Add 2 day wait period for dependencies#164
Conversation
jdmarshall
force-pushed
the
security
branch
2 times, most recently
from
bd3b669 to
175d318
Compare
A delay of one or more days is recommended for supply chain attack prevention.
|
Hmmm. Why is 22 failing? |
|
It could be caused by a update in the V8 on V22 since the benchmark that is failing is |
There was a problem hiding this comment.
We can add more configs, such as trust level.
There was a problem hiding this comment.
trustPolicy: no-downgrade
minimumReleaseAge: 2880 # 2d
minimumReleaseAgeStrict: true
blockExoticSubdeps: true
There was a problem hiding this comment.
Aren't those pnpm flags?
Also why the fuck did npm change the units for minimumReleaseAge? The internet tried to get me to use 1440 days and I had to force push a change.
There was a problem hiding this comment.
O.o, I swear we were already using pnpm here, I did so many migrations that I only thought this was a feature only for pnpm 😆
Looks like the npm does not have trust factor or block exotic subdeps :/
There was a problem hiding this comment.
If nodejs has a dumpster fire, it's not express, it's npm.
npm warn Unknown project config "minimumReleaseAge". This will stop working in the next major version of npm.
On node 24. wtaf
[Ben_Affleck_Smoking.gif]
2 participants
A delay of one or more days is recommended for supply chain attack prevention.