From 1120bb201837fbac1b0928955b29967597a29b71 Mon Sep 17 00:00:00 2001 From: jbranchaud Date: Tue, 31 Mar 2026 11:33:13 -0500 Subject: [PATCH] Add Avoid Vulnerabilities In New Package Versions as a PNPM TIL --- README.md | 3 +- ...vulnerabilities-in-new-package-versions.md | 29 +++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 pnpm/avoid-vulnerabilities-in-new-package-versions.md diff --git a/README.md b/README.md index 768da38..7df2ff4 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ working across different projects via [VisualMode](https://www.visualmode.dev/). For a steady stream of TILs, [sign up for my newsletter](https://visualmode.kit.com/newsletter). -_1770 TILs and counting..._ +_1771 TILs and counting..._ See some of the other learning resources I work on: @@ -847,6 +847,7 @@ If you've learned something here, support my efforts writing daily TILs by ### pnpm +- [Avoid Vulnerabilities In New Package Versions](pnpm/avoid-vulnerabilities-in-new-package-versions.md) - [Execute A Command From The Workspace Root](pnpm/execute-a-command-from-the-workspace-root.md) - [Install Command Runs For Entire Workspace](pnpm/install-command-runs-for-entire-workspace.md) - [List The Installed Version Of A Specific Package](pnpm/list-the-installed-version-of-a-specific-package.md) diff --git a/pnpm/avoid-vulnerabilities-in-new-package-versions.md b/pnpm/avoid-vulnerabilities-in-new-package-versions.md new file mode 100644 index 0000000..460a0c1 --- /dev/null +++ b/pnpm/avoid-vulnerabilities-in-new-package-versions.md 
@@ -0,0 +1,29 @@ +# Avoid Vulnerabilities In New Package Versions + +It seems like every week there is a new supply chain attack where malicious code +is embedded in a popular, widely-used OSS package. This week's is +[axios](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan). + +The [`pnpm` package manager](https://pnpm.io/) has a nice feature that helps +avoid installing these vulnerable package versions in the first place. + +> To reduce the risk of installing compromised packages, you can delay the +> installation of newly published versions. In most cases, malicious releases +> are discovered and removed from the registry within an hour. + +The [`minimumReleaseAge` config option](https://pnpm.io/settings#minimumreleaseage) tells `pnpm` to not install +a dependency (including transitive ones) until it has been released for at least +that many minutes. + +For instance, if you wanted to set this to 72 hours, then you'd set this option +to `4320` minutes like so: + +``` +$ pnpm config set minimum-release-age 4320 -g +``` + +The global flag (`-g`) will set that in your global config location, e.g. +`$XDG_CONFIG_HOME/pnpm/rc`. You could also add it specifically to your project +in the `pnpm-workspace.yaml` file. + +[source](https://bsky.app/profile/styfle.dev/post/3miekuyeyrs2w)
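Review bot: In the new pnpm/avoid-vulnerabilities-in-new-package-versions.md hunk, the prose names the setting `minimumReleaseAge` while the command sets `minimum-release-age`, and the two spellings are never tied together, so a reader who copies the camelCase name into `pnpm config set` or the kebab-case name into `pnpm-workspace.yaml` ends up with the wrong form. Suggest one sentence after the `pnpm config set` block saying that the CLI and rc file take the kebab-case key while `pnpm-workspace.yaml` takes the camelCase key, and showing the project-level form the last paragraph refers to but never shows, e.g. `minimumReleaseAge: 4320`. A caveat would also help: the delay applies to every newly published version, so a 72-hour window holds back security fixes as well as malicious releases; since the quoted pnpm text says malicious releases are usually pulled within an hour, the doc could note that teams should pick the window deliberately rather than treat 4320 as a default.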