Add supply chain security policy with npm cooldown

[tjackiet]

Summary

Establish a supply chain security policy to mitigate risks from newly published npm packages by implementing a 7-day cooldown period before automatic dependency updates.

Changes

• CONTRIBUTING.md (new): Comprehensive contribution guide documenting the cooldown policy, rationale (referencing past supply chain attacks), and operational details

  • Explains the two-layer defense: .npmrc for local/CI installs and Dependabot configuration for automated PRs
  • Clarifies that npm ci is unaffected and security updates bypass cooldown
  • Provides instructions for npm version requirements (11.10.0+) and emergency patch procedures

• .npmrc (new): Configures min-release-age=7 to prevent npm from resolving packages published less than 7 days ago

  • Includes warnings about npm version compatibility and references CONTRIBUTING.md for details

• .github/dependabot.yml (new): Configures Dependabot with cooldown periods

  • npm dependencies: 7-day default cooldown for minor/patch, 14-day for major updates
  • GitHub Actions: 7-day cooldown for consistency
  • Security updates remain unaffected per Dependabot design

Implementation Details

• The policy provides a grace period for community and automated security tools to detect and report malicious packages before they're automatically adopted
• Cooldown is applied at two layers: dependency resolution (npm) and automated update proposals (Dependabot)
• Clear documentation of exceptions (security patches, emergency procedures) and operational requirements (npm version)

https://claude.ai/code/session_019KsGHZUVwcvbhwi1tVebCH

Summary by CodeRabbit

• Chores

  • Configured automated weekly dependency update checks (npm and GitHub Actions), limited open PRs, grouped minor/patch updates, and added cooldowns for npm updates with extended delay for major bumps; action updates omitted cooldown for manual review.

• Documentation

  • Added contributor guidelines describing a 7‑day cooldown for new npm releases via npm config (supply‑chain precaution), npm version requirement, CI exclusions, security exceptions, and emergency procedures for bypassing the cooldown.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a3734d7d-b946-425c-a6df-99db9c9e17c5

📥 Commits

Reviewing files that changed from the base of the PR and between c730a58 and 86a2b62.

📒 Files selected for processing (2)

• .github/dependabot.yml
• CONTRIBUTING.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• bitbankinc/bitbank-api-docs (manual)

✅ Files skipped from review due to trivial changes (1)

• CONTRIBUTING.md

---

📝 Walkthrough

Walkthrough

Adds a supply‑chain cooldown: .npmrc enforces min-release-age=7, Dependabot is configured for weekly npm and GitHub Actions updates with matching cooldown settings, and CONTRIBUTING.md documents constraints, security exceptions, and emergency procedures.

Changes

Supply-chain security cooldown policy

Layer / File(s)	Summary
Cooldown configuration for local, CI, and Dependabot ​.npmrc, .github/dependabot.yml	.npmrc sets min-release-age=7 to exclude packages published within 7 days from npm install/npm update. .github/dependabot.yml schedules weekly checks for npm and github-actions, limits open PRs, groups npm minor/patch updates, and applies cooldown/semver-major timing for npm updates.
Cooldown policy, constraints, and emergency procedures CONTRIBUTING.md	Documents the 7‑day cooldown model, maps local min-release-age to Dependabot cooldown, notes npm >= 11.10.0 requirement, clarifies npm ci and security/CVE exceptions, and defines emergency patching workflows requiring PR justification.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit counts seven days with care,
Hopping round releases fresh in air,
.npmrc waits, Dependabot too,
Safety first before code is new,
Emergency paths kept bright and fair.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: introducing a supply chain security policy with npm cooldown. It directly aligns with the core objective of implementing cooldown periods for newly published npm packages.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/npm-cooldown

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

CONTRIBUTING.md (1)

41-45: ⚡ Quick win

Consider adding a checklist or template for emergency bypass PRs.

The emergency procedures require PR descriptions to explain "why the normal cooldown is not being waited out." To ensure consistency and completeness, consider creating a PR template or checklist that includes:

• Rationale for bypassing cooldown
• Security assessment performed
• Alternative mitigations applied (e.g., --ignore-scripts)

📋 Example PR template snippet

## Emergency Cooldown Bypass

- [ ] Justification: [Describe why waiting 7 days is not feasible]
- [ ] Security review: [Steps taken to verify the package is safe]
- [ ] Mitigation: [Any additional safeguards applied, e.g., --ignore-scripts]
- [ ] Rollback plan: [How to revert if issues are discovered]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTRIBUTING.md` around lines 41 - 45, Add a small emergency-bypass PR
checklist/template to the CONTRIBUTING.md near the guidance that PR descriptions
must explain “why the normal cooldown is not being waited out”; create a titled
snippet (e.g., "Emergency Cooldown Bypass") that lists required items:
justification, security assessment, mitigation steps (like --ignore-scripts),
and rollback plan so authors must fill them when submitting such PRs; ensure the
CONTRIBUTING.md text references and links to this template/checklist so
reviewers can verify completeness.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 32-33: The dependabot config incorrectly sets the cooldown key
under the github-actions ecosystem; remove the cooldown: default-days: 7 entry
from the github-actions section (or relocate it to a supported ecosystem or
global config) so Dependabot no longer rejects/ignores updates for
github-actions; look for the cooldown key and the github-actions ecosystem
identifier in .github/dependabot.yml and delete or move that cooldown setting
accordingly.

In @.npmrc:
- Line 5: The .npmrc entry "min-release-age=7" requires npm >= 11.10.0 and npm's
"npm config get min-release-age" may print "null" even on supported versions
because npm normalizes the setting internally; update the repository
documentation and the .npmrc header to state the minimum supported npm version
(>=11.10.0), the intended behavior of min-release-age, and the reason "npm
config get" can show null, and add a quick CI/preinstall check (e.g., a script
referenced by package.json like "check-npm-version" or a preinstall hook) that
fails with a clear message if npm --version is older than 11.10.0 so the setting
is not silently ignored.

---

Nitpick comments:
In `@CONTRIBUTING.md`:
- Around line 41-45: Add a small emergency-bypass PR checklist/template to the
CONTRIBUTING.md near the guidance that PR descriptions must explain “why the
normal cooldown is not being waited out”; create a titled snippet (e.g.,
"Emergency Cooldown Bypass") that lists required items: justification, security
assessment, mitigation steps (like --ignore-scripts), and rollback plan so
authors must fill them when submitting such PRs; ensure the CONTRIBUTING.md text
references and links to this template/checklist so reviewers can verify
completeness.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8ca5dd67-f620-41fd-a270-7e0aabe2a2aa

📥 Commits

Reviewing files that changed from the base of the PR and between 41944c9 and c730a58.

📒 Files selected for processing (3)

• .github/dependabot.yml
• .npmrc
• CONTRIBUTING.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• bitbankinc/bitbank-api-docs (manual)