Skip to content

feat: security update pnpm#87

Open
WybeBosch wants to merge 2 commits intomainfrom
feat/security-update-pnpm
Open

feat: security update pnpm#87
WybeBosch wants to merge 2 commits intomainfrom
feat/security-update-pnpm

Conversation

@WybeBosch
Copy link
Copy Markdown
Contributor

@WybeBosch WybeBosch commented Mar 31, 2026
edited
Loading

Wat is er veranderd

.npmrc krijgt een paar security instellingen om het risico op supply chain aanvallen te verkleinen.

Waarom

Er was recent een aanval op het axios npm pakket waarbij compromised versies een Remote Access Trojan installeerden:
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Op HackerNews kwam een goede tip voorbij:
https://news.ycombinator.com/item?id=47582632

SA: npm/bun/pnpm/uv now all support setting a minimum release age for packages.
I also have ignore-scripts=true in my ~/.npmrc. Based on the analysis, that alone would have mitigated the vulnerability. bun and pnpm do not execute lifecycle scripts by default.

Here's how to set global configs to set min release age to 7 days:

~/.config/uv/uv.toml
exclude-newer = "7 days"

~/.npmrc
min-release-age=7 # days
ignore-scripts=true

~/Library/Preferences/pnpm/rc
minimum-release-age=10080 # minutes

~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # seconds

Met een minimum release age blokkeer je pakketten die net gepubliceerd zijn. Hiermee voorkom je dat jij toevallig net pnpm update draait, terwijl 30 minuten geleden een package gehackt is. Als een breach niet binnen 7 dagen ontdekt word, hebben we een groter probleem haha :P

Gecombineerd met ignore-scripts=true haal je al een hoop risico weg.

@WybeBosch WybeBosch requested review from a team as code owners March 31, 2026 11:56
@WybeBosch WybeBosch added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 31, 2026
@WybeBosch WybeBosch force-pushed the feat/security-update-pnpm branch from 9e67f0b to 3333e10 Compare March 31, 2026 12:00
@WybeBosch WybeBosch self-assigned this Mar 31, 2026
Rovasch
Rovasch reviewed Mar 31, 2026
View reviewed changes
.npmrc Outdated
minimum-release-age=10080

# Prevent running scripts during installation to avoid potential security risks
ignore-scripts=true
Copy link
Copy Markdown
Contributor

@Rovasch Rovasch Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Volgens mij is die ignore-scripts niet per se nodig, gezien de postinstall al geblokt is, weet niet of er eigen scripts runnen, die block je nu ook.

https://pnpm.io/supply-chain-security

Copy link
Copy Markdown
Contributor Author

@WybeBosch WybeBosch Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

U are right, ik heb hem weg gehaald :D voor pnpm is dat al beter.

Wel nog voor npm nodig. maargoed brave is geen npm meer

This was referenced Mar 31, 2026
Open
Open
Open
Open
@WybeBosch WybeBosch force-pushed the feat/security-update-pnpm branch from 9f583bd to 2a35e2a Compare March 31, 2026 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SimonvanWijhe SimonvanWijhe SimonvanWijhe approved these changes

@YvetteNikolov YvetteNikolov YvetteNikolov approved these changes

@Rovasch Rovasch Rovasch approved these changes

@ShunLuk ShunLuk Awaiting requested review from ShunLuk ShunLuk is a code owner automatically assigned from yardinternet/wordpress-backend

@dtakken dtakken Awaiting requested review from dtakken dtakken is a code owner automatically assigned from yardinternet/wordpress-backend

@mvdhoek1 mvdhoek1 Awaiting requested review from mvdhoek1 mvdhoek1 is a code owner automatically assigned from yardinternet/wordpress-backend

@ictbeheer ictbeheer Awaiting requested review from ictbeheer ictbeheer is a code owner automatically assigned from yardinternet/wordpress-backend

@rivanuff rivanuff Awaiting requested review from rivanuff rivanuff is a code owner automatically assigned from yardinternet/wordpress-backend

@Yannicvanveen Yannicvanveen Awaiting requested review from Yannicvanveen Yannicvanveen is a code owner automatically assigned from yardinternet/wordpress-frontend

@laravdiemen laravdiemen Awaiting requested review from laravdiemen laravdiemen is a code owner automatically assigned from yardinternet/wordpress-frontend

@JasperS20 JasperS20 Awaiting requested review from JasperS20 JasperS20 is a code owner automatically assigned from yardinternet/wordpress-frontend

@FreakyWizard FreakyWizard Awaiting requested review from FreakyWizard FreakyWizard is a code owner automatically assigned from yardinternet/wordpress-frontend

Assignees

@WybeBosch WybeBosch

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@WybeBosch @SimonvanWijhe @YvetteNikolov @Rovasch