Skip to content

chore: add .npmrc with supply chain protection #244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wheeljackz wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: add .npmrc with supply chain protection #244

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .npmrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# Supply chain protection
Copy link
Copy Markdown
Collaborator Author

@wheeljackz wheeljackz Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we do move the repo to npm 11.10+ for supply-chain hardening, I’d consider adding allow-git=none here in the same pass. npm’s own install docs recommend it because git dependencies can override the git executable via nested .npmrc files, and I couldn’t find any git-based deps in package.json or package-lock.json, so it looks like a safe default for this project.

# - save-exact: pin to exact versions instead of semver ranges
# - min-release-age: quarantine newly published packages for 7 days
# (blocks typosquatting & fast-publish supply chain attacks like axios@1.14.1)
save-exact=true
Copy link
Copy Markdown
Collaborator Author

@wheeljackz wheeljackz Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small but important scope gap: save-exact=true only changes how future npm install/add commands write new entries. It does not pin the dependencies already in package.json, and this repo still has many ^ ranges checked in. That means the comment above overstates the current protection level. Could we either normalize the existing dependency ranges in this PR/follow-up, or reword the comment/PR description to say this only affects newly added packages?

min-release-age=7
Copy link
Copy Markdown
Collaborator Author

@wheeljackz wheeljackz Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

min-release-age looks like the right control, but it is not effective on the current toolchain used here yet. In this checkout, npm --version is 11.8.0, and npm warns Unknown ... config "min-release-age"; npm's own rollout notes say this feature landed in CLI 11.10.0+. As written, the PR message says we are quarantining new packages, but today's CI/dev installs will silently ignore this line. I would either pin npm to >=11.10.0 (for example via Volta plus CI setup) or avoid claiming this protection is active yet.

Copy link
Copy Markdown
Collaborator Author

@wheeljackz wheeljackz Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

min-release-age was added in npm CLI 11.10.0. This repo still pins Node 24.1.0 via Volta, and Node 24.1.0 ships npm 11.3.0, so contributors on the documented toolchain will get Unknown project config "min-release-age" before install. I’d either bump the baseline Node/npm version first, or hold this setting until the repo standard is on npm 11.10+.

Copy link
Copy Markdown
Owner

@zainfathoni zainfathoni Apr 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this enables the protection yet. The release-age gate was added in npm CLI 11.10.0+, but the repo currently pins node 24.1.0 in package.json and my local npm here is 11.8.0, which warns Unknown project config "min-release-age" when reading this file. In that toolchain the install still proceeds without the intended guardrail, so we probably need to pin/upgrade npm first (or defer this until the repo guarantees an npm version that supports it).

Loading