
Conversation

alan-agius4
Contributor

See each commit.

@angular-robot angular-robot bot added the area: build & ci Related the build and CI infrastructure of the project label Sep 17, 2025
@alan-agius4 alan-agius4 force-pushed the min-release-age branch 3 times, most recently from 7832207 to 5965c50 Compare September 17, 2025 11:57
This change configures pnpm's `minimumReleaseAge` setting to 1 day (1440 minutes). This is a security measure to mitigate dependency chain attacks, where malicious actors publish a new version of a dependency with malicious code and then trick users into updating to it before it can be discovered and reported.

By delaying the adoption of new releases, we reduce the window of opportunity for such attacks. The list of excluded packages contains trusted and frequently updated dependencies from the Angular team, which are considered safe to use without this delay.

This change introduces a 1-day delay for all npm dependency updates to mitigate the risk of dependency chain attacks. This provides a window to detect and react to malicious publications.

The cross-repo Angular dependencies are excluded from this rule as they are trusted sources.
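To make the mechanism concrete, here is an added example (not code from this PR or from pnpm) that models how a minimum-release-age gate filters candidate versions: it reads per-version publish timestamps from a registry packument's `time` field, drops anything younger than 1440 minutes, and bypasses the delay for excluded scopes. The packuments, the `@angular/*` exclusion pattern and the simplified wildcard matching are constructed assumptions for the demo.

```javascript
// Added example (not from the PR or pnpm): a minimum release age gate.
// Assumption: the registry metadata ("packument") carries a `time` map of
// version -> ISO publish timestamp, which is what the age check keys on.

const MINIMUM_RELEASE_AGE_MINUTES = 1440; // 1 day, as configured in the PR

// Constructed sample data; timestamps are expressed relative to NOW.
const NOW = Date.parse('2025-09-17T12:00:00Z');
const minutesAgo = (m) => new Date(NOW - m * 60_000).toISOString();

const REGISTRY = {
  'some-dep': {
    versions: ['1.0.0', '1.0.1', '1.0.2'],
    time: {
      '1.0.0': minutesAgo(10_000), // well past the delay
      '1.0.1': minutesAgo(2_000),  // older than 1440 min: allowed
      '1.0.2': minutesAgo(30),     // published 30 min ago: held back
    },
  },
  '@angular/core': {
    versions: ['21.0.0-next.1', '21.0.0-next.2'],
    time: { '21.0.0-next.1': minutesAgo(3_000), '21.0.0-next.2': minutesAgo(5) },
  },
};

// Constructed exclusion list standing in for trusted cross-repo packages.
// Only exact names and a trailing "/*" scope wildcard are supported here.
const EXCLUDE = ['@angular/*'];

function isExcluded(name, patterns = EXCLUDE) {
  return patterns.some((p) =>
    p.endsWith('/*') ? name.startsWith(p.slice(0, -1)) : p === name,
  );
}

// Versions of `name` old enough to install; excluded packages skip the delay.
function eligibleVersions(name, minAgeMinutes = MINIMUM_RELEASE_AGE_MINUTES, now = NOW) {
  const pkg = REGISTRY[name];
  if (isExcluded(name)) return pkg.versions;
  const cutoff = now - minAgeMinutes * 60_000;
  return pkg.versions.filter((v) => {
    const published = pkg.time[v];
    // No publish timestamp means the age cannot be verified: fail closed.
    return published !== undefined && Date.parse(published) <= cutoff;
  });
}

console.log(eligibleVersions('some-dep'));      // [ '1.0.0', '1.0.1' ]
console.log(eligibleVersions('@angular/core')); // both versions, delay bypassed
```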
@alan-agius4 alan-agius4 added the action: merge The PR is ready for merge by the caretaker label Sep 17, 2025
@alan-agius4
Contributor Author

This PR was merged into the repository. The changes were merged into the following branches:

alan-agius4 added a commit that referenced this pull request Sep 17, 2025
PR Close #3072
@alan-agius4 alan-agius4 deleted the min-release-age branch September 17, 2025 12:46