Skip to content

chore: Enforce Node supply chain protections#21

Open
quant-ranger[bot] wants to merge 1 commit into
mainfrom
node-dependency-cooldown-fixes
Open

chore: Enforce Node supply chain protections#21
quant-ranger[bot] wants to merge 1 commit into
mainfrom
node-dependency-cooldown-fixes

Conversation

@quant-ranger

@quant-ranger quant-ranger Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

This PR sets a minimum dependency release age and blocks exotic subdependencies in the configurations of bun, pnpm and npm.

Via those options we delay installing freshly published versions of packages that may have been compromised as part of a supply chain attack.
Exotic subdependencies could hide malicious code, so we block them entirely in pnpm.

Packages within the @quantco scope are explicitly excluded from these measures.

If you run into any problems, feel free to ping Jakob Klaushofer (@JakobKlaushoferQC) or Yannik Tausch (@ytausch).

X-Quant-Ranger: node-dependency-cooldown
@quant-ranger quant-ranger Bot requested a review from a team as a code owner July 13, 2026 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants