feat: release-age cooldown (minimumReleaseAge)#87
Open
donfear wants to merge 1 commit into
Open
Conversation
Versions published more recently than a configurable window are not offered as upgrade targets — in the TUI, in reports, and in --apply. Freshly published versions are the most likely to be a compromised release nobody has caught yet; this is the same supply-chain guard as pnpm's minimumReleaseAge (same name, same unit: minutes), which this repo already applies to itself. - --minimum-release-age <minutes> CLI flag; .inuprc keys minimumReleaseAge + minimumReleaseAgeExclude (glob patterns, like ignore). CLI wins over config. - Publish times only exist in the FULL packument, so the policy opts the fetch out of the abbreviated install-v1 format; ETag cache keys gain a #full variant so a 304 can never revive the wrong format. - The gate is applied at resolve time (not baked into cached data), so versions maturing past the window reappear without a cache change. - When the true latest is gated, its deprecation/engines signals are dropped rather than misattributed; if every version is too young the installed version becomes the effective latest (nothing to offer). - Registries without time data degrade to a no-op.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the top 'Next' item from the audit roadmap: a supply-chain cooldown that refuses to offer versions published more recently than a configurable window. Freshly published versions are the ones most likely to be a compromised release nobody has caught yet — this is the same guard as pnpm's
minimumReleaseAge(same name, same unit: minutes), which this repo already applies to itself inpnpm-workspace.yaml.Usage
inup --minimum-release-age 10080 # ignore versions younger than 7 daysor in
.inuprc(CLI wins over config; exclusions support the same globs asignore):{ "minimumReleaseAge": 10080, "minimumReleaseAgeExclude": ["@myco/*"] }The gate applies everywhere version targets are computed (detector level), so the TUI,
--json/--checkreports, and--applyall respect it.Design notes
application/json— only when enabled, so default runs keep the small payloads. ETag cache keys get a#fullvariant so a 304 can never revive a body of the wrong format.timedegrade to a no-op; missing/unparsable timestamps keep the version visible.Verification
semver: ~7.5.0: no cooldown → latest7.8.5;--minimum-release-age 1576800(3 years) → effective latest7.5.3.Follow-ups (deliberately out of scope):
released Nd agobadge in the TUI, aminimum-release-ageinput on the GitHub Action.