
Add minimumReleaseAge to pnpm-workspace.yaml #865

Merged: danditomaso merged 2 commits into main from danditomaso-patch-1, Sep 26, 2025

Conversation

@danditomaso (Collaborator)
Description

This is an important addition to protect our software from any sort of supply chain attack. This feature was recently released in pnpm 10.17.x

Checklist

  • [x] Code follows project style guidelines
  • Documentation has been updated or added
  • Tests have been added or updated
  • All i18n translation labels have been added (read
    CONTRIBUTING_I18N_DEVELOPER_GUIDE.md for more details)


Copilot AI (Contributor) left a comment

Pull Request Overview

Adds a minimumReleaseAge configuration to the pnpm workspace to protect against supply chain attacks by requiring package dependencies to be at least 2 days old before they can be installed.

  • Introduces a security measure that prevents installation of newly published packages for 48 hours
  • Leverages a feature from pnpm 10.17.x to enhance supply chain security


@philon- (Contributor) commented Sep 26, 2025

Should we add minimumReleaseAgeExclude for protobufs?

@danditomaso (Collaborator, Author)

Should we add minimumReleaseAgeExclude for protobufs?

Good point, there is a regex filter we can use to exclude them and our own libraries from this check.
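The Copilot overview above describes the setting as a 48-hour quarantine on newly published versions, and the exchange that follows raises excluding the workspace's own packages (and protobuf libraries) from that check. The script below is an added example, not pnpm's implementation and not code from this repository: it simulates the effect of `minimumReleaseAge` (pnpm expresses it in minutes, so 2 days is 2880) and `minimumReleaseAgeExclude` against the `time` map that an npm registry packument carries. The settings values, the `@acme/*` scope, the package names and all timestamps are constructed for the example, and the pattern matcher only supports an exact name or a trailing `*`, which is an assumption rather than pnpm's actual matching rules.

```javascript
// Added example: a simulation of how pnpm's minimumReleaseAge and
// minimumReleaseAgeExclude settings gate version selection. This is not pnpm's
// own code; settings, patterns and registry data below are constructed.

const MINUTE_MS = 60 * 1000;

// Settings mirroring the pnpm-workspace.yaml keys. The values are assumptions,
// not the ones merged in this PR:
//   minimumReleaseAge: 2880            # minutes; 2 days
//   minimumReleaseAgeExclude:
//     - "@acme/*"                       # the workspace's own scope
//     - "protobufjs"
const SETTINGS = {
  minimumReleaseAge: 2880,
  minimumReleaseAgeExclude: ["@acme/*", "protobufjs"],
};

// Minimal pattern matcher: exact name, or a prefix ending in "*".
// (Assumption: pnpm's real matching accepts richer patterns.)
function matchesPattern(name, pattern) {
  if (pattern.endsWith("*")) return name.startsWith(pattern.slice(0, -1));
  return name === pattern;
}

function isExcluded(name, excludePatterns) {
  return excludePatterns.some((p) => matchesPattern(name, p));
}

// Numeric compare of x.y.z strings; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A registry packument's `time` map holds version -> ISO publish timestamp,
// plus the non-version keys "created" and "modified".
function publishedVersions(packument) {
  return Object.keys(packument.time).filter(
    (k) => k !== "created" && k !== "modified",
  );
}

// Versions published at least `minAgeMinutes` before `now`.
function eligibleVersions(packument, minAgeMinutes, now) {
  const cutoff = now.getTime() - minAgeMinutes * MINUTE_MS;
  return publishedVersions(packument).filter(
    (v) => Date.parse(packument.time[v]) <= cutoff,
  );
}

// Pick the newest version the settings allow, or null when every version is
// still inside the quarantine window (the install should then fail to resolve
// rather than silently take the fresh release).
function resolveVersion(packument, settings, now) {
  const candidates = isExcluded(packument.name, settings.minimumReleaseAgeExclude)
    ? publishedVersions(packument)
    : eligibleVersions(packument, settings.minimumReleaseAge, now);
  if (candidates.length === 0) return null;
  return [...candidates].sort(compareVersions)[candidates.length - 1];
}

// Constructed sample data: the install runs on 2025-09-26 and the registry
// shows a release pushed six hours earlier, the kind of window in which a
// hijacked maintainer account publishes a malicious version.
const NOW = new Date("2025-09-26T18:00:00Z");

const SAMPLE_TIME = {
  created: "2024-01-10T09:00:00Z",
  modified: "2025-09-26T12:00:00Z",
  "1.4.0": "2025-09-01T10:00:00Z",
  "1.4.1": "2025-09-20T10:00:00Z",
  "1.4.2": "2025-09-26T12:00:00Z", // 6 hours old: inside the 48 h window
};

const THIRD_PARTY = { name: "some-lib", time: SAMPLE_TIME }; // gated
const OWN_PACKAGE = { name: "@acme/ui", time: SAMPLE_TIME }; // excluded
const FRESH_ONLY = {
  name: "brand-new",
  time: {
    created: "2025-09-26T12:00:00Z",
    modified: "2025-09-26T12:00:00Z",
    "0.1.0": "2025-09-26T12:00:00Z",
  },
};

console.log(resolveVersion(THIRD_PARTY, SETTINGS, NOW)); // 1.4.1
console.log(resolveVersion(OWN_PACKAGE, SETTINGS, NOW)); // 1.4.2
console.log(resolveVersion(FRESH_ONLY, SETTINGS, NOW)); // null
```

Two things worth noticing when reading the output: the gated package falls back to the previous release rather than failing, which is the whole point of the setting, and a brand-new package with no version older than the window cannot be resolved at all, so a project adopting this needs to expect that failure mode when it adds a dependency that was just published.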

Allow our own packages to be installed without any freshness check.
@danditomaso danditomaso merged commit 86622f8 into main Sep 26, 2025
4 checks passed
@danditomaso danditomaso deleted the danditomaso-patch-1 branch September 26, 2025 22:34

3 participants