ci: add 2-day npm supply-chain cooldown (min-release-age) #291
Merged
Conversation
Add `min-release-age=2` to .npmrc so npm will not resolve any dependency version published less than 2 days ago. This gives the ecosystem time to detect and unpublish a malicious release before it can be pinned into our lockfile, the propagation vector behind recent self-replicating npm worms. npm consumes this at config-load time and derives `before = now - 2 days`, so it filters resolution only: `npm install` / `npm update` and Dependabot bumps won't pick a brand-new version. `npm ci` is unaffected (verified via dry-run: byte-identical install plan), since it installs already-resolved versions straight from package-lock.json.
Why

Follow-up supply-chain hardening after #290. Adds a publication "cooldown" so npm will not resolve any dependency version that was published less than 2 days ago. This gives the ecosystem time to detect and unpublish a malicious release before it can be pinned into our lockfile, the propagation path behind the recent self-replicating npm worms.

What

One line in `.npmrc`:

```ini
min-release-age=2
```

The value is in days.

How it behaves

- npm reads `min-release-age` at config-load time and derives `before = now - 2 days`, recomputed on every invocation (a rolling window, not a frozen date).
- `npm install` / `npm update` and Dependabot-style bumps won't pick a brand-new version.
- `npm ci` is unaffected, verified with a dry-run producing a byte-identical install plan with and without the setting, because it installs already-resolved versions straight from `package-lock.json`. All three CI jobs use `npm ci`, so CI behavior does not change.
- Exclusive rule between `min-release-age` and `before`: we only set `min-release-age` and npm derives `before` itself.

Operational note

The 2-day window can occasionally make `npm install <brand-new-package>` or a same-day `npm update` fail to resolve until the version ages past the cutoff. The fix is a one-off `--min-release-age=0` (or `--before=""`) on that single command, not a config change.
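The rolling-window resolution described in the PR body, as an added example that is not part of this PR or of npm's own code: a small Node.js script that applies a `min-release-age` cutoff to a packument's `time` map (the shape that `npm view <pkg> time --json` returns) and picks the newest version that is old enough. The publish dates and the fixed "now" below are constructed for illustration; the model is deliberately simplified (plain x.y.z versions only, no semver ranges, prereleases or `before` handling), so it shows the filtering rule, not npm's full resolver.

```javascript
// Added example (not from the PR): simulate npm's min-release-age filter over a
// packument "time" map. All registry data here is CONSTRUCTED, not real.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample: version -> ISO publish time, plus npm's created/modified keys.
const sampleTimes = {
  created: "2023-01-01T00:00:00.000Z",
  modified: "2025-09-15T10:00:00.000Z",
  "1.0.0": "2023-01-01T00:00:00.000Z",
  "1.1.0": "2024-06-10T12:00:00.000Z",
  "1.2.0": "2025-09-13T09:00:00.000Z", // just over 2 days old at the sample "now"
  "1.2.1": "2025-09-15T10:00:00.000Z", // fresh: inside the cooldown window
};

// Equivalent of `before = now - min-release-age`, recomputed on every call
// (a rolling window, not a frozen date).
function cutoffDate(now, minReleaseAgeDays) {
  return new Date(now.getTime() - minReleaseAgeDays * DAY_MS);
}

// Compare dotted numeric versions (x.y.z). Prereleases are out of scope here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Versions published at or before the cutoff: what npm would still resolve.
function eligibleVersions(times, now, minReleaseAgeDays) {
  const cutoff = cutoffDate(now, minReleaseAgeDays).getTime();
  return Object.keys(times)
    .filter((k) => /^\d+\.\d+\.\d+$/.test(k)) // drop created/modified keys
    .filter((v) => new Date(times[v]).getTime() <= cutoff)
    .sort(compareVersions);
}

// Highest eligible version, or null when every published version is too fresh,
// which is the `npm install <brand-new-package>` failure mode from the operational note.
function resolveLatest(times, now, minReleaseAgeDays) {
  const ok = eligibleVersions(times, now, minReleaseAgeDays);
  return ok.length ? ok[ok.length - 1] : null;
}

// Stand-alone run with the constructed "now".
const now = new Date("2025-09-15T10:30:00.000Z");
console.log("cutoff:", cutoffDate(now, 2).toISOString());        // 2025-09-13T10:30:00.000Z
console.log("with cooldown:", resolveLatest(sampleTimes, now, 2)); // 1.2.0
console.log("no cooldown:", resolveLatest(sampleTimes, now, 0));   // 1.2.1
```

To try it against real data, replace `sampleTimes` with the parsed output of `npm view <pkg> time --json` and `now` with `new Date()`; the `null` result for a package whose every version is younger than the window is exactly the case the one-off `--min-release-age=0` override exists for.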