Skip to content

chore: Enforce Node supply chain protections#18

Open
quant-ranger[bot] wants to merge 1 commit into
mainfrom
node-dependency-cooldown-fixes
Open

chore: Enforce Node supply chain protections#18
quant-ranger[bot] wants to merge 1 commit into
mainfrom
node-dependency-cooldown-fixes

Conversation

@quant-ranger

@quant-ranger quant-ranger Bot commented Jul 13, 2026

Copy link
Copy Markdown

This PR sets a minimum dependency release age and blocks exotic subdependencies in the configurations of bun, pnpm and npm.

Via those options we delay installing freshly published versions of packages that may have been compromised as part of a supply chain attack.
Exotic subdependencies could hide malicious code, so we block them entirely in pnpm.

Packages within the @quantco scope are explicitly excluded from these measures.

If you run into any problems, feel free to ping Jakob Klaushofer (@JakobKlaushoferQC) or Yannik Tausch (@ytausch).

X-Quant-Ranger: node-dependency-cooldown
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant