mirror of https://github.com/jbranchaud/til synced 2026-07-02 23:58:25 +00:00

Add Avoid Vulnerabilities In New Package Versions as a PNPM TIL

This commit is contained in:
jbranchaud
2026-03-31 11:33:13 -05:00
parent 906253b7dc
commit 1120bb2018
2 changed files with 31 additions and 1 deletions
+2 -1
@@ -10,7 +10,7 @@ working across different projects via [VisualMode](https://www.visualmode.dev/).
For a steady stream of TILs, [sign up for my newsletter](https://visualmode.kit.com/newsletter).
_1770 TILs and counting..._
_1771 TILs and counting..._
See some of the other learning resources I work on:
@@ -847,6 +847,7 @@ If you've learned something here, support my efforts writing daily TILs by
### pnpm
- [Avoid Vulnerabilities In New Package Versions](pnpm/avoid-vulnerabilities-in-new-package-versions.md)
- [Execute A Command From The Workspace Root](pnpm/execute-a-command-from-the-workspace-root.md)
- [Install Command Runs For Entire Workspace](pnpm/install-command-runs-for-entire-workspace.md)
- [List The Installed Version Of A Specific Package](pnpm/list-the-installed-version-of-a-specific-package.md)
@@ -0,0 +1,29 @@
# Avoid Vulnerabilities In New Package Versions
It seems like every week there is a new supply chain attack where malicious code
is embedded in a popular, widely-used OSS package. This week's is
[axios](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan).
The [`pnpm` package manager](https://pnpm.io/) has a nice feature that helps
avoid installing these vulnerable package versions in the first place.
> To reduce the risk of installing compromised packages, you can delay the
> installation of newly published versions. In most cases, malicious releases
> are discovered and removed from the registry within an hour.
The [`minimumReleaseAge` config option](https://pnpm.io/settings#minimumreleaseage) tells `pnpm` to not install
a dependency (including transitive ones) until it has been released for at least
that many minutes.
For instance, if you wanted to set this to 72 hours, then you'd set this option
to `4320` minutes like so:
```
$ pnpm config set minimum-release-age 4320 -g
```
The global flag (`-g`) will set that in your global config location, e.g.
`$XDG_CONFIG_HOME/pnpm/rc`. You could also add it specifically to your project
in the `pnpm-workspace.yaml` file.
[source](https://bsky.app/profile/styfle.dev/post/3miekuyeyrs2w)
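Review bot: The closing paragraph says the setting can also be added to `pnpm-workspace.yaml` but never shows the key, so a reader who only knows the kebab-case CLI form from the code block is left guessing; suggest adding the YAML form alongside the `pnpm config set` example using the setting name the post already cites, e.g. `minimumReleaseAge: 4320`. Also, the fenced block starting at `$ pnpm config set minimum-release-age 4320 -g` has no language tag; tagging it `sh` matches the `$` prompt and improves rendering.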