Mirror of https://github.com/jbranchaud/til (synced 2026-07-03 08:08:24 +00:00)
Add Avoid Vulnerabilities In New Package Versions as a PNPM TIL
@@ -10,7 +10,7 @@ working across different projects via [VisualMode](https://www.visualmode.dev/).

For a steady stream of TILs, [sign up for my newsletter](https://visualmode.kit.com/newsletter).

_1770 TILs and counting..._
_1771 TILs and counting..._

See some of the other learning resources I work on:

@@ -847,6 +847,7 @@ If you've learned something here, support my efforts writing daily TILs by

### pnpm

- [Avoid Vulnerabilities In New Package Versions](pnpm/avoid-vulnerabilities-in-new-package-versions.md)
- [Execute A Command From The Workspace Root](pnpm/execute-a-command-from-the-workspace-root.md)
- [Install Command Runs For Entire Workspace](pnpm/install-command-runs-for-entire-workspace.md)
- [List The Installed Version Of A Specific Package](pnpm/list-the-installed-version-of-a-specific-package.md)

@@ -0,0 +1,29 @@
# Avoid Vulnerabilities In New Package Versions

It seems like every week there is a new supply chain attack where malicious code
is embedded in a popular, widely-used OSS package. This week's is
[axios](https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan).

The [`pnpm` package manager](https://pnpm.io/) has a nice feature that helps
avoid installing these vulnerable package versions in the first place.

> To reduce the risk of installing compromised packages, you can delay the
> installation of newly published versions. In most cases, malicious releases
> are discovered and removed from the registry within an hour.

The [`minimumReleaseAge` config option](https://pnpm.io/settings#minimumreleaseage) tells `pnpm` to not install
a dependency (including transitive ones) until it has been released for at least
that many minutes.

For instance, if you wanted to set this to 72 hours, then you'd set this option
to `4320` minutes like so:

```
$ pnpm config set minimum-release-age 4320 -g
```

The global flag (`-g`) will set that in your global config location, e.g.
`$XDG_CONFIG_HOME/pnpm/rc`. You could also add it specifically to your project
in the `pnpm-workspace.yaml` file.

[source](https://bsky.app/profile/styfle.dev/post/3miekuyeyrs2w)
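Review bot: the `-g` example writes the setting into the developer's own home-directory config, so it protects only that machine; a teammate or a CI runner resolving the same `package.json` gets no delay at all. The per-project form that the last paragraph only mentions in passing is the one that travels with the repository and should be the primary recommendation, and it is worth spelling out that the key is camelCase there while the CLI/`.npmrc` spelling in the example is kebab-case, e.g. in `pnpm-workspace.yaml`: `minimumReleaseAge: 4320`. The TIL should also state the limitation of the approach: a delay only helps if the compromised version is pulled from the registry inside the window. The quoted docs say that usually happens within an hour, so 72 hours leaves a comfortable margin, but a malicious release that survives longer than that installs exactly as it would without the setting.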