When installing adaptors through the CLI or Worker, npm will install dependencies according to semver resolution
This gives rise to an attack vector from the supply chain, which we're seeing more and more of
Our own repos are protected with pnpm's minimumReleaseAge. But that doesn't affect the adaptor package versions themselves, or the way we install dependencies in the worker.
But npm does have a min-release-age https://docs.npmjs.com/cli/v11/commands/npm-install#min-release-age
We should be using this on install to ensure that workflow runs are more secure
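As an added illustration (not OpenFn's or npm's code), the script below models what the min-release-age setting linked above changes during semver resolution: the newest version in range is only picked if it has been on the registry for at least N days. The package name, versions and publish dates are constructed, and the caret-range handling is a simplified assumption (no prerelease or 0.x rules).

```javascript
// Added example, not OpenFn's or npm's code: models the decision npm's
// min-release-age setting makes when resolving a dependency range, so the
// effect on adaptor installs can be seen without hitting the registry.

// Constructed registry metadata (a "packument" excerpt). The "time" map is the
// shape the npm registry returns (real responses also carry "created" and
// "modified" keys, omitted here); names, versions and dates are invented.
const packument = {
  name: "example-adaptor-dependency",
  time: {
    "1.2.0": "2025-08-01T00:00:00.000Z",
    "1.2.1": "2025-09-10T00:00:00.000Z",
    "1.2.2": "2025-09-15T12:00:00.000Z", // pushed hours ago, e.g. a hijacked release
    "2.0.0": "2025-09-01T00:00:00.000Z",
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Compare two "x.y.z" strings numerically (assumption: no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret range "^x.y.z" for x >= 1 means >= x.y.z and < (x+1).0.0.
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  const nextMajor = `${Number(base.split(".")[0]) + 1}.0.0`;
  return compareVersions(version, base) >= 0 && compareVersions(version, nextMajor) < 0;
}

// Highest in-range version published at least minAgeDays before `now`;
// null when no version is old enough to be trusted under that policy.
function resolveWithMinAge(pkg, range, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const candidates = Object.entries(pkg.time)
    .filter(([v, published]) => satisfiesCaret(v, range) && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

const now = new Date("2025-09-15T18:00:00.000Z");
console.log(resolveWithMinAge(packument, "^1.2.0", 0, now)); // 1.2.2: default npm behaviour
console.log(resolveWithMinAge(packument, "^1.2.0", 2, now)); // 1.2.1: hours-old release skipped
```

With a two-day window the release that appeared hours ago is passed over in favour of the previous patch, which is the protection the linked min-release-age setting gives an adaptor install.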