Skip to content

chore(deps): pin dependencies to versions at least 7 days old#1598

Open
RaananW wants to merge 3 commits into
masterfrom
deps-7day-policy
Open

chore(deps): pin dependencies to versions at least 7 days old#1598
RaananW wants to merge 3 commits into
masterfrom
deps-7day-policy

Conversation

@RaananW

@RaananW RaananW commented Jul 10, 2026

Copy link
Copy Markdown
Member

What

Enforces the new company-wide policy that npm dependencies must be at least 7 days old, and makes it automatic going forward.

1. Repin too-new locked versions

Four packages were resolved to versions published only 1–2 days ago; each is pinned back to the newest version published on or before the 7-day cutoff (2026-07-03), still satisfying its existing semver ranges.

Package Was Now Published
baseline-browser-mapping 2.10.42 2.10.41 Jul 2
electron-to-chromium 1.5.387 1.5.385 Jul 2
tsx 4.23.0 4.22.5 Jul 2
webpack 5.108.4 5.108.3 Jun 29

2. Enforce the policy going forward

  • .npmrc: min-release-age=7 — npm will only install versions public for ≥ 7 days (npm 11.10.0+ feature; older npm silently ignores it).
  • .npmrc: engine-strict=true — enforce the engines requirement below.
  • package.json engines.npm: >=11.10.0, since older npm ignores min-release-age.

How

  • Scanned all 981 unique name@version entries in package-lock.json against npm registry publish times.
  • Repinned the 4 too-new entries (version + resolved + integrity), then ran npm install --package-lock-only to reconcile (no sub-dependency changes, 0 vulnerabilities).
  • Re-scanned: 0 packages remain under 7 days old.

Note: engine-strict=true means npm install now fails on npm < 11.10.0. Developers/CI must be on npm ≥ 11.10.0.

Downgrade four transitive/direct deps whose locked versions were
published less than 7 days ago to the newest versions published on or
before the 7-day cutoff, per company policy:

- baseline-browser-mapping 2.10.42 -> 2.10.41
- electron-to-chromium 1.5.387 -> 1.5.385
- tsx 4.23.0 -> 4.22.5
- webpack 5.108.4 -> 5.108.3

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@bjsplat

bjsplat commented Jul 10, 2026

Copy link
Copy Markdown

RaananW and others added 2 commits July 10, 2026 16:11
Add an .npmrc with min-release-age=7 so npm only installs package
versions published at least 7 days ago (npm 11.10.0+ feature), and
engine-strict=true to enforce the engines requirement. Require
npm >= 11.10.0 in package.json engines, since older npm silently
ignores min-release-age.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
npm ci was failing with EBADENGINE because Node 22.x ships npm 10.x,
below the engines requirement (npm >= 11.10.0) needed for the
min-release-age dependency-cooldown policy. Node 24.x bundles
npm 11.16+, satisfying the requirement.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@bjsplat

bjsplat commented Jul 10, 2026

Copy link
Copy Markdown

@RaananW RaananW enabled auto-merge (squash) July 10, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants