
chore: add 7-day dependency cooldown via npm min-release-age #104

Merged: amanmibra merged 2 commits into main from devin/1777628846-dep-cooldown-7d on May 13, 2026

Conversation

devin-ai-integration (Bot, Contributor) commented May 1, 2026

Summary

Adds a 7-day dependency cooldown to prevent supply chain attacks via two changes:

  1. Config: min-release-age=7 in .npmrc — npm ignores any package version published within the last 7 days
  2. Docs: New "Dependency Cooldown (Supply Chain Security)" section in README.md explaining the config, npm 11.10.0+ requirement, and override instructions

Review & Testing Checklist for Human

  • Verify npm install still resolves all existing dependencies from lockfile without error
  • Confirm the README section reads clearly

Notes

  • Requires npm 11.10.0+ (Feb 2026). On older npm, silently ignored.

Link to Devin session: https://app.devin.ai/sessions/ff52cfe2dcc947d3b70487098fe6f35b

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
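To make the rule in the summary concrete, here is an added example (not code from this PR or from npm itself) that models what `min-release-age=7` does: given a package's registry metadata, whose `time` map records when each version was published, it keeps only versions older than the cooldown and reports when the `latest` dist-tag would be excluded. The package name, versions and dates are constructed, and the `.npmrc` parser assumes plain `key=value` lines.

```javascript
const COOLDOWN_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample metadata for a hypothetical package "example-pkg".
// The `time` map mirrors the registry shape: version -> ISO publish date.
const samplePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2025-01-10T00:00:00.000Z",
    modified: "2026-05-01T08:00:00.000Z",
    "1.4.2": "2025-11-02T12:00:00.000Z",
    "2.0.0": "2026-04-20T09:30:00.000Z",
    "2.0.1": "2026-05-01T08:00:00.000Z", // published "today" in this scenario
  },
};

// Illustrative model of the cooldown, not npm's resolver: keep versions
// published at least `cooldownDays` before `now`. A version with a missing
// or unparseable date is treated as not yet eligible, so it cannot slip past.
function eligibleVersions(packument, now, cooldownDays = COOLDOWN_DAYS) {
  const cutoff = now.getTime() - cooldownDays * MS_PER_DAY;
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => {
      const t = Date.parse(published);
      return Number.isFinite(t) && t <= cutoff;
    })
    .map(([version]) => version);
}

// The case a reviewer cares about: the `latest` tag (what a bare install
// would otherwise pick) is still inside the cooldown window.
function latestIsInCooldown(packument, now, cooldownDays = COOLDOWN_DAYS) {
  const latest = packument["dist-tags"].latest;
  return !eligibleVersions(packument, now, cooldownDays).includes(latest);
}

// Read `min-release-age` from .npmrc text; 0 means no cooldown configured.
function minReleaseAgeFrom(npmrcText) {
  for (const line of npmrcText.split(/\r?\n/)) {
    const m = line.match(/^\s*min-release-age\s*=\s*(\d+)\s*$/);
    if (m) return Number(m[1]);
  }
  return 0;
}

const scenarioNow = new Date("2026-05-01T12:00:00.000Z");
console.log(eligibleVersions(samplePackument, scenarioNow)); // [ '1.4.2', '2.0.0' ]
console.log(latestIsInCooldown(samplePackument, scenarioNow)); // true
```

With the cooldown in place the freshly published 2.0.1 is invisible to resolution until it has aged seven days, which is the window the summary describes.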
devin-ai-integration (Contributor, Author) commented: Original prompt from Aman Ibrahim

SYSTEM:
=== BEGIN THREAD HISTORY (in #devin-chat) ===
<most_recent_message>
Aman Ibrahim (U05SN1RECPQ): @Devin

Add a 7-day dependency cooldown to all repos

uv's exclude-newer refuses any version published inside a rolling window. With 7 days set, today's malicious uploads would not be considered for resolution at all.

npm/bun and other package managers (like Cargo) should have the same/similar
</most_recent_message>
=== END THREAD HISTORY ===

Thread URL: https://deeptrust-ai.slack.com/archives/C0996NYCENL/p1777628530316529?thread_ts=1777628530.316529&cid=C0996NYCENL

The latest message is the one right above that tagged you. The <most_recent_message> is the message that you should use to guide your goals + task for this session, and you should use the rest of the slack thread as context.

devin-ai-integration (Contributor, Author) commented:

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
amanmibra merged commit fedfd28 into main on May 13, 2026 (4 checks passed) and deleted the devin/1777628846-dep-cooldown-7d branch on May 13, 2026 at 17:21.