From b561ac99b0c2fca20c0ff4d1e11b814593b91501 Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Wed, 17 Sep 2025 12:31:23 +0000
Subject: [PATCH 1/3] build: enable minimumReleaseAge to mitigate dependency chain attacks

This change configures pnpm's `minimumReleaseAge` setting to 1 day (1440 minutes). This is a security measure to mitigate dependency chain attacks, where malicious actors publish a new version of a dependency with malicious code and then trick users into updating to it before it can be discovered and reported. By delaying the adoption of new releases, we reduce the window of opportunity for such attacks. The list of excluded packages contains trusted and frequently updated dependencies from the Angular team, which are considered safe to use without this delay.
---
 .github/ng-renovate/pnpm-workspace.yaml | 3 ++
 bazel/pnpm-workspace.yaml | 3 ++
 pnpm-workspace.yaml | 37 +++++++++++++++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/.github/ng-renovate/pnpm-workspace.yaml b/.github/ng-renovate/pnpm-workspace.yaml
index e69de29bb..74b78874f 100644
--- a/.github/ng-renovate/pnpm-workspace.yaml
+++ b/.github/ng-renovate/pnpm-workspace.yaml
@@ -0,0 +1,3 @@
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
diff --git a/bazel/pnpm-workspace.yaml b/bazel/pnpm-workspace.yaml
index d3aea1e8c..d4f1bcd86 100644
--- a/bazel/pnpm-workspace.yaml
+++ b/bazel/pnpm-workspace.yaml
@@ -1,3 +1,6 @@
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
 packages:
 - .
 - spec-bundling/test/
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index f38f4a4f4..7c3d1af8f 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
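Review bot: The comment above `minimumReleaseAge: 1440` should state what the setting does not cover, otherwise readers will take it as a blanket guard: as I understand pnpm's behaviour it only filters candidate versions while resolving, so versions already recorded in the lockfile and `--frozen-lockfile` installs are not re-checked. Suggested second comment line: `# The value is in minutes (1440 minutes = 1 day). Only applies when resolving new versions; existing lockfile entries are not re-checked.` The same two-line comment is added in the bazel/pnpm-workspace.yaml hunk and in the root pnpm-workspace.yaml hunk, so all three should carry the same wording. Separately, these two workspaces get no `minimumReleaseAgeExclude`, unlike the root workspace; if either of them resolves any of the packages excluded there, a fresh Angular release would be held back here for a day while the root workspace takes it immediately, so a one-line comment saying the omission is intentional would settle that.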
@@ -22,3 +22,40 @@ packages:
 - github-actions/saucelabs
 - github-actions/browserstack
 - github-actions/bazel/configure-remote
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
+# List of packages to exclude from the minimum release age check.
+# Wildcards are not yet supported: https://github.com/pnpm/pnpm/issues/9983
+minimumReleaseAgeExclude:
+ - '@angular-devkit/architect'
+ - '@angular-devkit/build-angular'
+ - '@angular-devkit/build-webpack'
+ - '@angular-devkit/core'
+ - '@angular-devkit/schematics-cli'
+ - '@angular-devkit/schematics'
+ - '@angular-devkit/architect-cli'
+ - '@angular-devkit/architect'
+ - '@angular/animations'
+ - '@angular/benchpress'
+ - '@angular/cdk'
+ - '@angular/ng-dev'
+ - '@angular/cli'
+ - '@angular/ssr'
+ - '@angular/common'
+ - '@angular/compiler-cli'
+ - '@angular/compiler'
+ - '@angular/core'
+ - '@angular/forms'
+ - '@angular/language-service'
+ - '@angular/localize'
+ - '@angular/material'
+ - '@angular/material-moment-adapter'
+ - '@angular/platform-browser-dynamic'
+ - '@angular/platform-browser'
+ - '@angular/platform-server'
+ - '@angular/router'
+ - '@angular/service-worker'
+ - '@ngtools/webpack'
+ - '@schematics/angular'
+ - 'ng-packagr'

From 3a4aa45edec89353490570e9e7cbebd64ec7c7e6 Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Wed, 17 Sep 2025 12:31:37 +0000
Subject: [PATCH 2/3] ci: add minimumReleaseAge to Renovate config

This change introduces a 1-day delay for all npm dependency updates to mitigate the risk of dependency chain attacks. This provides a window to detect and react to malicious publications. The cross-repo Angular dependencies are excluded from this rule as they are trusted sources.
---
 renovate-presets/default.json5 | 7 +++++++
 1 file changed, 7 insertions(+)
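Review bot: `'@angular-devkit/architect'` is listed twice in `minimumReleaseAgeExclude` (the first entry, and again right after `'@angular-devkit/architect-cli'`); drop the second occurrence. The list is otherwise unordered (`schematics-cli` before `schematics`, `ng-dev` and `ssr` interleaved with `cdk`, `cli` and `common`), which is how the duplicate slipped in, so keeping it sorted would make the next one visible in review. Every entry here switches the delay off entirely for that package, so the comment on the list should record the trust basis from the commit message rather than only the wildcard limitation, e.g. `# Trusted, frequently updated packages from the Angular team; add entries only for packages published by that team.`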
diff --git a/renovate-presets/default.json5 b/renovate-presets/default.json5
index 6d01920ee..e64dfdccc 100644
--- a/renovate-presets/default.json5
+++ b/renovate-presets/default.json5
@@ -73,6 +73,12 @@
 // ============================================================================
 // ECOSYSTEM-SPECIFIC GROUPING
 // ============================================================================
+ // Delay NPM updates to mitigate dependency chain attacks by malicious actors.
+ // This rule only affects direct dependencies.
+ {
+ minimumReleaseAge: '1 day',
+ matchManagers: ['npm'],
+ },
 // Group Bazel updates
 {
@@ -95,6 +101,7 @@ enabled: true,
 // Enable NPM updates of cross-repo dependencies on all branches.
 groupName: 'cross-repo angular dependencies',
 followTag: 'next',
+ minimumReleaseAge: null,
 separateMajorMinor: false,
 schedule: ['at any time'],
 matchPackageNames: [

From 672bf4a831b543a9fa7690628026244c9488df12 Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Wed, 17 Sep 2025 12:37:44 +0000
Subject: [PATCH 3/3] fixup! build: enable minimumReleaseAge to mitigate dependency chain attacks

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 3f0aa9b8a..d04394016 100644
--- a/package.json
+++ b/package.json
@@ -2,11 +2,11 @@
 "name": "@angular/build-tooling",
 "version": "0.0.0-{SCM_HEAD_SHA}",
 "private": true,
- "packageManager": "pnpm@10.16.0",
+ "packageManager": "pnpm@10.16.1",
 "engines": {
 "npm": "Please use pnpm instead of NPM to install dependencies",
 "yarn": "Please use pnpm instead of Yarn to install dependencies",
- "pnpm": "10.16.0"
+ "pnpm": "10.16.1"
 },
 "scripts": {
 "prepare": "husky",
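Review bot: The new `minimumReleaseAge: '1 day'` rule depends on its position: Renovate applies `packageRules` in order and later rules override earlier ones for the same option, so the `minimumReleaseAge: null` added to the 'cross-repo angular dependencies' rule further down only wins because that rule comes later. A comment on the rule would make that dependency explicit, e.g. `// Keep this above the cross-repo rule below, which resets minimumReleaseAge to null; later packageRules override earlier ones.` The existing `// This rule only affects direct dependencies.` line would also read better if it said where transitive updates are covered, namely the pnpm-level `minimumReleaseAge` added in the first patch of this series, so the two settings are understood as one control. The enclosing `packageRules` array starts and ends outside the hunk.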
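Review bot: `minimumReleaseAge: null` removes the delay for every package matched by this rule, and combined with `followTag: 'next'` those updates are proposed as soon as a build is published, so the exemption deserves an inline rationale rather than one that lives only in the commit message. Suggested line above it: `// No release delay: these are the Angular team's own cross-repo packages, mirroring minimumReleaseAgeExclude in pnpm-workspace.yaml.` The rule object starts and ends outside the hunk (its `matchPackageNames` list is cut off), so I cannot confirm that the matched set equals the pnpm exclusion list from the first patch; it is worth checking the two agree, since a package exempted in one place but not the other would be proposed by Renovate and then, as I understand the pnpm setting, fail to lock for a day.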