[Security] Add 2-day minimum release age cooldown (incident-51987) #38

Merged: szegedi merged 1 commit into DataDog:main from SeanMeyer:SeanMeyer/incident-51987-cooldown, Apr 27, 2026

@SeanMeyer

Contributor

Summary

  • Adds .npmrc with min-release-age=2 to enforce a 2-day cooldown on npm package releases before they can be installed
  • Protects against supply chain attacks by ensuring newly published or compromised package versions are not immediately consumed
  • Part of the security pinning campaign for incident-51987

Test plan

  • Verify .npmrc contains min-release-age=2
  • Confirm npm install respects the cooldown setting on next dependency install

🤖 Generated with Claude Code

Add .npmrc with min-release-age=2 to enforce a 2-day cooldown period
on npm package releases before they can be installed. This protects
against supply chain attacks by ensuring newly published (or
compromised) package versions are not immediately consumed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
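
What the cooldown means at resolution time, as an added example that is not part of this pull request or the project's code: it reads `min-release-age` from `.npmrc` text and picks the newest version that is old enough, using registry-style publish timestamps. The package data, timestamps and helper functions are constructed for illustration, and version handling assumes plain x.y.z versions.

```javascript
// Added illustration: models a release-age cooldown; this is not npm's own resolver.
const DAY_MS = 24 * 60 * 60 * 1000;

// Read min-release-age (in days) from .npmrc text; null when unset or not a whole number.
function readMinReleaseAge(npmrcText) {
  let days = null;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue; // comments
    const eq = line.indexOf('=');
    if (eq === -1 || line.slice(0, eq).trim() !== 'min-release-age') continue;
    const val = line.slice(eq + 1).trim();
    days = /^\d+$/.test(val) ? Number(val) : null; // last assignment wins
  }
  return days;
}

// Compare plain x.y.z versions numerically (assumption: no prerelease or build tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version published at least `days` before `now`, or null if none qualifies.
function newestEligible(time, days, now) {
  const cutoff = now.getTime() - days * DAY_MS;
  const ok = Object.keys(time)
    .filter((v) => /^\d+\.\d+\.\d+$/.test(v)) // skips the "created"/"modified" keys
    .filter((v) => Date.parse(time[v]) <= cutoff);
  return ok.sort(compareVersions).pop() ?? null;
}

// Constructed sample data: a hypothetical package's publish times, not real registry output.
const NPMRC = '# supply-chain cooldown\nmin-release-age=2\n';
const TIME = {
  created: '2026-01-10T09:00:00.000Z',
  modified: '2026-04-27T08:00:00.000Z',
  '1.4.0': '2026-03-02T12:00:00.000Z',
  '1.4.1': '2026-04-24T12:00:00.000Z',
  '1.4.2': '2026-04-27T08:00:00.000Z', // published hours before the install
};
const NOW = new Date('2026-04-27T16:35:00.000Z');

function demo() {
  const days = readMinReleaseAge(NPMRC);
  return { days, picked: newestEligible(TIME, days, NOW) };
}
console.log(demo());
```

With the cooldown at 2 days, the version published the same day is skipped in favour of the previous release; a package whose only version is younger than the cooldown yields no eligible version at all, which is the case to expect install failures from.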
@szegedi added the semver-patch (Bug and security fixes) label Apr 27, 2026
@szegedi marked this pull request as ready for review April 27, 2026 16:35
@szegedi merged commit 0022c13 into DataDog:main Apr 27, 2026
7 of 8 checks passed
@szegedi mentioned this pull request Jun 8, 2026
szegedi pushed a commit that referenced this pull request Jun 16, 2026