
docs: add --min-release-age as supply chain mitigation#73

Open
nmanthey wants to merge 1 commit into
nodejs:mainfrom
nmanthey:supply-chain-min-release-age

Conversation

@nmanthey

Add dependency cooldown (--min-release-age, npm v11.10.0+) to the
supply chain attack mitigations in the security best practices guide.
Recommend a 1-day cooldown as the minimum effective value.

Every major npm supply chain incident in 2025-2026 had an exposure
window well under 24 hours, making even a 1-day delay sufficient:

- Nx/s1ngularity (Aug 2025): ~4-5h window
  https://nx.dev/blog/s1ngularity-postmortem
- Shai-Hulud (Sep 2025): hours before detection
  https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
- axios (Mar 2026): ~2-3h window, 100M weekly downloads
  https://workos.com/blog/axios-npm-supply-chain-attack
- TanStack (May 2026): ~30 min window, 42 packages
  https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

Other projects also propose cooldown as a mitigation:

pnpm 11 ships with minimumReleaseAge enabled by default (1 day):
https://pnpm.io/blog/releases/11.0

StepSecurity Secure Registry offers a configurable cooldown and
confirmed their customers were unaffected during the May 2026
@AntV compromise:
https://www.stepsecurity.io/blog/introducing-secure-registry-install-time-defense-for-the-npm-supply-chain

Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
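As an added example (not code from the PR, npm or pnpm), the following Node.js script simulates what a cooldown-aware resolver does with a registry packument's `time` map: versions published less than `minAgeDays` ago are hidden and the newest remaining one is selected. The `exceptions` list is an assumption standing in for the urgent-security-fix override the guide discusses, and the timestamps are constructed to mirror the sub-24h exposure windows listed in the commit message.

```javascript
// Added example (not from the PR, npm or pnpm): minimal dependency-cooldown
// simulation over a constructed packument "time" map (version -> publish
// timestamp). "2.1.0" plays the role of a release pushed by a compromised
// account a few hours before the install runs.
const SAMPLE_TIMES = {
  '2.0.0': '2026-05-10T12:00:00.000Z',
  '2.0.1': '2026-05-15T09:30:00.000Z',
  '2.1.0': '2026-05-20T03:10:00.000Z',
};

// Install attempted roughly 3 hours after 2.1.0 was published (constructed).
const NOW = new Date('2026-05-20T06:00:00.000Z');

// Parse "major.minor.patch"; prerelease/tagged versions return null and are
// skipped (assumption: they would fall under a separate policy).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// eligible: versions at least minAgeDays old at `now`, or explicitly listed
// in `exceptions` (assumed override for urgent fixes). selected: the newest
// eligible version, or null when the cooldown hides every version.
function applyCooldown(times, minAgeDays, now, exceptions = []) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  const known = Object.keys(times).filter((v) => parseVersion(v) !== null);
  const eligible = known
    .filter((v) => exceptions.includes(v) || Date.parse(times[v]) <= cutoff)
    .sort(compareVersions);
  const blocked = known.filter((v) => !eligible.includes(v));
  const selected = eligible.length ? eligible[eligible.length - 1] : null;
  return { eligible, blocked, selected };
}

console.log('1-day cooldown:', applyCooldown(SAMPLE_TIMES, 1, NOW));
console.log('with override:', applyCooldown(SAMPLE_TIMES, 1, NOW, ['2.1.0']));
```

With a 1-day cooldown the just-published 2.1.0 is blocked and 2.0.1 is selected; with no cooldown or with 2.1.0 listed as an exception, 2.1.0 is selected.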
@vercel

vercel Bot commented May 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| nodejs-learn | Ready | Preview | May 20, 2026 5:55am |


@cursor

cursor Bot commented May 20, 2026

PR Summary

Low Risk
Low risk: documentation-only change that adds a new recommended npm configuration flag and link; no runtime or behavioral code changes.

Overview
Updates the security best practices guide’s supply-chain mitigations to recommend a dependency “cooldown” using npm’s --min-release-age/min-release-age (npm v11.10.0+), including a sample config, rationale, and guidance for overriding it when applying urgent security fixes.

Adds a new reference link target for min-release-age in the document.

Reviewed by Cursor Bugbot for commit 94ca847. Bugbot is set up for automated code reviews on this repo. Configure here.

@github-actions

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/security-wg

Please review the changes when you have a chance. Thank you! 🙏
