runtime/peer dep) or medium (devDep only). Provenance opt-out → medium. Dependency-age bypass → high unless explicitly approved and temporary.
12
12
---
13
13
14
14
# CI / Release Security
@@ -87,6 +87,7 @@ Per AGENTS.md §10 — release commits and annotated tags MUST have a valid sign
87
87
- Registry changes (`registry=` or `@scope:registry=`) — flag any non-`registry.npmjs.org` URL for explicit human review.
88
88
-`always-auth=true` or `_authToken=` committed to the repo — **critical** (credential leak).
89
89
- New `auto-install-peers` / `strict-peer-dependencies` flips — flag as **medium**, surface impact on consumer install behavior.
90
+
- New `minimumReleaseAgeExclude` entries or equivalent pnpm minimum-release-age bypasses — flag as **high** unless the PR includes explicit maintainer approval, a narrowly-scoped emergency reason, and removal before merge. Removing `minimumReleaseAgeStrict` is also **high**. Dependency bump PRs should wait for the configured `minimumReleaseAge` window or pin to the latest eligible version.
Copy file name to clipboardExpand all lines: AGENTS.md
+3-1Lines changed: 3 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -164,14 +164,15 @@ A scannable list of patterns reviewers reject. Most are review-only today (per t
164
164
-**Migration guides on every major**, with codemods where mechanical.
165
165
-**Cantina audit on every major release**, with the public report linked from the CHANGELOG entry. Critical CVEs trigger out-of-band patches.
166
166
-**Pre-release dogfood on every minor:** at least one internal app and one external partner before the `latest` tag flips.
167
+
-**Respect pnpm minimum release age when bumping releases.** Keep `minimumReleaseAgeStrict` enabled and do not add `minimumReleaseAgeExclude` (or equivalent bypasses) to force freshly-published dependencies through dependency bump PRs. If a dependency is too new, wait for the configured `minimumReleaseAge` window or pin to the latest eligible version; emergency bypasses require explicit maintainer approval and must be removed before merge.
- Biome owns style: 2-space indent, organized imports, no unused imports or variables.
176
177
- NodeNext module resolution; relative imports include `.js` (`export * from "./market/index.js"`).
177
178
- Type-only imports where possible (`import type { Address } from "viem"`).
@@ -243,5 +244,6 @@ These are the rules `ci-release-security` enforces. They live here as source of
243
244
-**Dependency hygiene.** New deps in `dependencies` or `peerDependencies` of a published package default to **high** for review. Flag unpinned semver ranges (`^`/`~`) on runtime deps, names that resemble typosquats of known packages, and deps whose registry metadata declares `postinstall` / `preinstall` / `install` scripts.
244
245
-**`.npmrc` hardening.**`always-auth=true` or `_authToken=` committed to the repo is **critical** — credential leak. Non-`registry.npmjs.org``registry=` or `@scope:registry=` lines require explicit human review (could redirect to a malicious registry).
245
246
-**Workspace install behavior.** Flips of `auto-install-peers` or `strict-peer-dependencies` in `.npmrc` or `pnpm-workspace.yaml` are **medium** — surface the impact on consumer install behavior in the review comment.
247
+
-**pnpm minimum-release-age bypasses.**`minimumReleaseAgeExclude` (or equivalent age-check bypasses) in `.npmrc` or `pnpm-workspace.yaml` are **high** unless the PR includes explicit maintainer approval, a narrowly-scoped emergency reason, and removal before merge. Removing `minimumReleaseAgeStrict` is also **high**. Dependency bump PRs should wait for the configured `minimumReleaseAge` window or pin to the latest eligible version.
246
248
247
249
> Applied by persona: [`ci-release-security`](./.agents/personas/ci-release-security.md).
0 commit comments