
[security] Add minimum release age (hardening against supply chain vulns) #72

Merged
bencmbrook merged 3 commits into main from bencmbrook/nits
Apr 8, 2026
@bencmbrook bencmbrook commented Apr 8, 2026

Sets minimumReleaseAge to 24 hours, meaning we do not upgrade to package versions that were published in the last 24 hours. This gives the security community time to detect vulnerabilities (this is usually within hours with AI!) and publish a CVE. For example, the massive axios critical vulnerability was only on npm for 3 hours.

See related Slack thread (Transcend-internal link)

Other nit(s):

  • Improvement to the tests that drive standardized tsconfig.json files. This is now more granular, detecting non-standard / overridden compilerOption in each package. Note this rule is intentionally skipped since we do override tsconfig.json in some packages, and it will require a project to incrementally remove overrides.
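
The 24-hour gate described in the PR description above, sketched as an added example (not code from this PR or its `scripts/` tests). It checks pinned versions against publish timestamps shaped like the `time` map in npm registry metadata; `findTooNewPins`, the package names and all sample data are constructed for illustration.

```typescript
// Added example; not code from this PR. All names and data are constructed.
const DAY_MS = 24 * 60 * 60 * 1000; // the 24-hour window from the PR description

// Mirrors the `time` map in npm registry metadata: version -> ISO publish time,
// plus the bookkeeping keys "created" and "modified".
type PublishTimes = Record<string, string>;

interface Violation {
  name: string;
  version: string;
  reason: 'too-new' | 'unknown-publish-time';
}

// Returns every pinned dependency that must not be installed yet.
function findTooNewPins(
  pins: Record<string, string>,
  registry: Record<string, PublishTimes>,
  now: Date,
  minAgeMs: number = DAY_MS,
): Violation[] {
  const violations: Violation[] = [];
  for (const [name, version] of Object.entries(pins)) {
    const published = Date.parse(registry[name]?.[version] ?? '');
    const age = now.getTime() - published;
    if (Number.isNaN(published) || age < 0) {
      // Fail closed: a missing, malformed or future timestamp cannot prove age.
      violations.push({ name, version, reason: 'unknown-publish-time' });
    } else if (age < minAgeMs) {
      violations.push({ name, version, reason: 'too-new' });
    }
  }
  return violations;
}

// Constructed sample data: example-http@1.4.1 is 3 hours old at check time.
const sampleRegistry: Record<string, PublishTimes> = {
  'example-http': {
    created: '2025-01-01T00:00:00.000Z',
    '1.4.0': '2026-03-01T09:00:00.000Z',
    '1.4.1': '2026-04-08T12:00:00.000Z',
  },
  'example-utils': { '2.0.0': '2026-04-07T14:59:59.000Z' },
};
const samplePins = { 'example-http': '1.4.1', 'example-utils': '2.0.0', 'example-missing': '0.1.0' };
const sampleNow = new Date('2026-04-08T15:00:00.000Z');

console.log(findTooNewPins(samplePins, sampleRegistry, sampleNow));
```

A pin with no recorded publish time is reported rather than allowed, so a registry gap cannot silently bypass the window.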

pkg-pr-new bot commented Apr 8, 2026

@transcend-io/cli

pnpm add https://pkg.pr.new/@transcend-io/cli@72
yarn add https://pkg.pr.new/@transcend-io/cli@72.tgz

@transcend-io/privacy-types

pnpm add https://pkg.pr.new/@transcend-io/privacy-types@72
yarn add https://pkg.pr.new/@transcend-io/privacy-types@72.tgz

@transcend-io/sdk

pnpm add https://pkg.pr.new/@transcend-io/sdk@72
yarn add https://pkg.pr.new/@transcend-io/sdk@72.tgz

@transcend-io/utils

pnpm add https://pkg.pr.new/@transcend-io/utils@72
yarn add https://pkg.pr.new/@transcend-io/utils@72.tgz

commit: 9af59a6

@bencmbrook bencmbrook changed the title from "nits" to "[security] Add minimum release age (hardening against supply chain vulns)" Apr 8, 2026
@bencmbrook bencmbrook enabled auto-merge April 8, 2026 15:09
Comment thread scripts/check-minimum-release-age.test.ts
Comment thread scripts/package-conventions.test.ts
@bencmbrook bencmbrook added this pull request to the merge queue Apr 8, 2026
Merged via the queue into main with commit 92d40f4 Apr 8, 2026
4 checks passed
@bencmbrook bencmbrook deleted the bencmbrook/nits branch April 8, 2026 16:40