chore: enforce 7-day minimum release age for supply chain hardening#550
Merged: backnotprop merged 3 commits into main (Apr 13, 2026)
Add age gating at two layers:
- Renovate: minimumReleaseAge + internalChecksFilter prevent PRs for GitHub Actions versions younger than 7 days
- Bun: minimumReleaseAge in bunfig.toml blocks bun install/update from resolving npm packages published less than 7 days ago

Motivated by the Bun 1.3.12 codesign regression (#541) — Renovate opened #548 two days after the broken release, which would have reintroduced the exact bug we hotfixed in v0.17.9. A 7-day hold also mitigates supply chain attacks (e.g., Axios compromise) where malicious packages are typically caught within hours but naive installs pull them immediately.

For provenance purposes, this commit was AI assisted.

…e gate

Bumped after supply chain audit (maintainer verification, tarball diff, age check):
- diff 8.0.3 → 8.0.4
- @anthropic-ai/claude-agent-sdk 0.2.86 → 0.2.92
- @openai/codex-sdk 0.116.0 → 0.118.0
- marked 17.0.5 → 17.0.6
- @types/node 25.5.0 → 25.5.2

Deferred @opencode-ai/sdk 1.3.5 → 1.3.15 (new cross-spawn runtime dep, server spawning changes need integration testing).

Added @pierre/diffs to minimumReleaseAgeExcludes — current ^1.1.12 specifier can't resolve under the 7-day gate since 1.1.12 is only 6 days old, which would break fresh installs and CI.

For provenance purposes, this commit was AI assisted.
User-invocable only (/update-deps) — spawns parallel Sonnet sub-agents to verify maintainers, publish age, tarball diffs, and provenance for each outdated package. Safe packages get bumped, risky ones are deferred to ~/.supply-chain/notes/ with review-by dates. Recap includes previously deferred packages that still haven't been updated. For provenance purposes, this commit was AI assisted.
Summary
- minimumReleaseAge: "7 days" + internalChecksFilter: "strict" to Renovate config — PRs for GitHub Actions versions younger than 7 days won't be created
- minimumReleaseAge = 604800 to bunfig.toml — bun install / bun update won't resolve npm packages published less than 7 days ago

Motivation
The Bun 1.3.12 codesign regression (#541) exposed a gap: Renovate opened #548 just 2 days after the broken Bun release, which would have reintroduced the exact bug we hotfixed in v0.17.9. A 7-day hold period at both layers (CI dependency updates and local package resolution) provides a buffer for regressions and supply chain attacks to surface before they reach our toolchain.
Test plan
- bun install with a freshly published package respects the age gate
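The interaction between the 7-day gate and a caret specifier that the second commit message describes (^1.1.12 unresolvable because 1.1.12 is only 6 days old, hence the minimumReleaseAgeExcludes entry) can be modelled directly. The following is an added example, not code from this PR or from Bun; it is a small resolver model that applies a minimumReleaseAge cutoff to the `time` map of an npm packument, using constructed publish timestamps and a simplified caret-range check (major >= 1 only).

```javascript
// Added example (not part of the PR, not Bun's resolver): shows how a
// minimumReleaseAge gate interacts with a caret range.

// Constructed sample shaped like an npm packument `time` map
// (version -> ISO publish timestamp). Not real registry data.
const SAMPLE_TIMES = {
  "1.1.10": "2026-03-20T10:00:00.000Z",
  "1.1.11": "2026-03-30T10:00:00.000Z",
  "1.1.12": "2026-04-07T10:00:00.000Z", // 6 days before NOW below
};

// Fixed "current time" so the example is deterministic.
const NOW = new Date("2026-04-13T10:00:00.000Z");

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Simplified caret semantics for major >= 1: same major, version >= base.
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, "");
  return parseVersion(version).major === parseVersion(base).major
    && compareVersions(version, base) >= 0;
}

// Resolve `range` the way an age-gated installer would: newest matching
// version published at least `minimumReleaseAgeSec` seconds before `now`.
// `excluded` models a minimumReleaseAgeExcludes entry (gate skipped).
// Returns null when the gate leaves nothing installable.
function resolveWithAgeGate(times, range, minimumReleaseAgeSec, now, excluded = false) {
  const cutoff = now.getTime() - minimumReleaseAgeSec * 1000;
  const candidates = Object.keys(times)
    .filter((v) => satisfiesCaret(v, range))
    .filter((v) => excluded || Date.parse(times[v]) <= cutoff)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// ^1.1.12 under a 7-day (604800 s) gate: nothing resolves. → null
console.log(resolveWithAgeGate(SAMPLE_TIMES, "^1.1.12", 604800, NOW));
// Same specifier with the package excluded from the gate. → "1.1.12"
console.log(resolveWithAgeGate(SAMPLE_TIMES, "^1.1.12", 604800, NOW, true));
```

A wider range such as ^1.1.10 still resolves under the gate, but to 1.1.11 rather than the 6-day-old 1.1.12, which is the behaviour the Bun layer is meant to produce.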