
Commit 3f6020b

alan-agius4, devversion
authored and committed
build: enable minimumReleaseAge to mitigate dependency chain attacks (#31880)
This change configures pnpm's `minimumReleaseAge` setting to 1 day (1440 minutes). This is a security measure to mitigate dependency chain attacks, where malicious actors publish a new version of a dependency with malicious code and then trick users into updating to it before it can be discovered and reported. By delaying the adoption of new releases, we reduce the window of opportunity for such attacks. The list of excluded packages contains trusted and frequently updated dependencies from the Angular team, which are considered safe to use without this delay. (cherry picked from commit d6b459d)
1 parent e7a0c19 commit 3f6020b


5 files changed

+149
-1
lines changed

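--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,37 @@
+
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
+# List of packages to exclude from the minimum release age check.
+# Wildcards are not yet supported: https://github.com/pnpm/pnpm/issues/9983
+minimumReleaseAgeExclude:
+- '@angular-devkit/architect'
+- '@angular-devkit/build-angular'
+- '@angular-devkit/build-webpack'
+- '@angular-devkit/core'
+- '@angular-devkit/schematics-cli'
+- '@angular-devkit/schematics'
+- '@angular-devkit/architect-cli'
+- '@angular-devkit/architect'
+- '@angular/animations'
+- '@angular/benchpress'
+- '@angular/cdk'
+- '@angular/ng-dev'
+- '@angular/cli'
+- '@angular/ssr'
+- '@angular/common'
+- '@angular/compiler-cli'
+- '@angular/compiler'
+- '@angular/core'
+- '@angular/forms'
+- '@angular/language-service'
+- '@angular/localize'
+- '@angular/material'
+- '@angular/material-moment-adapter'
+- '@angular/platform-browser-dynamic'
+- '@angular/platform-browser'
+- '@angular/platform-server'
+- '@angular/router'
+- '@angular/service-worker'
+- '@ngtools/webpack'
+- '@schematics/angular'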
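Review bot: `'@angular-devkit/architect'` is listed twice in `minimumReleaseAgeExclude` (file lines 8 and 15); one of the two entries should be dropped, and the same duplicate is present in the next two file sections (paths not shown on this page) and in pnpm-workspace.yaml. Every name in this list bypasses the 1-day delay completely, so the comment should state the trust basis for the exclusion rather than only the wildcard limitation, e.g. `# First-party packages published by the Angular team; the release delay is deliberately skipped for them, so a compromise of that publish pipeline is not covered by this control.` The list is now maintained in four copies, which will drift unless one is designated canonical; if the three new files are independent workspaces that cannot inherit the root setting, a comment pointing at the root pnpm-workspace.yaml as the source of truth would help reviewers keep them aligned.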
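--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,37 @@
+
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
+# List of packages to exclude from the minimum release age check.
+# Wildcards are not yet supported: https://github.com/pnpm/pnpm/issues/9983
+minimumReleaseAgeExclude:
+- '@angular-devkit/architect'
+- '@angular-devkit/build-angular'
+- '@angular-devkit/build-webpack'
+- '@angular-devkit/core'
+- '@angular-devkit/schematics-cli'
+- '@angular-devkit/schematics'
+- '@angular-devkit/architect-cli'
+- '@angular-devkit/architect'
+- '@angular/animations'
+- '@angular/benchpress'
+- '@angular/cdk'
+- '@angular/ng-dev'
+- '@angular/cli'
+- '@angular/ssr'
+- '@angular/common'
+- '@angular/compiler-cli'
+- '@angular/compiler'
+- '@angular/core'
+- '@angular/forms'
+- '@angular/language-service'
+- '@angular/localize'
+- '@angular/material'
+- '@angular/material-moment-adapter'
+- '@angular/platform-browser-dynamic'
+- '@angular/platform-browser'
+- '@angular/platform-server'
+- '@angular/router'
+- '@angular/service-worker'
+- '@ngtools/webpack'
+- '@schematics/angular'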
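--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,37 @@
+
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
+# List of packages to exclude from the minimum release age check.
+# Wildcards are not yet supported: https://github.com/pnpm/pnpm/issues/9983
+minimumReleaseAgeExclude:
+- '@angular-devkit/architect'
+- '@angular-devkit/build-angular'
+- '@angular-devkit/build-webpack'
+- '@angular-devkit/core'
+- '@angular-devkit/schematics-cli'
+- '@angular-devkit/schematics'
+- '@angular-devkit/architect-cli'
+- '@angular-devkit/architect'
+- '@angular/animations'
+- '@angular/benchpress'
+- '@angular/cdk'
+- '@angular/ng-dev'
+- '@angular/cli'
+- '@angular/ssr'
+- '@angular/common'
+- '@angular/compiler-cli'
+- '@angular/compiler'
+- '@angular/core'
+- '@angular/forms'
+- '@angular/language-service'
+- '@angular/localize'
+- '@angular/material'
+- '@angular/material-moment-adapter'
+- '@angular/platform-browser-dynamic'
+- '@angular/platform-browser'
+- '@angular/platform-server'
+- '@angular/router'
+- '@angular/service-worker'
+- '@ngtools/webpack'
+- '@schematics/angular'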

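--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
 "engines": {
 "npm": "Please use pnpm instead of NPM to install dependencies",
 "yarn": "Please use pnpm instead of Yarn to install dependencies",
-"pnpm": "^10.0.0"
+"pnpm": "10.16.1"
 },
 "scripts": {
 "ng-dev": "node --no-warnings=ExperimentalWarning --loader ts-node/esm/transpile-only node_modules/@angular/ng-dev/bundles/cli.mjs",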

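--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -36,3 +36,40 @@ catalog:
 '@angular/router': 20.3.0
 '@schematics/angular': 20.3.1
 'rxjs': ^6.6.7
+
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440
+# List of packages to exclude from the minimum release age check.
+# Wildcards are not yet supported: https://github.com/pnpm/pnpm/issues/9983
+minimumReleaseAgeExclude:
+- '@angular-devkit/architect'
+- '@angular-devkit/build-angular'
+- '@angular-devkit/build-webpack'
+- '@angular-devkit/core'
+- '@angular-devkit/schematics-cli'
+- '@angular-devkit/schematics'
+- '@angular-devkit/architect-cli'
+- '@angular-devkit/architect'
+- '@angular/animations'
+- '@angular/benchpress'
+- '@angular/cdk'
+- '@angular/ng-dev'
+- '@angular/cli'
+- '@angular/ssr'
+- '@angular/common'
+- '@angular/compiler-cli'
+- '@angular/compiler'
+- '@angular/core'
+- '@angular/forms'
+- '@angular/language-service'
+- '@angular/localize'
+- '@angular/material'
+- '@angular/material-moment-adapter'
+- '@angular/platform-browser-dynamic'
+- '@angular/platform-browser'
+- '@angular/platform-server'
+- '@angular/router'
+- '@angular/service-worker'
+- '@ngtools/webpack'
+- '@schematics/angular'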
