chore: enforce 7-day supply-chain cooldown on dependencies #87
Open: pofallon wants to merge 1 commit into main from chore/supply-chain-cooldown
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # Supply-chain cooldown: refuse versions published less than 7 days ago so a | ||
| # malicious release has time to be detected/yanked before install. npm has no | ||
| # per-package exclusion, so this applies to all deps. | ||
| min-release-age=7 | ||
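Review bot: the comment on the added lines states "npm has no per-package exclusion, so this applies to all deps", but the review discussion on this PR names a `min-release-age-exclude` option that takes exact names or globs such as `@myorg/*`; check which npm the project runs and either drop that sentence or replace it with the exclusion list you actually want, so the file does not document a limitation that may no longer hold. Two consequences are worth recording next to `min-release-age=7`: a security fix published within the last 7 days is rejected with `ETARGET` by `npm install` and `npm update` (the escape hatch named in the discussion is `--min-release-age=0` on that one command), while `npm ci` installs verbatim from the lockfile and is not governed by this setting at all, so the cooldown only protects resolution, not lockfile-driven CI installs. The PR also pins no minimum npm version; an npm that predates the key cannot enforce the cooldown, so state the required version in the commit message or in the comment block.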
🧩 Analysis chain

🌐 Web query: For npm CLI, does `min-release-age` apply uniformly to all installs/resolutions (including security patch versions), and is there any built-in exception mechanism for security updates?

💡 Result: In the npm CLI (as of June 2026), the `min-release-age` configuration applies to all package installations and resolutions performed by commands that involve dependency resolution, such as `npm install` and `npm update` [1][2][3]. It does not natively distinguish between standard package updates and security patches, meaning it will block recently published security fixes if they fall within the configured "cooldown" period, resulting in an `ETARGET` error [4]. There are two primary ways to manage exceptions for this policy:

1. Explicit bypass via command-line flag: You can override the configuration for specific commands by setting the flag to zero. For example, running `npm install <package-name> --min-release-age=0` will bypass the cooldown period for that specific operation [5][4]. This is commonly used in automated workflows (such as Dependabot) to ensure critical security patches are installed immediately [4].
2. Built-in exclusion mechanism: Recently, npm introduced the `min-release-age-exclude` configuration option [6]. This allows users to define a list of packages (supporting exact names or glob patterns, such as `@myorg/*`) that are exempt from the `min-release-age` policy [7][6]. This provides a structured way to allow trusted packages or internal libraries to bypass the age restriction consistently without needing to manually override the flag for every command [7].

Note that `min-release-age` does not affect `npm ci`, as that command installs packages verbatim from the lockfile without performing new resolution [3]. Additionally, due to how npm handles configuration flattening, `min-release-age` may appear as `null` when checked via `npm config get` if it has been converted into a `before` date for internal use [8][9].

Citations:
- `min-release-age` for `npm ci` (npm/cli#9281)
- `--min-release-age=0` for npm security updates to bypass `.npmrc` (dependabot/dependabot-core#15139)
- `min-release-age` not shown by `npm config ls` (npm/cli#9199)

`min-release-age=7` blocks security patches during `npm install`/`npm update` even when Dependabot overrides it per-PR.

`min-release-age` applies globally to resolution-based commands and does not distinguish between security patches and standard updates. This means `npm install` and `npm update` will reject recently published security fixes within the 7-day window, resulting in an `ETARGET` error—delaying critical patches. (`npm ci` itself is unaffected as it uses the lockfile without resolution.)

While Dependabot can override with `--min-release-age=0` per-PR, consider using the `min-release-age-exclude` configuration option to exempt security-critical packages from the policy, or lower the window for packages with known vulnerability exposure.
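To make the resolution behaviour the review describes concrete, here is an added example that is not part of this PR and not npm's own code: a small Python model of the cooldown rule (skip any version published fewer than N days ago, unless the package matches a `min-release-age-exclude` pattern), run against a constructed registry `time` map. The package names, versions, dates and the fixed "now" are all constructed so it runs offline and reproducibly; `None` stands in for the `ETARGET` error npm raises when no version clears the window.

```python
"""Model of how npm's min-release-age cooldown affects version resolution.

Added example, not npm's own code: it re-implements the rule described in
the review (skip any version published fewer than N days ago unless the
package matches a min-release-age-exclude pattern) against a constructed
registry 'time' map, so the effect on a fresh security patch is visible
offline. Package names, versions and dates below are all constructed.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional

# Fixed "now" so the example is reproducible regardless of when it is run.
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)

# Constructed subset of the registry metadata `npm view <pkg> time --json`
# returns: version -> publish timestamp, plus the non-version keys npm adds.
REGISTRY_TIME: Dict[str, Dict[str, str]] = {
    "example-http-client": {                  # hypothetical package
        "created": "2026-05-01T00:00:00.000Z",
        "modified": "2026-06-13T00:00:00.000Z",
        "1.0.0": "2026-05-01T00:00:00.000Z",  # 45 days old
        "1.0.1": "2026-06-05T00:00:00.000Z",  # 10 days old: clears a 7-day cooldown
        "1.0.2": "2026-06-13T00:00:00.000Z",  # 2 days old: blocked, even if it is a security fix
    },
    "@myorg/internal-lib": {                  # hypothetical scoped package
        "2.3.0": "2026-06-14T12:00:00.000Z",  # 1 day old
    },
}

NON_VERSION_KEYS = {"created", "modified"}


def parse_registry_time(ts: str) -> datetime:
    """Registry timestamps are ISO 8601 with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str):
    """Ordering for plain MAJOR.MINOR.PATCH strings (no prerelease handling)."""
    return tuple(int(part) for part in version.split("."))


def is_excluded(name: str, exclude: Iterable[str]) -> bool:
    """min-release-age-exclude patterns: exact names or globs such as '@myorg/*'."""
    return any(fnmatch(name, pattern) for pattern in exclude)


def eligible_versions(name: str, times: Dict[str, str], min_release_age_days: int,
                      exclude: Iterable[str] = (), now: datetime = NOW) -> List[str]:
    """Versions that satisfy the cooldown (or every version if the package is excluded)."""
    versions = [v for v in times if v not in NON_VERSION_KEYS]
    if is_excluded(name, exclude):
        return versions
    cutoff = now - timedelta(days=min_release_age_days)
    return [v for v in versions if parse_registry_time(times[v]) <= cutoff]


def resolve_latest(name: str, times: Dict[str, str], min_release_age_days: int,
                   exclude: Iterable[str] = (), now: datetime = NOW) -> Optional[str]:
    """Highest version the cooldown allows; None models npm's ETARGET (no matching version)."""
    candidates = eligible_versions(name, times, min_release_age_days, exclude, now)
    return max(candidates, key=version_key) if candidates else None


if __name__ == "__main__":
    for name, times in REGISTRY_TIME.items():
        print(name, "min-release-age=7 ->", resolve_latest(name, times, 7))
        print(name, "min-release-age=0 ->", resolve_latest(name, times, 0))
        print(name, "7 days, exclude @myorg/* ->",
              resolve_latest(name, times, 7, exclude=["@myorg/*"]))
```

With the 7-day window the model resolves `example-http-client` to `1.0.1` and silently skips the two-day-old `1.0.2`, which is exactly the delayed-patch case the review raises; `--min-release-age=0` (the `0` argument) selects `1.0.2`, and the scoped package only resolves when `@myorg/*` is on the exclusion list. The real registry document carries more keys and real version ordering needs a semver library; the model only captures the cutoff and exclusion semantics.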