Skip to content

chore: Enforce Node supply chain protections#20

Merged
Janina Wibker (JaninaWibkerQC) merged 1 commit into
mainfrom
node-dependency-cooldown-fixes
May 20, 2026
Merged

chore: Enforce Node supply chain protections#20
Janina Wibker (JaninaWibkerQC) merged 1 commit into
mainfrom
node-dependency-cooldown-fixes

Conversation

@quant-ranger

@quant-ranger quant-ranger Bot commented May 20, 2026

Copy link
Copy Markdown
Contributor

This PR sets a minimum dependency release age and blocks exotic subdependencies in the configurations of bun, pnpm and npm.

Via those options we delay installing freshly published versions of packages that may have been compromised as part of a supply chain attack.
Exotic subdependencies could hide malicious code, so we block them entirely in pnpm.

If you run into any problems, feel free to ping Jakob Klaushofer (@JakobKlaushoferQC) or Yannik Tausch (@ytausch).

@quant-ranger quant-ranger Bot requested a review from a team as a code owner May 20, 2026 08:53
@JaninaWibkerQC Janina Wibker (JaninaWibkerQC) merged commit 446377c into main May 20, 2026
1 check passed
@JaninaWibkerQC Janina Wibker (JaninaWibkerQC) deleted the node-dependency-cooldown-fixes branch May 20, 2026 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant