From c445bf29d0c48e22d9c40dbf370554b73ff6daea Mon Sep 17 00:00:00 2001
From: Alan Agius <17563226+alan-agius4@users.noreply.github.com>
Date: Wed, 17 Sep 2025 12:57:14 +0000
Subject: [PATCH] build: enable minimumReleaseAge to mitigate dependency chain attacks

This change configures pnpm's `minimumReleaseAge` setting to 1 day (1440 minutes). This is a security measure to mitigate dependency chain attacks, where malicious actors publish a new version of a dependency with malicious code and then trick users into updating to it before it can be discovered and reported. By delaying the adoption of new releases, we reduce the window of opportunity for such attacks. The list of excluded packages contains trusted and frequently updated dependencies from the Angular team, which are considered safe to use without this delay.
---
 .github/workflows/build.yml | 6 +++---
 package.json | 6 ++++++
 pnpm-workspace.yaml | 4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2bd45a5..273afdd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0
+        with:
+          with_install: false
       - uses: actions/setup-node@d7a11313b581b306c961b506cfc8971208bb03f6
         with:
           node-version: 24
-      - uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0
-        with:
-          version: 9
       - run: pnpm i --frozen-lockfile
       - run: pnpm check-format
       - run: pnpm release-build
diff --git a/package.json b/package.json
index f91eab4..243120c 100644
--- a/package.json
+++ b/package.json
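Review bot: `with_install: false` on the new pnpm/action-setup step does not match any input I know of for that action — its install switch is `run_install`, which already defaults to not installing — so the line is most likely a no-op that the runner reports as an unexpected input; drop it, or write `run_install: false` if the intent is to be explicit. Removing `version: 9` works because the action can read the pinned version from `packageManager` in package.json, which is what ties this CI step to a pnpm release that understands `minimumReleaseAge`; a short comment on the step, `# version comes from package.json "packageManager"`, would spare the next reader the lookup. The job's header and any steps after `pnpm release-build` are outside the hunk.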
@@ -27,6 +27,12 @@
   "license": "MIT",
   "description": "Web Codegen Scorer is a tool for evaluating the quality of web code generated by Large Language Models (LLMs).",
   "type": "module",
+  "packageManager": "pnpm@10.16.1",
+  "engines": {
+    "npm": "Please use pnpm instead of NPM to install dependencies",
+    "yarn": "Please use pnpm instead of Yarn to install dependencies",
+    "pnpm": "10.16.1"
+  },
   "bugs": {
     "url": "https://github.com/angular/web-codegen-scorer/issues"
   },
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index ecf2e9d..4c28bc8 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,3 +1,7 @@
 packages:
   - .
   - report-app
+
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
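Review bot: `packageManager` and `engines.pnpm` now pin the same version in two places (`"pnpm@10.16.1"` and `"10.16.1"`), and only the first is read by corepack and pnpm/action-setup, so the two will drift the first time someone bumps one without the other; either drop `engines.pnpm` or widen it to a floor such as `"pnpm": ">=10.16.1"`, which as far as I recall is the release line that introduced `minimumReleaseAge`. The `engines.npm` and `engines.yarn` values are deliberately non-semver so those clients fail the engines check, but npm only turns that into an error when `engine-strict` is enabled and otherwise just warns; since JSON cannot carry a comment, that caveat is worth one line in the contributing notes so nobody assumes the strings alone block an npm install.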
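Review bot: The commit message describes a list of excluded, trusted Angular packages, but this hunk adds only `minimumReleaseAge`; if a carve-out was intended it belongs here as pnpm's `minimumReleaseAgeExclude`, otherwise the description should drop that sentence so readers do not go looking for an exclusion list that does not exist. The comment should also say what the setting does not cover: as I understand it the age filter applies when pnpm resolves versions, so the CI `pnpm i --frozen-lockfile` step still installs whatever the lockfile already pins and the delay only takes effect when the lockfile is updated (`pnpm update`, bot PRs); a line such as `# Applies when resolving new versions; frozen-lockfile installs are unaffected.` keeps expectations straight. Noting that the key needs pnpm 10.16 or later — presumably why package.json pins `pnpm@10.16.1` in the same commit — would explain to a reader why the two changes travel together.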