From d853e19a221a27f570fe66c4d31865ec7b53e667 Mon Sep 17 00:00:00 2001 From: Ruben van der Linde Date: Sat, 16 May 2026 17:26:12 +0200 Subject: [PATCH] chore(security): require 24h cooldown on npm packages Defense against supply-chain attacks (e.g. shai-hulud, nx-style compromised publishes) by blocking install of any package version published less than 24h ago. - .npmrc: `min-release-age=1` (npm 11.5+ native; older npm ignores it) - .github/dependabot.yml: `cooldown.default-days: 1`, with @conduction/* excluded so first-party releases reach our apps immediately For release-day consumption of fresh @conduction/* deps, use `npm install --min-release-age=0 @conduction/pkg@x.y.z`. --- .github/dependabot.yml | 13 +++++++++++++ .npmrc | 5 +++++ 2 files changed, 18 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .npmrc diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3390c9e --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + cooldown: + default-days: 1 + include: + - "*" + exclude: + - "@conduction/*" diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..3942d34 --- /dev/null +++ b/.npmrc @@ -0,0 +1,5 @@ +# Supply-chain hardening: reject any npm package published less than +# 24h ago. Compromised first-party-Conduction packages are excluded via +# Dependabot cooldown (.github/dependabot.yml); for fresh @conduction/* +# releases, override per-install with `npm install --min-release-age=0`. +min-release-age=1