trieloff

Summary

  • Added minimumReleaseAge: "14 days" policy to external dependency update rules in Renovate configuration
  • Applies to both minor/patch updates and major updates for non-Adobe packages
  • Provides a buffer period for potential security issues to be discovered before automatic updates

Context

This change adds an additional security layer in response to recent supply chain attacks on npm packages. By waiting 14 days before considering updates, we allow time for the community to identify and report compromised packages.

Related discussion: https://cq-dev.slack.com/archives/C01UB5Y1YQ7/p1757493562576669
Reference article: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Test plan

  • Verify JSON syntax is valid
  • Confirm Renovate accepts the configuration
  • Monitor that external dependency updates are delayed by 14 days after release

🤖 Generated with Claude Code

Add minimumReleaseAge policy to wait 14 days before updating external packages,
providing time for potential issues to be discovered and fixed before adoption.

This helps protect against supply chain attacks like the recent npm debug and
chalk package compromises.

Related discussion: https://cq-dev.slack.com/archives/C01UB5Y1YQ7/p1757493562576669
Reference: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Signed-off-by: Lars Trieloff <[email protected]>
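The configuration the summary and commit message describe, written out as an added illustration rather than the repository's actual renovate.json (which the page does not show): the `config:recommended` base, the two-rule layout (one for minor/patch, one for major) and the `@adobe/` scope exclusion written with Renovate's `!`-negated regex in `matchPackageNames` are assumptions here, and a `description` field is included on each rule only to document intent.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "description": "Added example: minor and patch updates of external (non-Adobe) packages wait 14 days after release",
      "matchUpdateTypes": ["minor", "patch"],
      "matchPackageNames": ["*", "!/^@adobe\\//"],
      "minimumReleaseAge": "14 days"
    },
    {
      "description": "Added example: major updates of external packages get the same 14-day buffer",
      "matchUpdateTypes": ["major"],
      "matchPackageNames": ["*", "!/^@adobe\\//"],
      "minimumReleaseAge": "14 days"
    }
  ]
}
```

Renovate measures `minimumReleaseAge` from the release timestamp the datasource reports (npm publishes one), so a version published today is not proposed until two weeks later, leaving time for a compromised release to be reported and unpublished before any automated PR picks it up. The buffer only covers new versions: it does not re-check a version that is already pinned in the lockfile, so it complements rather than replaces lockfile auditing, and the second bullet of the test plan is best verified by watching that Renovate's dependency dashboard lists a fresh external release as pending rather than opening a PR for it immediately.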
@trieloff trieloff merged commit a7b2e0d into main Sep 15, 2025
6 checks passed
@trieloff trieloff deleted the renovate-minimum-release-age branch September 15, 2025 17:51