Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
kzantow approved these changes (Mar 25, 2026)
| Option | Description |
|---|---|
| `name` | The name of the tool to install. This is used to determine the installation directory and the name of the binary. |
| `version.want` | The version of the tool to install. This can be a specific version, or a version range. |
| `version.constraint` | A constraint on the version of the tool to install. This is used to determine the latest version of the tool to update to. |
| `version.cooldown` (optional) | A per-tool cooldown duration that overrides the global `cooldown` value (e.g. `3d`, `0` to disable). Only applies when resolving the latest version during `install` or `update`. Not supported by the `git` version resolver. |
Contributor
Is there a reason the git resolver doesn't support this? I'd think it could, acknowledging commit times can be forged, but they shouldn't be able to be forged in all cases, such as using squash commits in GitHub.
Contributor
Author
I thought about it and also was looking at commit times, but it didn't seem practical on a first pass from a security perspective. (We can always add this later)
Add a configurable release cooldown feature to protect against supply chain attacks. This implements a time-based buffer between when a tool version is published upstream and when binny will install it, giving time for malicious releases to be detected and pulled.
Closes #230
Changes

- `cooldown` configuration option (e.g., `cooldown: 7d`) that applies to all tools
- `version.cooldown` override to customize or disable cooldown for specific tools
- `--ignore-cooldown` CLI flag for `install` and `update` commands to bypass the check when needed
- `github-release` and `go-proxy` version resolvers
- `CooldownError` type with helpful error messages showing version age, cooldown duration, and time remaining
- (`7d`, `3d`, `168h`)

How It Works
When resolving the latest version, the resolvers now check the publish date of each candidate release:
- `proxy.golang.org/@v/{version}.info` endpoint

If no version satisfies the cooldown period, a `CooldownError` is returned with actionable information about when the user can try again.

Configuration Examples
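The resolution rule described under "How It Works", as an added Go example that is not binny's own code: it parses cooldown strings such as `7d` and `168h`, returns the newest candidate whose publish date is at least the cooldown old, and otherwise returns a `CooldownError` carrying the version age, the cooldown and the time remaining. The `Release` type, the day-suffix parser and the choice to report the candidate that will clear the cooldown soonest are my assumptions, not the project's design.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Release is a candidate version with its upstream publish time (a hypothetical type).
type Release struct {
	Version     string
	PublishedAt time.Time
}

// CooldownError explains why no candidate is old enough to install yet.
type CooldownError struct {
	Version                  string
	Age, Cooldown, Remaining time.Duration
}

func (e *CooldownError) Error() string {
	return fmt.Sprintf("%s published %s ago; cooldown %s, retry in %s", e.Version, e.Age, e.Cooldown, e.Remaining)
}

// ParseCooldown accepts Go durations ("168h") plus a day suffix ("7d"); "0" disables the check.
func ParseCooldown(s string) (time.Duration, error) {
	if days, err := strconv.Atoi(strings.TrimSuffix(s, "d")); err == nil && days >= 0 && strings.HasSuffix(s, "d") {
		return time.Duration(days) * 24 * time.Hour, nil
	}
	return time.ParseDuration(s)
}

// ResolveLatest returns the newest release published at least cooldown before now; if none qualifies
// it returns a CooldownError for the candidate that will clear the cooldown soonest (assumed policy).
func ResolveLatest(releases []Release, cooldown time.Duration, now time.Time) (Release, error) {
	if len(releases) == 0 {
		return Release{}, fmt.Errorf("no candidate releases")
	}
	sorted := append([]Release(nil), releases...) // do not reorder the caller's slice
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].PublishedAt.After(sorted[j].PublishedAt) })
	for _, r := range sorted { // newest first, so the first match is the latest eligible version
		if now.Sub(r.PublishedAt) >= cooldown {
			return r, nil
		}
	}
	oldest, age := sorted[len(sorted)-1], now.Sub(sorted[len(sorted)-1].PublishedAt)
	return Release{}, &CooldownError{oldest.Version, age, cooldown, cooldown - age}
}
```

A newer release inside the cooldown window is skipped in favour of an older eligible one, so a freshly pushed malicious release is not installed just because it is the latest tag.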