feat(repo): add 7-day cooldown period for npm package releases #849
YusukeHirao wants to merge 1 commit into
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 84e23b8.
| "osvVulnerabilityAlerts": true, | ||
| "vulnerabilityAlerts": { | ||
| "minimumReleaseAge": null | ||
| }, |
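Review bot: the "minimumReleaseAge": null override under vulnerabilityAlerts lets Renovate open a PR for a security fix the moment it is published, but the Yarn side of this PR (npmMinimalAgeGate: 7d in .yarnrc.yml) will still reject that version at install time, so the first such PR's CI will fail until someone temporarily comments the gate out. State next to this exemption that the Yarn bypass step in the PR description applies to vulnerability-alert PRs as well, so the override is not mistaken for broken config; and since a renovate.json also exists at the repository root, put these keys in whichever file Renovate actually reads rather than keeping two.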
Security settings in ignored config file, shadowed by root
High Severity
The new minimumReleaseAge, internalChecksFilter, osvVulnerabilityAlerts, and vulnerabilityAlerts settings are added to .github/renovate.json, but a renovate.json file exists at the repository root. Renovate uses the first config file it finds in priority order, and renovate.json at root takes precedence over .github/renovate.json. This means the entire .github/renovate.json — including these new supply chain security settings — is likely ignored, silently defeating the purpose of this PR.
Since I have confirmed that v5 is the current stable branch, I am closing this PR and will recreate it based on v5.


Summary
As a countermeasure against npm supply-chain attacks, this adds a cooldown period that excludes packages published less than 7 days ago from installation and updates (rollout of frontend-env#886).

Add npmMinimalAgeGate: 7d to .yarnrc.yml (Yarn 4.10.0+)
Add minimumReleaseAge: "7 days" and internalChecksFilter: "strict" to .github/renovate.json

Why 7 days
Most malicious packages are detected and removed within hours to a few days of publication. Blocking only the short window immediately after publication already gives a high degree of protection.
3 days (the Renovate config:best-practices default) is too short as a protection window, and 14 days or more has too great an impact on development velocity, so 7 days was adopted. Andrew Nesbitt also discusses the effectiveness of a 7-day cooldown (Package Managers Need to Cool Down).

References
npmMinimalAgeGate configuration

Behavior
At yarn install time, if a package published less than 7 days ago is included, the install stops with an error.

Warning
There is no emergency bypass on the Yarn side.
If you absolutely must install a package immediately after publication, such as a security patch,
temporarily comment out npmMinimalAgeGate in .yarnrc.yml. Be sure to restore it once you are done.
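The gate described above, as an added Python example that is not part of this PR or of Yarn or Renovate: the npm registry packument carries a "time" map of version to publish timestamp, and a release-age gate simply hides versions whose timestamp is younger than the minimum age before resolving a range. The packument, the fixed clock, the package name and the two-form semver subset (exact pin and caret range) are constructed for the example; the gate behaviour it models (hard failure with no bypass at min_age_days=7, normal resolution at min_age_days=0) is what the description states, not Yarn's actual resolver code.

```python
"""Minimal release-age gate over npm registry metadata (added example).

Models the policy in this PR: a version published less than N days ago is
invisible to resolution, and an exact request for such a version fails hard.
"""
from datetime import datetime, timedelta, timezone

# Constructed packument fragment; the shape follows the registry's "time" field,
# which also carries non-version keys "created" and "modified".
PACKUMENT = {
    "name": "example-lib",  # hypothetical package name
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T09:00:00.000Z",
        "2.0.0": "2024-02-01T12:00:00.000Z",
        "2.0.1": "2024-02-20T12:00:00.000Z",
        "2.1.0": "2024-03-09T08:00:00.000Z",  # about one day old at NOW
    },
}
# Fixed clock so the example is reproducible offline.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)


def parse_version(version):
    """'2.0.1' -> (2, 0, 1); enough for ordering in this example."""
    return tuple(int(part) for part in version.split("."))


def published_at(packument, version):
    """Publish time of one version as an aware datetime."""
    stamp = packument["time"][version].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def _versions(packument):
    # Drop the "created"/"modified" bookkeeping keys.
    return [v for v in packument["time"] if v[0].isdigit()]


def eligible_versions(packument, now=NOW, min_age_days=7):
    """Versions old enough to pass the gate, lowest first."""
    cutoff = now - timedelta(days=min_age_days)
    return sorted(
        (v for v in _versions(packument) if published_at(packument, v) <= cutoff),
        key=parse_version,
    )


def _matches(spec, version):
    """Semver subset: exact 'X.Y.Z', or caret '^X.Y.Z' (same major, >= floor)."""
    if spec.startswith("^"):
        floor = parse_version(spec[1:])
        candidate = parse_version(version)
        return candidate[0] == floor[0] and candidate >= floor
    return parse_version(version) == parse_version(spec)


def resolve(packument, spec, now=NOW, min_age_days=7):
    """Highest version matching spec that also passes the age gate.

    Returns (version, None) on success or (None, reason) on failure, mirroring
    an install that stops with an error when only too-young versions match.
    """
    matching = sorted((v for v in _versions(packument) if _matches(spec, v)),
                      key=parse_version)
    if not matching:
        return None, f"no version matches {spec}"
    cutoff = now - timedelta(days=min_age_days)
    allowed = [v for v in matching if published_at(packument, v) <= cutoff]
    if allowed:
        return allowed[-1], None
    newest = matching[-1]
    age = now - published_at(packument, newest)
    return None, (f"{packument['name']}@{newest} blocked by release-age gate: "
                  f"published {age.days} day(s) ago, minimum is {min_age_days}")


if __name__ == "__main__":
    print("eligible:", eligible_versions(PACKUMENT))
    print("^2.0.0 gated:", resolve(PACKUMENT, "^2.0.0"))
    print("2.1.0 gated:", resolve(PACKUMENT, "2.1.0"))
    # min_age_days=0 is what commenting out the gate (or Renovate's
    # vulnerabilityAlerts override) amounts to.
    print("2.1.0 ungated:", resolve(PACKUMENT, "2.1.0", min_age_days=0))
```

With the gate on, a caret range quietly resolves to the older 2.0.1, while an exact request for the day-old 2.1.0 fails with a message naming the gate; the same request with min_age_days=0 succeeds, which is the behaviour the Warning section describes after commenting out npmMinimalAgeGate.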
Note
Medium Risk
Tightens dependency update/install policy by blocking packages released within the last 7 days, which can unexpectedly break CI or emergency upgrades. Security-alert updates are explicitly exempted in Renovate, but Yarn installs will still fail until the gate is relaxed.
Overview
Adds a 7-day minimum release age gate for npm packages: Yarn now enforces
npmMinimalAgeGate: 7d, and Renovate delays creating update PRs via minimumReleaseAge: "7 days". Also tightens Renovate checks with
internalChecksFilter: "strict" and enables vulnerability alerting (osvVulnerabilityAlerts), while explicitly bypassing the release-age delay for vulnerabilityAlerts updates.