
chore(security): add min-release-age=3 to .npmrc#152

Open: ms-bot wants to merge 1 commit into master from mobsuccessbot/npmrc-min-release-age


Conversation

@ms-bot ms-bot commented May 21, 2026

Contributor

Why is this needed?

This pull request has been created by a robot to add supply chain protection.

Adding min-release-age=3 to .npmrc prevents npm from installing packages published less than 3 days ago, protecting against attacks like the TanStack compromise (May 2026).

Requires npm ≥ 11.10 — already enforced by the generated npm.yml workflow.
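
What the setting does, modelled in code (an added example for this discussion, not code from the PR, from npm or from the bot): given a registry packument's `time` map, keep only versions published at least N days before the install, pick the newest of those, and separately audit what a package-lock.json already pins. The packument, the lockfile fragment and the "current time" are constructed inline; the day-based cutoff and the decision to skip pre-releases unless asked are choices made here, not claims about npm's implementation.

```python
"""Model of a min-release-age policy applied to an npm registry packument.

Added example, not code from the PR, from npm or from mobsuccessbot.
Assumptions: the registry packument shape (`time` maps version ->
ISO-8601 publish timestamp), an age measured in whole days before the
resolution time, and pre-releases skipped unless explicitly requested
(a policy choice made here, not a statement about npm's behaviour).
"""
from datetime import datetime, timedelta, timezone

# Constructed packument for a fictional package. 2.1.0 is a freshly
# published release, the shape a hijacked-maintainer push would take.
PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2025-01-10T09:00:00.000Z",
        "modified": "2026-05-20T14:02:11.000Z",
        "2.0.0": "2026-03-01T10:00:00.000Z",
        "2.0.1": "2026-04-15T12:30:00.000Z",
        "3.0.0-beta.1": "2026-05-18T08:00:00.000Z",
        "2.1.0": "2026-05-20T14:02:11.000Z",
    },
}
# Constructed "current time": the morning after 2.1.0 was published.
NOW = datetime(2026, 5, 21, 9, 0, tzinfo=timezone.utc)

# Constructed package-lock.json v3 fragment that already pins the fresh version.
LOCKFILE = {"packages": {"node_modules/example-lib": {"version": "2.1.0"}}}

NON_VERSION_KEYS = {"created", "modified"}


def parse_version(version):
    """Sortable key for 'major.minor.patch[-pre]'; a release sorts above its pre-releases."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(part) for part in core.split("."))
    return (major, minor, patch, pre == "", pre)


def publish_time(packument, version):
    """Publish timestamp of `version` as an aware UTC datetime."""
    stamp = packument["time"][version].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def eligible_versions(packument, min_release_age_days, now=NOW, include_prerelease=False):
    """Versions published at least `min_release_age_days` days before `now`, newest first."""
    cutoff = now - timedelta(days=min_release_age_days)
    allowed = []
    for version in packument["time"]:
        if version in NON_VERSION_KEYS:
            continue
        if "-" in version and not include_prerelease:
            continue
        if publish_time(packument, version) <= cutoff:
            allowed.append(version)
    return sorted(allowed, key=parse_version, reverse=True)


def resolve(packument, min_release_age_days, now=NOW):
    """Newest version the policy permits, or None when every version is too young."""
    allowed = eligible_versions(packument, min_release_age_days, now)
    return allowed[0] if allowed else None


def audit_lockfile(lockfile, packuments, min_release_age_days, now=NOW):
    """Pinned versions younger than the policy, as (name, version, age_in_days) tuples.

    Worth running when the setting is introduced: it tells you whether a
    too-young version is already locked, independently of what the
    resolver would pick for a fresh install.
    """
    cutoff = now - timedelta(days=min_release_age_days)
    findings = []
    for path, meta in lockfile["packages"].items():
        if "node_modules/" not in path:
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in packuments:
            continue  # no metadata supplied for this package in the constructed input
        published = publish_time(packuments[name], meta["version"])
        if published > cutoff:
            findings.append((name, meta["version"], (now - published).days))
    return findings


if __name__ == "__main__":
    print("min-release-age=3 resolves", resolve(PACKUMENT, 3))  # 2.0.1
    print("min-release-age=0 resolves", resolve(PACKUMENT, 0))  # 2.1.0
    print("lockfile findings:", audit_lockfile(LOCKFILE, {"example-lib": PACKUMENT}, 3))
```

With a 3-day window the model refuses 2.1.0 (published under a day before the install) and falls back to 2.0.1; with the window set to 0 it takes 2.1.0, which is the behaviour the PR is removing. The lockfile audit is the check to run alongside the config change, since a version that is already pinned is not something a new `.npmrc` key tells you about.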

@ms-bot ms-bot added the mobsuccessbot Pull requests that enforce company policies label May 21, 2026
@ms-bot ms-bot force-pushed the mobsuccessbot/npmrc-min-release-age branch from 1b600a8 to 34986c1 Compare July 3, 2026 12:53
Copilot AI review requested due to automatic review settings July 3, 2026 12:53

Copilot AI left a comment


Pull request overview

Adds an npm configuration setting intended to reduce supply-chain risk by preventing installation of very recently published packages.

Changes:

  • Introduces min-release-age=3 in .npmrc to require packages be at least 3 days old before install.


Comment thread .npmrc
@@ -0,0 +1 @@
min-release-age=3
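Review bot: the new one-line `.npmrc` carries no comment, so the next developer whose install of a just-released version fails has nothing in the file telling them why, or that the value is in days. `.npmrc` is ini-style and accepts comment lines, so consider adding one above the key, e.g. `; supply-chain guard: refuse versions published less than 3 days ago (needs npm >= 11.10)`. That comment should also state what the PR description only says in passing: the npm version requirement is enforced by the npm.yml workflow, not by this file, so a local install with an older npm gets none of this protection.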

Labels

mobsuccessbot Pull requests that enforce company policies

2 participants