docs: add page about Mitigating supply chain attacks

zkochan · zkochan · commit eacba2905880 · 2025-09-16T09:36:33.000+02:00
diff --git a/blog/releases/10.14.md b/blog/releases/10.14.md
@@ -9,6 +9,8 @@ date: 2025-07-31
 
 Declare Node.js, Deno, or Bun in [`devEngines.runtime`](https://github.com/openjs-foundation/package-metadata-interoperability-collab-space/issues/15) (inside `package.json`) and let pnpm download and pin it automatically.
 
+<!-- truncate -->
+
 Usage example:
 
 ```json
diff --git a/blog/releases/10.15.md b/blog/releases/10.15.md
@@ -11,6 +11,8 @@ date: 2025-08-19
 
 Added the [`cleanupUnusedCatalogs`](/settings#cleanupunusedcatalogs) configuration. When set to `true`, pnpm will remove unused catalog entries during installation [#9793](https://github.com/pnpm/pnpm/pull/9793).
 
+<!-- truncate -->
+
 ### Config dependency improvement
 
 pnpm will now automatically load pnpmfiles from [config dependencies](/config-dependencies) that are named `@*/pnpm-plugin-*` [#9780](https://github.com/pnpm/pnpm/issues/9780).
diff --git a/blog/releases/10.16.md b/blog/releases/10.16.md
@@ -11,6 +11,8 @@ date: 2025-09-12
 
 There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour.
 
+<!-- truncate -->
+
 The new setting is called [`minimumReleaseAge`]. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting `minimumReleaseAge: 1440` ensures that only packages released at least one day ago can be installed.
 
 If you set `minimumReleaseAge` but need to disable this restriction for certain dependencies, you can list them under the [`minimumReleaseAgeExclude`] setting. For instance, with the following configuration pnpm will always install the latest version of webpack, regardless of its release time:
diff --git a/docs/supply-chain-security.md b/docs/supply-chain-security.md
@@ -0,0 +1,19 @@
+---
+id: supply-chain-security
+title: Mitigating supply chain attacks
+---
+
+Sometimes npm packages are compromised and published with malware. Luckily, there are companies like [Socket], [Snyk], and [Aikido] that detect these compromised packages early. The npm registry usually removes the affected versions within hours. However, there is always a window of time between when the malware is published and when it is detected, during which you could be exposed. Fortunately, there are some things you can do with pnpm to minimize the risks.
+
+Historically, most compromised packages have used `postinstall` scripts to run code immediately upon installation. To mitigate this, pnpm v10 disables the automatic execution of `postinstall` scripts in dependencies. Although there is a setting to re-enable them globally using [dangerouslyAllowAllBuilds], we recommend explicitly listing only trusted dependencies. This way, if a dependency did not require a build in the past, it won't suddenly run a malicious script if a compromised version is published. Still, we recommend being cautious when updating a trusted package that has a `postinstall` script, as [it might get compromised].
+
+Another way to reduce the risk of installing compromised packages is to delay updates to your dependencies. Since malware is usually detected quickly, delaying updates by 24 hours will most likely prevent you from installing a bad version. The [`minimumReleaseAge`] setting defines the minimum number of minutes that must pass after a version is published before pnpm will install it. For example, set it to `1440` to wait one day, or `10080` to wait one week before installing a new version.
+
+It goes without saying that you should always lock your dependencies with a lockfile. Commit your lockfile to your repository to avoid unexpected updates.
+
+[Socket]: https://socket.dev/
+[Snyk]: https://snyk.io
+[Aikido]: https://www.aikido.dev/
+[dangerouslyAllowAllBuilds]: settings.md#dangerouslyallowallbuilds
+[it might get compromised]: https://socket.dev/blog/nx-packages-compromised
+[minimumReleaseAge]: settings.md#minimumreleaseage
diff --git a/sidebars.json b/sidebars.json
@@ -119,6 +119,7 @@
     "Recipes": [
       "using-changesets",
       "continuous-integration",
+      "supply-chain-security",
       "typescript",
       "git",
       "docker",
diff --git a/versioned_sidebars/version-10.x-sidebars.json b/versioned_sidebars/version-10.x-sidebars.json
@@ -367,6 +367,10 @@
           "type": "doc",
           "id": "continuous-integration"
         },
+        {
+          "type": "doc",
+          "id": "supply-chain-security"
+        },
         {
           "type": "doc",
           "id": "typescript"
