chore: supply chain security hardening#893
Open
tewarig wants to merge 1 commit into
Open
Conversation
i-trytoohard
approved these changes
Apr 3, 2026
i-trytoohard
left a comment
Contributor
There was a problem hiding this comment.
Code Review
Scope: 1 file, +2 lines
Verdict: ✅ Approved
What It Does
Adds minimumReleaseAge: 2880 (48 hours) to pnpm-workspace.yaml — prevents pnpm from adopting newly published package versions until they've been out for at least 2 days.
Observations
- Value is correct (2880 min = 48 hrs), consistent with PR description
- No breaking changes — only affects
pnpm updatebehavior, existing lockfile untouched - Good supply chain hygiene for a production package
- Note: Global setting applies to all workspace packages. For urgent security patches, explicitly version-pin to bypass the age gate
No issues found. Clean and minimal.
illegalcall
approved these changes
Apr 3, 2026
13 tasks
polymath-orchestrator
added a commit
to polymath-ventures/agent-orchestrator-old
that referenced
this pull request
Jun 28, 2026
…ream AgentWrapper#893) Folds AgentWrapper#893 into the fork. Delays adopting newly-published package versions by 48h (2880 min) to avoid pulling a freshly-compromised release. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SWB8HhxqmkEtYEJCHZY9dw
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
supply-chain-security-hardening
Since the Composio team is using this package in production, all dependencies should ideally be pinned. Alternatively, since we are using pnpm, we should configure minimumReleaseAge. This ensures that if a newer version of a package is released, we won’t use it until at least 2 days have passed. This helps reduce the risk of adopting versions with undisclosed vulnerabilities.