
CMP-70 Enforce secure NPM dependency practices #124

Merged
ama-leanix merged 3 commits into main from feature/CMP-70-secure-npm-dependencies on Sep 22, 2025

Conversation

@ama-leanix
Contributor

@ama-leanix ama-leanix commented Sep 19, 2025

Summary

This PR strengthens NPM dependency management to mitigate risks from recent supply-chain attacks.

Changes Introduced

  • Added .npmrc with save-exact=true to enforce exact dependency pinning.
  • Updated renovate.json with stronger security settings through the leanix default preset:
    • Extended config:best-practices
    • Enforced internalChecksFilter: strict
    • Added rule requiring a minimum release age of 3 days for all NPM packages
    • Removed automerge for minor/patch updates to avoid premature dependency upgrades
  • Preserved existing settings (config:js-app, timezone, labels, concurrent PR limit).

Why

  • Prevents compromised packages from being automatically introduced.
  • Ensures Renovate PRs align with best practices and require review before merging.
  • Provides a safety buffer to detect malicious packages before adoption.

- Removed automerge for minor/patch updates to avoid premature dependency upgrades.
- Added rule requiring a minimum release age of 3 days for all NPM packages and enforced internalChecksFilter: strict.
- Extended config:best-practices.
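As an added example that is not part of the PR or the repository's own code: a small Node.js check a CI job could run to verify the policy the description lays out (exact pins in package.json, save-exact=true in .npmrc, and the Renovate guardrails). It assumes the Renovate settings are stated directly in renovate.json rather than only inherited through the leanix preset, and all inputs are constructed samples.

```javascript
// Added example (not code from the PR or the repository): a CI-style check for the
// policy this PR describes: exact pins via save-exact, plus Renovate guardrails.
// An exact pin is MAJOR.MINOR.PATCH with optional prerelease/build, no range operators.
const EXACT_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// Return "field.name=spec" for every dependency that is a range rather than an exact pin.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_RE.test(spec)) out.push(`${field}.${name}=${spec}`);
    }
  }
  return out;
}
// .npmrc is key=value per line; true when save-exact=true is set (whitespace-tolerant).
function hasSaveExact(npmrcText) {
  return npmrcText.split(/\r?\n/).some((l) => l.replace(/\s+/g, "") === "save-exact=true");
}
// Convert Renovate's minimumReleaseAge ("3 days", "72 hours") to days; other units -> 0.
function releaseAgeDays(value) {
  const m = /^(\d+)\s*(days?|hours?)$/i.exec(String(value).trim());
  if (!m) return 0;
  return m[2].toLowerCase().startsWith("hour") ? Number(m[1]) / 24 : Number(m[1]);
}
// Verify the Renovate settings the PR requires; returns findings (empty array = compliant).
// Assumes the settings are stated in this file rather than only inherited from a preset.
function checkRenovate(cfg, minDays = 3) {
  const rules = cfg.packageRules || [];
  const findings = [];
  if (!(cfg.extends || []).includes("config:best-practices")) findings.push("missing config:best-practices");
  if (cfg.internalChecksFilter !== "strict") findings.push("internalChecksFilter is not strict");
  const npmRules = rules.filter((r) => (r.matchDatasources || []).includes("npm"));
  if (!npmRules.some((r) => releaseAgeDays(r.minimumReleaseAge) >= minDays)) {
    findings.push(`no npm rule with minimumReleaseAge >= ${minDays} days`);
  }
  if (cfg.automerge === true || rules.some((r) => r.automerge === true)) findings.push("automerge enabled");
  return findings;
}
// Constructed sample inputs standing in for package.json, .npmrc and renovate.json.
const SAMPLE_PKG = { dependencies: { express: "4.21.2", lodash: "^4.17.21" }, devDependencies: { jest: "~29.7.0" } };
const SAMPLE_NPMRC = "save-exact=true\n";
const SAMPLE_RENOVATE = {
  extends: ["config:js-app", "config:best-practices"], internalChecksFilter: "strict",
  packageRules: [{ matchDatasources: ["npm"], minimumReleaseAge: "3 days", automerge: false }],
};
console.log("unpinned:", findUnpinned(SAMPLE_PKG)); // the two range specifiers are flagged
console.log("save-exact:", hasSaveExact(SAMPLE_NPMRC)); // true
console.log("renovate findings:", checkRenovate(SAMPLE_RENOVATE)); // []
```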
@ama-leanix ama-leanix self-assigned this Sep 19, 2025
@ama-leanix ama-leanix requested a review from a team as a code owner September 19, 2025 09:11
@ama-leanix ama-leanix requested review from CharariLeanIX, FlorianTopf, alexander-sap, dbogolyubov, psantos9 and reshailleanix and removed request for a team September 19, 2025 09:11

@psantos9 psantos9 left a comment


LGTM

@ama-leanix ama-leanix merged commit 7f222d6 into main Sep 22, 2025
2 checks passed
@ama-leanix ama-leanix deleted the feature/CMP-70-secure-npm-dependencies branch September 22, 2025 11:11
