Skip to content

fix(supply-chain): activate the minimumReleaseAge gate (hoist out of pnpm: key)#2973

Open
sturdy4days wants to merge 1 commit into
nanocoai:mainfrom
sturdy4days:fix/activate-minimum-release-age-gate
Open

fix(supply-chain): activate the minimumReleaseAge gate (hoist out of pnpm: key)#2973
sturdy4days wants to merge 1 commit into
nanocoai:mainfrom
sturdy4days:fix/activate-minimum-release-age-gate

Conversation

@sturdy4days

Copy link
Copy Markdown
Contributor

Type of Change

  • Fix - bug fix or security fix to source code

Description

What: Moves minimumReleaseAge: 4320 in pnpm-workspace.yaml from under a pnpm: key to the top level.

Why: pnpm reads a pnpm: config block only from package.json. In pnpm-workspace.yaml the setting must be declared at the top level; nested under a pnpm: key it is silently ignored, so the declared 3-day supply-chain release-age gate has been a no-op since it was added. New package versions were resolvable the moment they were published, with none of the intended soak time.

How tested: with pnpm 10.33.0, on this repo's workspace:

# nested under `pnpm:` (current main)
$ pnpm config get minimumReleaseAge
undefined

# top level (this PR)
$ pnpm config get minimumReleaseAge
4320

No behavior change beyond making the already-declared gate effective.

Distinct from #2749, which gates agent-requested npm installs at runtime; this restores the build-time dependency-resolution gate that the workspace already intends to enforce.

…`pnpm:` key)

pnpm reads a `pnpm:` config block only from package.json. In
pnpm-workspace.yaml the setting must be top-level; nested under `pnpm:` it is
silently ignored, so the declared 3-day supply-chain release-age gate has been a
no-op since it was introduced.

Verified with pnpm 10.33.0:
  nested (current)  -> `pnpm config get minimumReleaseAge` = undefined
  top-level (fixed) -> `pnpm config get minimumReleaseAge` = 4320

No behavior change beyond making the already-declared gate effective.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sturdy4days

Copy link
Copy Markdown
Contributor Author

@gavrielc @gabi-simons — when you have a chance, could one of you review this focused supply-chain configuration fix? The branch is mergeable and CI is green.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

follows-guidelines PR was created using the current contributing template PR: Fix Bug fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant