
Use cooldowns to reduce the risk of supply chain attacks#1465

Merged
zetter-rpf merged 3 commits into main from dependency-update-management on May 14, 2026

Conversation

@zetter-rpf (Contributor) commented May 13, 2026

Related to a similar change in editor-standalone: https://github.com/RaspberryPiFoundation/editor-standalone/pull/881

This does three things:

  • Set up dependabot so we get non-security updates too, with a cooldown
  • Add a cooldown to yarn using the npmMinimalAgeGate setting.
  • Make docker's use of yarn more consistent with other environments

See commits for more

Without this file, we are only receiving security updates [1].

Add a cooldown similar to editor API to reduce the risk of supply chain attacks. It will also delay us updating to cutting edge new releases that might have issues.

Note that this doesn't dependabot security updates.

[1] - https://docs.github.com/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file
This reduces the risk of supply chain attacks by preventing us from installing very new packages [1]. It also reduces the risk of us relying on a package that is removed (since it's harder to remove a package after 72 hours [2]).

While this does a similar task to the dependabot cooldown, it will also prevent us from installing new packages locally.

I've added our internal packages to the pre-approved list as we often want to update these immediately after making changes.

I'm unsure how this interacts with dependabot - if it will still make PRs for security issues and if those updates might fail. This is something I will monitor.

I've chosen a slightly shorter cooldown compared to dependabot as I don't want this to be a barrier to us manually upgrading packages we intend to.

[1] - https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate
[2] - https://docs.npmjs.com/unpublishing-packages-from-the-registry
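The PR does not show the contents of the two files it adds, so the following is an added example of what the cooldown configuration described above looks like; it is not the project's own configuration. The setting names (npmMinimalAgeGate, npmPreapprovedPackages, Dependabot cooldown) are the ones the PR and the Copilot summary name; the day counts, the internal package scope and the comments are assumptions made for illustration, following the PR's stated choice of a yarn gate slightly shorter than the Dependabot cooldown.

```yaml
# .github/dependabot.yml  (added example; all values are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"        # check daily, but only propose aged versions
    # Dependabot will not open a version-update PR for a release until it has
    # been on the registry for at least this many days. Security updates are a
    # separate Dependabot feature and are not configured by this block.
    cooldown:
      default-days: 7          # assumed default for all npm dependencies
      semver-major-days: 14    # assumed: wait longer before taking a major
      semver-minor-days: 7
      semver-patch-days: 3
    open-pull-requests-limit: 10

---
# .yarnrc.yml  (added example; all values are assumptions)
# Already the default in the repo's yarnrc per the commit message; shown so the
# file is complete.
nodeLinker: node-modules

# Refuse to resolve any npm version published less than 3 days ago, for every
# environment that runs `yarn install` (CI, Docker and developer machines).
# Kept shorter than the Dependabot cooldown so deliberate manual upgrades are
# not blocked for as long, while still covering the 72-hour window in which
# npm lets a publisher unpublish a version most easily.
npmMinimalAgeGate: 3d

# Exempt the organisation's own packages, which are routinely bumped straight
# after they are published. The scope below is hypothetical.
npmPreapprovedPackages:
  - "@example-org/*"
```

The two controls cover different paths: the Dependabot cooldown only delays the PRs Dependabot opens, whereas the yarn gate is enforced at resolution time and so also blocks a developer from adding a day-old package locally, which is why the preapproved list is the escape hatch for packages that genuinely must be taken immediately. Whether a Dependabot security PR targeting a version younger than the gate will install cleanly is left open in the PR and is worth checking on the first such PR.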
@zetter-rpf zetter-rpf temporarily deployed to previews/1465/merge May 13, 2026 10:02 — with GitHub Actions Inactive
@zetter-rpf zetter-rpf marked this pull request as ready for review May 13, 2026 10:02
Copilot AI review requested due to automatic review settings May 13, 2026 10:02

Copilot AI left a comment


Pull request overview

This PR tightens dependency-update hygiene by adding “cooldown”/minimum-age gates in both GitHub Dependabot and Yarn, reducing the chance of immediately ingesting newly published (and potentially risky) upstream releases.

Changes:

  • Configure Dependabot to run daily npm version checks while applying a cooldown period before proposing updates.
  • Configure Yarn’s npm resolution to require a minimum package-version age, with a small allowlist of preapproved packages.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: .yarnrc.yml
Adds Yarn npm minimum-age gating (npmMinimalAgeGate) plus an allowlist via npmPreapprovedPackages.

File: .github/dependabot.yml
Introduces Dependabot configuration for npm updates with a cooldown and daily schedule.


@zetter-rpf zetter-rpf marked this pull request as draft May 13, 2026 10:32
We should be using the same corepack binary and yarnrc as other environments.

Perhaps adding 'nodeLinker: node-modules' was needed at one point, but it's now in the default yarn file.
@zetter-rpf zetter-rpf changed the title Improve dependency update management Improve the management of dependency updates May 13, 2026
@zetter-rpf zetter-rpf changed the title Improve the management of dependency updates Improve the security & management of dependency updates May 13, 2026
@zetter-rpf zetter-rpf marked this pull request as ready for review May 13, 2026 10:51
@zetter-rpf zetter-rpf changed the title Improve the security & management of dependency updates Use cooldowns to reduce the risk of supply chain attacks May 13, 2026

@abcampo-iry abcampo-iry left a comment


This looks reasonable

@zetter-rpf zetter-rpf merged commit 5c666b5 into main May 14, 2026
7 checks passed
@zetter-rpf zetter-rpf deleted the dependency-update-management branch May 14, 2026 10:29