chore: add .npmrc with supply chain protection#243
Merged
zainfathoni merged 1 commit intomainfrom Apr 1, 2026
Merged
Conversation
- save-exact=true: pin exact versions instead of semver ranges - min-release-age=7: quarantine newly published packages for 7 days Ref: axios supply chain attack (axios@1.14.1 / plain-crypto-js@4.2.1)
![kodiakhq[bot]](https://avatars.githubusercontent.com/in/29196?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds
.npmrcwith supply chain protection settings:save-exact=true— pin exact versions instead of semver ranges (^x.y.z)min-release-age=7— quarantine newly published packages for 7 daysWhy
In response to the axios supply chain attack (2026-03-31), where a compromised
axios@1.14.1pulled in maliciousplain-crypto-js@4.2.1published minutes before.Note
npm 11 shows a warning about
min-release-agebeing unknown — this config may not be enforced until npm 12. A separate migration to pnpm is tracked in #242, which has full support for this feature (minimum-release-agein minutes).Impact
save-exactworks immediatelymin-release-agewill take effect once npm fully supports it (or after pnpm migration)