Skip to content

chore: supply chain security hardening#893

Open
tewarig wants to merge 1 commit into
AgentWrapper:mainfrom
tewarig:chore/supply-chain-security-hardening
Open

chore: supply chain security hardening#893
tewarig wants to merge 1 commit into
AgentWrapper:mainfrom
tewarig:chore/supply-chain-security-hardening

Conversation

@tewarig

@tewarig tewarig commented Apr 3, 2026

Copy link
Copy Markdown

supply-chain-security-hardening

Since the Composio team is using this package in production, all dependencies should ideally be pinned. Alternatively, since we are using pnpm, we should configure minimumReleaseAge. This ensures that if a newer version of a package is released, we won’t use it until at least 2 days have passed. This helps reduce the risk of adopting versions with undisclosed vulnerabilities.

@tewarig tewarig changed the title chore: supply-chain-security-hardening chore: supply chain security hardening Apr 3, 2026

@i-trytoohard i-trytoohard left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Scope: 1 file, +2 lines
Verdict: ✅ Approved

What It Does

Adds minimumReleaseAge: 2880 (48 hours) to pnpm-workspace.yaml — prevents pnpm from adopting newly published package versions until they've been out for at least 2 days.

Observations

  • Value is correct (2880 min = 48 hrs), consistent with PR description
  • No breaking changes — only affects pnpm update behavior, existing lockfile untouched
  • Good supply chain hygiene for a production package
  • Note: Global setting applies to all workspace packages. For urgent security patches, explicitly version-pin to bypass the age gate

No issues found. Clean and minimal.

polymath-orchestrator added a commit to polymath-ventures/agent-orchestrator-old that referenced this pull request Jun 28, 2026
…ream AgentWrapper#893)

Folds AgentWrapper#893 into the fork. Delays adopting
newly-published package versions by 48h (2880 min) to avoid pulling a
freshly-compromised release.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SWB8HhxqmkEtYEJCHZY9dw
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants