From 777c3ad738cb255b21b8f4bd8cd2634eb577a833 Mon Sep 17 00:00:00 2001 From: Aman Ibrahim Date: Fri, 1 May 2026 09:47:47 +0000 Subject: [PATCH 1/2] chore: add 7-day dependency cooldown via npm min-release-age Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- .npmrc | 1 + 1 file changed, 1 insertion(+) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..7253a5c --- /dev/null +++ b/.npmrc @@ -0,0 +1 @@ +min-release-age=7 From 8e3dcb180a776bc485881d73395c19b8650b832b Mon Sep 17 00:00:00 2001 From: Aman Ibrahim Date: Fri, 1 May 2026 16:02:31 +0000 Subject: [PATCH 2/2] docs: add dependency cooldown section to README Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index ea4fc55..c117e67 100644 --- a/README.md +++ b/README.md 
@@ -32,6 +32,27 @@ This README explains how to build the component library, scaffold new components --- +## Dependency Cooldown (Supply Chain Security) + +This repo enforces a **7-day dependency cooldown** via npm's `min-release-age` setting in `.npmrc`. Any package version published to the npm registry within the last 7 days is automatically excluded from dependency resolution. This mitigates supply chain attacks where malicious packages are uploaded and removed within hours. + +```ini +# .npmrc +min-release-age=7 +``` + +**How it works:** When running `npm install`, npm checks each candidate package version's publish date. Versions newer than 7 days are treated as if they don't exist. Packages already pinned in `package-lock.json` are unaffected. + +**Requirements:** npm 11.10.0+ (on older npm, the setting is silently ignored). + +**Overriding for urgent CVE patches:** + +```bash +npm install @ --min-release-age=0 +``` + +--- + ## Developer release workflow Use this checklist whenever you cut a `0.0.x-dev` build or validate changes before promotion to a stable release.
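Review bot: the new `.npmrc` hunk (`+min-release-age=7`) provides no way to notice when the setting is not being honoured; the README hunk in this same series states that npm older than 11.10.0 silently ignores it, so on such a runner the cooldown simply disappears without any signal. Pair the line with an `engines.npm` entry in package.json plus `engine-strict=true` in this `.npmrc`, or add a CI step that fails when `npm --version` is below 11.10.0, so an unsupported npm aborts rather than installs uncooled versions. A one-line `#` comment above the setting stating that the value is in days and pointing at the README section would also help readers who know the same idea from tools that count in minutes.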
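Review bot: the override example in the README hunk, `npm install @ --min-release-age=0`, is not runnable as written; the package placeholder appears to have been dropped, leaving a bare `@`. Restore it as `npm install <package>@<version> --min-release-age=0` so the reader sees what goes on either side of the `@`. The same paragraph should also state that `--min-release-age=0` lifts the cooldown for every version resolved during that command, not only the named package, so anyone using it for an urgent CVE patch should review the resulting `package-lock.json` diff for other newly resolved versions that bypassed the 7-day window.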