Skip to content

enable minimumReleaseAge #3072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

enable minimumReleaseAge #3072

wants to merge 3 commits into from

Conversation

@alan-agius4
Copy link
Contributor

@alan-agius4 alan-agius4 commented Sep 17, 2025

See each commit.

@angular-robot angular-robot bot added the area: build & ci Related the build and CI infrastructure of the project label Sep 17, 2025
@alan-agius4 alan-agius4 force-pushed the min-release-age branch 3 times, most recently from 7832207 to 5965c50 Compare September 17, 2025 11:57
devversion
devversion reviewed Sep 17, 2025
View reviewed changes
@alan-agius4
build: enable minimumReleaseAge to mitigate dependency chain attacks
b561ac9 
This change configures pnpm's `minimumReleaseAge` setting to 1 day (1440 minutes). This is a security measure to mitigate dependency chain attacks, where malicious actors publish a new version of a dependency with malicious code and then trick users into updating to it before it can be discovered and reported.

By delaying the adoption of new releases, we reduce the window of opportunity for such attacks. The list of excluded packages contains trusted and frequently updated dependencies from the Angular team, which are considered safe to use without this delay.
@alan-agius4
ci: add minimumReleaseAge to Renovate config
3a4aa45 
This change introduces a 1-day delay for all npm dependency updates to mitigate the risk of dependency chain attacks. This provides a window to detect and react to malicious publications.

The cross-repo Angular dependencies are excluded from this rule as they are trusted sources.
@alan-agius4 alan-agius4 added the action: merge The PR is ready for merge by the caretaker label Sep 17, 2025
@alan-agius4
Copy link
Contributor Author

alan-agius4 commented Sep 17, 2025

This PR was merged into the repository. The changes were merged into the following branches:

alan-agius4 added a commit that referenced this pull request Sep 17, 2025
@alan-agius4
ci: add minimumReleaseAge to Renovate config (#3072)
470e655 
This change introduces a 1-day delay for all npm dependency updates to mitigate the risk of dependency chain attacks. This provides a window to detect and react to malicious publications.

The cross-repo Angular dependencies are excluded from this rule as they are trusted sources.

PR Close #3072
@alan-agius4 alan-agius4 deleted the min-release-age branch September 17, 2025 12:46
@angular-automatic-lock-bot
Copy link

angular-automatic-lock-bot bot commented Oct 18, 2025

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Oct 18, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@devversion devversion devversion approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alan-agius4 @devversion