
Conversation

NicholasEllul (Contributor)

@NicholasEllul NicholasEllul commented Sep 22, 2025

Summary

This pull request enforces a 3-day minimum release age for all NPM packages. Packages published more recently will be blocked from installation, reducing the risk of supply-chain attacks involving newly compromised releases.

Teams that need exceptions can override this restriction by listing packages under the npmPreapprovedPackages option.

This is a new feature included in yarn v4.10.*


Note

Adds a 3-day npm package age gate with preapproved scopes and upgrades packageManager to Yarn 4.10.2.

  • Supply chain security:
    • Configure npmMinimalAgeGate: 4320 and npmPreapprovedPackages (@metamask/*, @lavamoat/*) in .yarnrc.yml.
  • Tooling:
    • Upgrade packageManager to Yarn 4.10.2.
Written by Cursor Bugbot for commit f9f77a2.
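The following is an added illustration, not code from this PR or from Yarn itself, of what the two settings above amount to when a resolver chooses among published versions. It models the policy in plain JavaScript: a version is eligible only if it was published at least npmMinimalAgeGate minutes before resolution time, except for packages whose name matches one of the npmPreapprovedPackages patterns, which skip the gate. Assumptions: the gate is applied to candidate versions at resolution time (Yarn's own handling, for example of exact pins, may differ in detail); patterns are simple globs where only `*` is a wildcard; the sample package names, versions and timestamps are constructed, in the same shape as the per-version `time` map that `npm view <pkg> time --json` returns.

```javascript
// Added model of a minimal-age gate for npm package versions.
// Not Yarn's implementation; it shows the decision the policy encodes.

// Turn a pattern such as "@metamask/*" into a RegExp.
// Assumption: "*" is the only wildcard; everything else is literal.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// True if the package name matches any preapproved pattern.
function isPreapproved(name, patterns) {
  return patterns.some((p) => globToRegExp(p).test(name));
}

// Minimal "x.y.z" comparison; the constructed data has no prerelease tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Pick the newest candidate that is old enough, or the newest of any age
// when the package is preapproved. Returns null if nothing is eligible.
// candidates: [{ version, publishedAt }] with ISO-8601 publish times.
function selectVersion({ name, candidates, now, minimalAgeMinutes, preapproved }) {
  const cutoff = now.getTime() - minimalAgeMinutes * 60 * 1000;
  const exempt = isPreapproved(name, preapproved);
  const eligible = candidates.filter(
    (c) => exempt || new Date(c.publishedAt).getTime() <= cutoff
  );
  if (eligible.length === 0) return null;
  eligible.sort((x, y) => compareVersions(y.version, x.version));
  return {
    version: eligible[0].version,
    exempt,
    rejected: candidates.length - eligible.length,
  };
}

// The policy this PR configures in .yarnrc.yml (4320 minutes = 3 days).
const policy = {
  minimalAgeMinutes: 4320,
  preapproved: ["@metamask/*", "@lavamoat/*"],
};

// Constructed resolution time and sample registry data.
const now = new Date("2025-09-22T20:00:00Z");

const thirdPartyVersions = [
  { version: "1.0.0", publishedAt: "2025-08-01T00:00:00Z" }, // weeks old
  { version: "1.0.1", publishedAt: "2025-09-22T19:00:00Z" }, // one hour old
];

const scopedVersions = [
  { version: "2.3.0", publishedAt: "2025-07-01T00:00:00Z" },
  { version: "2.4.0", publishedAt: "2025-09-22T19:30:00Z" }, // thirty minutes old
];

function runDemo() {
  return {
    // Gate applies: the one-hour-old 1.0.1 is skipped, 1.0.0 is chosen.
    thirdParty: selectVersion({ name: "some-lib", candidates: thirdPartyVersions, now, ...policy }),
    // Preapproved scope: the fresh 2.4.0 is allowed through.
    scoped: selectVersion({ name: "@metamask/foo", candidates: scopedVersions, now, ...policy }),
    // Similar-looking but unapproved scope still goes through the gate.
    lookalike: selectVersion({ name: "@metamaskx/foo", candidates: scopedVersions, now, ...policy }),
    // Package whose only release is too new: nothing installable yet.
    brandNew: selectVersion({
      name: "fresh-lib",
      candidates: [{ version: "0.0.1", publishedAt: "2025-09-21T00:00:00Z" }],
      now,
      ...policy,
    }),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Two things worth keeping in mind when reading the output: the gate only helps against a compromised release that is discovered and pulled within the window, since a malicious version left in place for more than three days becomes eligible like any other, and a brand-new package with no release older than the gate resolves to nothing until it ages, so a wildcard like `@metamask/*` is exactly the kind of exception a team would need to publish and consume its own packages immediately.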

@NicholasEllul NicholasEllul requested a review from a team as a code owner September 22, 2025 20:59
@NicholasEllul NicholasEllul changed the title feat: add minimal age to package installations chore: add minimal age to package installations Sep 22, 2025
@NicholasEllul NicholasEllul force-pushed the ellul/min-package-age branch 2 times, most recently from 98c532a to 0dd7ca3 September 24, 2025 20:13
Gudahtt (Member) previously approved these changes Sep 24, 2025

@Gudahtt Gudahtt left a comment


LGTM!

@NicholasEllul NicholasEllul force-pushed the ellul/min-package-age branch from 0dd7ca3 to e1f68b9 October 2, 2025 15:53
cursor[bot]

This comment was marked as outdated.

@mcmire mcmire (Contributor) left a comment


Good idea, LGTM!


3 participants