feat(repo): add 7-day cooldown period for npm package releases#886
Merged
feat(repo): add 7-day cooldown period for npm package releases#886
Conversation
Set npmMinimalAgeGate to 7d in .yarnrc.yml to block installation of packages published within the last 7 days. Set minimumReleaseAge to "7 days" and internalChecksFilter to "strict" in renovate.json to prevent PR/branch creation until the age requirement is met. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add osvVulnerabilityAlerts and vulnerabilityAlerts.minimumReleaseAge: null to ensure security vulnerability updates are not blocked by the 7-day cooldown period. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add npmMinimalAgeGate: 7d to scaffold .yarnrc.yml so that projects created with create-frontend also block installation of packages published within the last 7 days. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
YusukeHirao
approved these changes
Apr 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
npmサプライチェーン攻撃対策として、公開から 7日未満 のパッケージをインストール・更新対象から除外するクールダウン期間を設定します。
.yarnrc.ymlにnpmMinimalAgeGate: 7dを追加(Yarn 4.10.0+)packages/@d-zero/scaffold/.yarnrc.ymlにも同様に追加(create-frontend で生成されるプロジェクトにも適用).github/renovate.jsonにminimumReleaseAge: "7 days"およびinternalChecksFilter: "strict"を追加なぜ7日なのか
悪意あるパッケージの多くは公開から数時間〜数日以内に検出・削除されます。公開直後の短期間をブロックするだけで高い防御効果が得られます。
3日(Renovate の
config:best-practicesデフォルト)では防御期間として短く、14日以上は開発速度への影響が大きくなるため、7日を採用しています。Andrew Nesbitt も7日間のクールダウンの有効性について言及しています(Package Managers Need to Cool Down)。参考資料
npmMinimalAgeGateconfiguration動作
yarn install時、公開7日未満のパッケージが含まれるとエラーで停止Warning
Yarn 側には緊急時のバイパス手段がありません。
セキュリティパッチなど公開直後のパッケージをどうしても即座にインストールする必要がある場合は、
.yarnrc.ymlのnpmMinimalAgeGateを一時的にコメントアウトして対応してください。対応後は必ず元に戻してください。