security: enforce 7-day minimum package age for pnpm installs #1198
lindyalchemy wants to merge 1 commit into main from
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e2bcbc28a7
| @@ -0,0 +1 @@ | |||
| minimumReleaseAge: 10080 | |||
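Review bot: the single new line `minimumReleaseAge: 10080` carries no comment stating the unit (minutes; 7 × 24 × 60 = 10080, which is where the "7 days" in the PR summary comes from) or the minimum pnpm version that honours it, and the review above notes that the repository pins pnpm 10.9.0 in package.json and .github/actions/setup-pnpm/action.yml while the setting is documented as added in 10.16.0. On the pinned version this line is silently ignored, so the commit should bump the pnpm pin in both places alongside the new file, and the line itself should say what it depends on, e.g. `minimumReleaseAge: 10080 # minutes (7 days); requires pnpm >= 10.16.0`, so the next person reading pnpm-workspace.yaml does not have to rediscover either fact.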
Upgrade pnpm before enabling minimumReleaseAge
minimumReleaseAge is configured here, but this repo still runs pnpm 10.9.0 (package.json and .github/actions/setup-pnpm/action.yml both pin 10.9.0), while pnpm’s official settings docs mark minimumReleaseAge as “Added in: v10.16.0”. In current CI/local installs, this policy is therefore not actually enforced, so the commit creates a false sense of supply-chain protection until the pnpm version is bumped to one that supports the setting.
Summary
Sets minimumReleaseAge: 10080 (7 days) in pnpm-workspace.yaml to reduce supply chain attack risk. This prevents pnpm from installing newly published package versions until they have been available for at least 7 days, giving the community time to identify and flag malicious releases.
Reference
🤖 Generated with Claude Code
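To make the policy in this PR concrete, here is an added example that is not code from the PR, from pnpm, or from Claude Code. It models what a minimum-release-age setting does during version resolution over a constructed registry "time" map (version to publish timestamp, the shape the npm registry returns) with a fixed "now", and it includes the version gate the review comment asks for, using the "added in 10.16.0" figure quoted there. Assumptions: that pnpm selects the newest in-range version that is old enough and has nothing to install when none qualifies (this author's reading of the setting, not pnpm's source); the package name, timestamps and caret-range helper are invented for illustration.

```javascript
// Added example, not code from the PR or from pnpm: a small model of what a
// minimumReleaseAge policy does during version resolution. The registry
// metadata below is constructed; its shape mirrors the npm registry's "time"
// map (version -> publish timestamp), and "now" is fixed so the output is
// deterministic. Assumption: pnpm picks the newest in-range version that is
// old enough and fails when none is; that is this author's reading of the
// setting, not pnpm's source.

const MINIMUM_RELEASE_AGE_MINUTES = 10080; // value from the PR: 7 days in minutes

// Constructed "now".
const NOW_MS = Date.parse("2025-06-15T12:00:00Z");

// Constructed publish times for a hypothetical package.
const SAMPLE_TIME = {
  "1.2.0": "2025-05-01T00:00:00Z", // ~45 days old
  "1.2.1": "2025-06-01T00:00:00Z", // ~14.5 days old
  "1.3.0": "2025-06-15T11:00:00Z", // 60 minutes old: blocked by a 7-day policy
  "2.0.0": "2025-06-15T11:30:00Z", // 30 minutes old, and outside ^1 anyway
};

// Compare two dotted numeric versions ("10.9.0" vs "10.16.0") component by
// component, so that 10.9 < 10.16 (a plain string compare gets this wrong).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Age of a release in minutes at time nowMs.
function releaseAgeMinutes(publishedIso, nowMs) {
  return (nowMs - Date.parse(publishedIso)) / 60000;
}

// Minimal caret-range check (^major): enough for this example, not full semver.
function satisfiesCaretMajor(version, major) {
  return Number(version.split(".")[0]) === major;
}

// Resolve "^major" under the policy: newest in-range version whose age is at
// least minAgeMinutes. Returns null when no version qualifies, which is the
// failure mode to plan for (a brand-new package, or an urgent fix that only
// exists in a release younger than the cutoff).
function resolveWithMinimumAge(timeMap, major, nowMs, minAgeMinutes) {
  const eligible = Object.keys(timeMap)
    .filter((v) => satisfiesCaretMajor(v, major))
    .filter((v) => releaseAgeMinutes(timeMap[v], nowMs) >= minAgeMinutes)
    .sort(compareVersions);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// The gate the review comment asks for: the setting is documented as added in
// pnpm 10.16.0, so an older pinned pnpm silently ignores it.
function supportsMinimumReleaseAge(pnpmVersion) {
  return compareVersions(pnpmVersion, "10.16.0") >= 0;
}

console.log("pnpm 10.9.0 honours the setting:", supportsMinimumReleaseAge("10.9.0")); // false
console.log("^1 with 7-day policy:", resolveWithMinimumAge(SAMPLE_TIME, 1, NOW_MS, MINIMUM_RELEASE_AGE_MINUTES)); // 1.2.1
console.log("^1 without policy:", resolveWithMinimumAge(SAMPLE_TIME, 1, NOW_MS, 0)); // 1.3.0
console.log("^2 with 7-day policy:", resolveWithMinimumAge(SAMPLE_TIME, 2, NOW_MS, MINIMUM_RELEASE_AGE_MINUTES)); // null
```

The two things worth taking from the run are the fallback and the hole: with the policy on, `^1` resolves to the 14-day-old 1.2.1 instead of the hour-old 1.3.0, but `^2` resolves to nothing at all, so a dependency whose only satisfying release is younger than the cutoff will block the install until the age is reached or an explicit exception is made. The version gate is the cheap CI check that would have caught the mismatch the review points out.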